MITIGATING CYBER SECURITY RISKS IN LESS DEVELOPED MARKETS; BASIC INSURANCE COVERAGE IS REQUIRED?

Introduction

Cyber insurance has been available since the late 1970s, with the market growing out of the tech risk/tech errors and omissions (E&O) space. In the 1980s, the first tech E&O policies that included cybersecurity insurance were introduced, designed primarily for financial institutions and blue-chip organisations. Cyber insurance as a stand-alone product began to take off in response to Y2K concerns and was designed to fill gaps in traditional property and casualty (P&C) products. The number of insurance providers offering the product gradually expanded, although it remained a niche and specialised market during these early days.

Today, while advances in information technology and interconnectivity have improved business models, efficiency, and organizational infrastructure, they have also created increased risk associated with cyber systems. Though the cyber insurance market still lingers in its infancy, no one can miss its dynamics.

However, cybersecurity threats have become rife in the developing world in recent times. For instance, the latest global cyber-crime statistics, published in the Internet Crime Report (2008), listed Nigeria in the third position among the top 10 perpetrators of cybercrime. Recently, cybercrime attained such a huge dimension in Africa and other parts of the developing world that the Nigerian government had to set up the Economic and Financial Crimes Commission (EFCC) in 2004. With such a high spate of cybercrime, it is expected that governments and other stakeholders will take interest in measures to control cybercrime or the severity of its impact.

Protective measures like firewalls, software encryption, virus detection, and system compartmentalization are also used to reduce cyber risk. However, the extensive nature of cyber attacks indicates that sufficient cyber risk management cannot be achieved solely through information technology management that attempts to mitigate the risk. An alternative approach is to transfer the residual cyber risk to third parties through insurance.

Nature of cyber risks

The Internet of Things (IoT) has witnessed applications in many areas such as smart cities, healthcare, and transportation. However, IoT networks and devices can be highly vulnerable to adversaries who can inflict huge financial and non-financial losses on governments, companies, and non-profit organizations. The situation is further complicated by the unceasing proliferation of technology, the increase in network speed, and an explosion of data. Taken together, these developments are multiplying the potential attack surface for malicious actors, with predictions that 20.8 billion connected things will be in use globally by 2020, up from 6.4 billion today. Thus, the growth of the IoT has introduced new vulnerabilities, as not all connected devices are currently designed with security in mind. For example, the Mirai botnet in 2016 compromised numerous IoT devices and knocked out popular sites, such as Netflix, Spotify, Twitter, and GitHub, with massive distributed denial-of-service (DDoS) attacks. In early November 2016, the same tactics were used to wage multiple attacks against Liberia’s internet infrastructure, taking an entire country offline for a week. Liberia was particularly susceptible to attack due to its reliance on a single submarine cable to supply all of its internet needs.

Quite apart from its impact on businesses, the potential for physical damage and bodily injury arising from the exploitation of IoT by hackers is of growing concern. In 2015, hackers Charlie Miller and Chris Valasek demonstrated how they could remotely access the control systems of a Jeep Cherokee, sending commands through the vehicle’s entertainment system to control its dashboard functions, steering, brakes, and transmission.

Cyberattacks and other cyber events are created by humans. Attacks are usually directed at specific targets with a clear outcome in mind (e.g. profiting from the attack, causing damage, responding to political manifestations). Cyberattacks could be provoked by the behaviour of targeted companies or governments. In that sense, the cyber risk may assume features of endogeneity, thereby losing its idiosyncrasy. Developing markets are particularly exposed to cyber vulnerabilities due to weaknesses in cybersecurity infrastructure.

Challenges facing less developed markets

First, the unique nature of cyber insurance is a source of challenge for less developed insurance markets. Traditionally, insurance companies are used to dealing with many areas of uncertainty and risk. They offer coverage for natural disasters, business interruption, and even damage from terrorist attacks; however, insurance companies are not used to dealing with many of the new incidents of cyber risk. Unlike natural disasters which are highly scrutinised and catalogued in extensive records, cyber risks are relatively new events, and the existing models to assess risk and the information available are still limited. Therefore, how to set premiums is a key question for the development of a more robust cyber insurance market. Setting premiums is particularly challenging due to the lack of actuarial data from past events and the lack of normative standards. Some cyber risks may not be quantifiable and therefore are not insurable. The ability to model cyber risk is currently limited but will improve substantially as more data is accumulated and shared.

Beyond the issues surrounding the quantification of risk, conceptual issues exist around correlated risk and lack of re-insurance. Also, traditional insurance market issues apply to cyber insurance, including moral hazards and adverse selection caused by information asymmetry. For example, there is a moral hazard associated with companies that may not feel the need to improve cyber security if they are insured.

One of the foremost challenges in the cyber security landscape is accumulation risk. Accumulation risk is the total exposure affected by incidents (e.g. a cyberattack on a power utility or a cloud service provider) that could cause significant business disruption or loss across geographies or companies, and affect several insurance policies. As more and more companies rely on third-party solutions to operate their businesses, and interconnectivity increases, accumulation risk is becoming more relevant. The number of companies using common platform software (e.g. SAP) or moving to the cloud increases the potential impact of a large-scale attack. The complexity of accumulation risk means that it is not clear whose insurance would cover what in the case of such an attack. Accumulation risk is not the only consequence of exposure to the cloud. Companies using the same IT platforms and tools are all exposed to the vulnerabilities of those platforms and tools. This challenge will particularly constrain the development of a robust cyber insurance market in less developed markets as companies in specific industries operate on the same IT platforms. For example, almost all Rural Community Banks in Ghana use the T-24 banking software.

Another challenge in the cyber insurance market is the lack of cyber insurance regulation. The main difference between the U.S. and Europe is the role that regulation has played in the development of the cyber risk market. There are two relevant developments. The first, and so far, relatively well-advanced development, concerns the treatment of cyber incidents in the corporate sector (including financial services) and the protection of consumers with respect to the protection and integrity of data stored in the cyber space. The second relates to the regulation of insurers as providers of risk solutions to their customers. This regulatory development is still in its infancy across the globe. With regard to the first developments, the U.S. cyber insurance market is a couple of years ahead of the European market.

Finally, technology and cyber risk go hand in hand. As technology improves and transforms our lives, hackers are getting more and more sophisticated, developing attacks that could potentially destroy companies and governments. With the expansion of the Internet, the proliferation of smart connected devices (Internet of Things (IoT) devices), and the rise of autonomous vehicles, there is an increasingly large number of possible attack vectors and an increased potential for a point of failure that could lead to a disastrous scenario.

The role of insurance in cyber risk mitigation

Cyber insurance companies in advanced insurance markets such as the U.S. are experiencing a mutual transformation of their business model, including more services along the value chain. Insurers are transforming from offering simple risk transfer services to offering risk consultation and prevention and breach resolution services. Thus, cyber insurance underwriters are transforming their role, shifting their value proposition so that they are present along the entire value chain of their customers. Insurers are working to design appropriate cyber insurance policies for their future clients. They are working with customers to better understand risks and to prevent breaches based on appropriate risk management frameworks. Insurers are also offering consulting services to train and assist organisations in best practices for reacting to and limiting the damage from a cyberattack or incident. Insurers are providing services that evaluate the impact of an attack, help implement response and recovery plans, provide public relations and communications support, and identify appropriate mitigating actions.

In the past, insurers were present only after a breach. Underwriters helped with claims and coverage but did not actively engage or collaborate with their customers on how to improve their cyber risk practices. Enterprises have traditionally hired IT vendors, consulting firms, and specialised cybersecurity firms to address their cyber risk management needs. Today, the insurance industry is experiencing a transformation to a situation where insurers and customers become partners in reducing cyber risk exposure and the potential losses associated with it.

Insurance companies are building cyber risk expertise to better serve their customers. The additional services offered by insurance companies range from cybersecurity training to incident resolution advice and forensics after a cyber event.

The new role of cyber insurance is driven by three market needs: (1) increasing attractiveness of cyber insurance for customers; (2) improving profitability through loss reduction/prevention and customer retention; and (3) gaining cyber risk knowledge.

The additional services along the value chain generate fee income and help reduce the probability and size of losses, making it in the interest of the insurers and brokers to prepare and help their customers to manage risk. Customers who have a risk management plan, risk prevention, and resolution tools, as well as dedicated teams in their organisations are better prepared to deal with cyber risk. Offering additional services also increases customer retention. Insurers with an understanding of the market, its customers, and cyber risk are better prepared to design risk models and pricing frameworks. Ultimately, engagement in the entire value chain is a competitive advantage for insurers.

Prospects of cyber insurance in less developed markets

To better serve the market, insurers need to understand the differing needs of each segment of the market and their degrees of exposure to cyber risks. There are two clear customer size segments in the cyber insurance market: Large Enterprises and Small/Medium Enterprises. Small and medium scale enterprises (SMEs) form a large chunk of firms in less developed markets. Large enterprises, such as financial institutions (e.g. HSBC, Citibank, State Street), have large IT departments and dedicated resources to manage risk. These companies usually have in their organisation a Chief Risk Officer and Chief Information Security Officer who are well prepared to deal with cyber risk and have a high degree of understanding of their vulnerabilities and exposures. In addition, large companies usually have cyber insurance policies and work with external cyber risk consultants to reduce exposure.

On the other hand, SMEs are not ready to deal with cyber risk, making selling cyber insurance to them a slow and costly process. While there are notable exceptions, SMEs as a group lack the expertise and resources to deal with cyber risk effectively. They are usually unaware of their vulnerabilities and risk exposures, they do not have dedicated teams to deal with cyber risk, and even when they do, the team is neither large nor diverse enough to provide adequate protection. As a result, SMEs outsource much of their IT and cybersecurity functions. While this market has an attractive potential for cyber insurance, underwriters find it difficult to demonstrate the value of insurance to SMEs that are not well versed in cyber risk. The investment of time that would be required for insurers and brokers to sell to SMEs is substantial, and returns can be small.

The big question is, what can underwriters and brokers do to attract cyber insurance customers? The first trend that needs to be observed is the need to clearly define which insurance policies address cyber risk. The current practice is to offer cyber risk cover either as part of existing policies or as stand-alone insurance products. It is common knowledge that it is difficult to understand which policies cover which events, and that better clarity is needed to increase customer awareness and understanding of cyber insurance options. The second trend concerns the standardisation and simplification of cyber insurance language. Customers who are not well versed in cyber insurance find it difficult to understand policies and premiums. The provision of education by insurance regulators, underwriters, and brokers is important for this process.

The role of insurance regulation in cyber risk transfer and marketability

Regulation alone makes a significant difference in the cyber risk insurance market in different jurisdictions. Regulation is the single most important factor that accounts for the vast difference between the U.S. cyber insurance market and the European market. The fundamental elements underpinning the impact of regulation in these markets are practically two-fold. The first borders on the treatment of cyber incidents in the corporate sector, and the protection of consumers with respect to the protection and integrity of data stored in the cyber space. The second relates to the regulation of insurers as providers of risk solutions to their customers.

Regarding the first developments, the U.S. cyber insurance market is a couple of years ahead of the European market. The main reason is that regulation in the U.S. has driven the market to increase its demand for cyber risk coverage. Thus, in the U.S. market, companies are required to report cyber incidents (i.e. a data breach) to their customers and the authorities.

The European regulatory landscape has also witnessed a change with the introduction of the General Data Protection Regulation (GDPR) in May 2018. Insurance companies writing cyber policies expect that the new directive will boost the market to levels similar to those of the U.S. market.

The new regulation has helped to raise cyber awareness on the customer side and increase efforts to protect customer data, raising demand for cyber risk coverage in both the U.S. and EU markets. This change is transforming the market: insurance companies that were not yet in the cyber risk market are developing cyber products, and those already offering cyber products are revisiting and improving them, putting to use their experience and expertise in cyber insurance.

With respect to insurance regulation, authorities have recognised that cyber risk has taken on a global dimension and ideally needs to be addressed in a globally coordinated manner. An example is the declaration of EU and U.S. authorities made in early 2017 in which they declared cyber risk as one of the key initiatives in the joint EU-U.S. Insurance Project. Similarly, while member jurisdictions of the Financial Stability Board (FSB) have been active for some time in addressing cybersecurity, nearly three-quarters of members reported plans to issue new regulations, guidance or supervisory practices that address cybersecurity for the financial sector. The U.K. Prudential Regulation Authority, for example, has issued a consultation paper on ‘Cyber risk underwriting risk’ that is mainly concerned with issues of accumulation risk and silent risk. There is a need for similar regulatory interventions and oversight by governments and regulatory authorities to achieve growth in cyber insurance penetration in emerging and developing markets, as such specific regulations on cyber risk management are lacking. In particular, and given the potential contribution that insurance can make to cyber risk management, governments should consider the development of the cyber insurance markets as a component of their strategies and policies for digital security risk management. Governments could support the availability of the incident reporting data, threat analysis, and risk management expertise necessary to reduce uncertainty about cyber risk exposure and allow for the development of probabilistic pricing and exposure management models.

Do we need to institute a compulsory minimum Cyber Risk Insurance Policy Coverage, looking at the digitization drive?

The digital transformation of economic activities is creating significant opportunities for innovation, convenience, and efficiency. However, as recent major incidents have highlighted, a growing reliance on digital technologies comes with digital security and privacy protection risks. This presents policymakers with the challenge of finding an appropriate balance between addressing these risks and allowing sufficient space for achieving the economic and societal benefits of digitalization (OECD 2017).

The Cyber Security Authority (CSA) has been established by the Cybersecurity Act, 2020 (Act 1038) to regulate cybersecurity activities in Ghana, to promote the development of cybersecurity, and to provide for related matters. Having transitioned from the then National Cyber Security Centre (NCSC), the CSA was officially launched on 1st October 2021 as an Agency under the Ministry of Communications and Digitalisation. Its vision is to ensure a secure and resilient digital Ghana. Its mission is to build a resilient digital ecosystem, secure digital infrastructure, develop national capacity, deter cybercrime, and strengthen cybersecurity cooperation.

Cyber risk was identified as the risk of highest (or second-highest) concern to doing business in more than one-third of Organisation for Economic Co-operation and Development (OECD) countries in the World Economic Forum’s 2017 Global Risk Report (and among the five risks of greatest concern in more than half of OECD countries, a higher share than either terrorist attacks or natural disasters). Similarly, the business respondents to the 2017 Allianz Risk Barometer survey ranked cyber incidents (cybercrime, IT failure, data breaches, etc.) third among top global business risks (up from 15th in 2013) and consistently among the top five risks across all regions (Allianz Global Corporate & Specialty, 2017).

While not a substitute for investing in cyber security (and therefore reducing the risk of being affected by an incident), insurance coverage for cyber risk provides a means for companies and individuals to transfer a portion of their financial exposure to insurance markets. Where providing significant levels of insurance coverage, insurance companies can also make an important contribution to the management of cyber risk by promoting risk awareness and encouraging measurement, supporting incident management, and providing incentives for risk reduction.

Ghana is pushing and driving the digitization agenda. Previously, it was only the private sector, and especially the financial industry, that was taking data from the public. Now, most public institutions collect data from the public, and these data are being linked to social security and pensions, the Ghana Revenue Authority, and others. Are we considering the economic impact when there is a data breach? Are we considering the implications for third parties who could be affected by this breach?

The threat and impact of cyberattacks on the financial sector are increasing. Customers of financial services suffered 65% more cyberattacks in 2016 than customers of any other industry, which represented a 29% increase from the previous year, according to Bank Group estimates (World Bank report, 2018).

Conclusion

Cyber risk insurance is, by far, the fastest growing line of business in the insurance industry in advanced insurance markets such as the U.S. The opportunity for the industry to provide cyber risk transfer services by way of cyber insurance policies and to mitigate the impact of a cyberattack through prevention, detection, and response services comes in handy. These services are by no means a novelty to insurers or their partners and business allies. What is novel, however, is the risk associated with the digital revolution currently prevailing across business domains.

As new, technical, and specialized as it is, the cyber insurance market is characterized by a myriad of issues, including the unique nature of cyber risk, the difficulty in measuring and understanding accumulation risk, the limited availability and sharing of cyber incidents and data, the impact of regulation, and the effect of new technologies on cyber security. Although risk transfer is well understood in the insurance market in general, these specific issues are currently posing new challenges.

It is now up to stakeholders to devise strategies and introduce regulatory reforms that will create the enabling environment for insurers in the less developed markets to embrace the unlimited opportunities that this new market niche offers to the insurance industry.

Writers:

Justice Peprah AGYEI

The writer is the Leading Managing Partner of Jusbel Risk Consult Limited. He is a Chartered Insurance Practitioner and an Associate of the Chartered Insurance Institute of the United Kingdom and also Ghana (ACII-UK, ACIIG), and holds an MPhil in Enterprise Risk Management and Business Consulting from Kwame Nkrumah University of Science and Technology. He attained a Bachelor’s degree from the University of Ghana, Legon, and has Applied Insurance Studies, Diploma and Advanced Diploma qualifications (AAIS & AIS) from Ghana Insurance College / Malta Insurance Training Institute.

 

0208498571 || justice@jusbelriskconsult.com || www.jusbelriskconsult.com  ||  www.irm.edu.gh

 

Inusah Sumaila

The writer was, until recently, a Senior Credit Risk Analyst and is currently an internal auditor at Kwamanman Rural Bank LTD. Though he has practically been involved in managing financial risks in the banking sector, he takes interest in studying insurance and has been researching and reviewing journal articles on these subject areas. He is a Land Economist and a probationer member of the Ghana Institution of Surveyors. He holds a Master of Philosophy in Business Consulting and Enterprise Risk Management from Kwame Nkrumah University of Science and Technology.

References

The Geneva Association (2018). Cyber Insurance as a Risk Mitigation Strategy, International Association for the Study of Insurance Economics, www.genevaassociation.org.

OECD (2017). Enhancing the Role of Insurance in Cyber Risk Management, OECD Publishing, Paris. http://dx.doi.org/10.1787/9789264282148-en

Zhang, R. and Zhu, Q. (2019). A Game-Theoretic Cyber Insurance Framework for Incentive-Compatible Cyber Risk Management of Internet of Things, Department of Electrical and Computer Engineering, New York University, Brooklyn, NY, 11201.

Camillo, M. (2017). Cyber risk and the changing role of insurance, Journal of Cyber Policy, 2:1, 53-63, DOI: 10.1080/23738871.2017.1296878.

Tonn, G., Kesan, J., Czajkowski, J. and Zhang, L. (2018). Cyber Risk and Insurance for Transportation Infrastructure, Risk Management and Decision Processes Center, The Wharton School, University of Pennsylvania, 3730 Walnut Street, Jon Huntsman Hall, Suite 500, Philadelphia, PA, 19104 USA.

Peters, G. W., Shevchenko, P. V. and Cohen, R. D. (2018). Understanding Cyber-Risk and Cyber-Insurance, Working Paper 18-01.

Adeleke, I. A., Ibiwoye, A. and Olowokudejo, F. F. (2011). Cyber Risk Exposure and Prospects for Cyber Insurance, Department of Actuarial Science and Insurance, University of Lagos, Nigeria.


About the Author
Justice Peprah Agyei
Chartered Insurance Practitioner || MPhil || CPCU || ACII || ACIIG || BA (Hons) || Writer

The writer is a Chartered Insurance Practitioner of the United States of America (USA), the United Kingdom (UK) and Ghana (CPCU, ACII, ACIIG), and holds an MPhil in Enterprise Risk Management and Business Consulting from Kwame Nkrumah University of Science and Technology. He attained a Bachelor’s degree from the University of Ghana, Legon, and has Applied Insurance Studies, Diploma and Advanced Diploma qualifications (AAIS & AIS) from Ghana Insurance College / Malta Insurance Training Institute, with 15 years of industry experience. His interest lies in insurance, risk and data analysis.