Cyber Crime Insurance: A New Frontier for Insurance Firms


By Michael Obuya

The insurance industry the world over has long been dominated by physical business risks such as accidents, theft, and fires. However, with the advent of information technology and the increased adoption of e-commerce, businesses are slowly becoming exposed to a new form of business risk: cyber crime. Cyber crime risk is costing global businesses roughly 500 billion US dollars a year, as reported by insurer Allianz.

Although computer experts have come up with measures such as firewalls, anti-virus software, anti-spam tools, intrusion detection systems (IDSs) and other add-ons for preventing cyber attacks and minimizing their likelihood and the seriousness of the damage they cause, these measures are not adequate protection for a business. This has necessitated a search for newer solutions to cyber risk. Financial risk experts have suggested that cyber risk be covered by an insurance company.

Insurance firms in Kenya must look at cyber crime as a new business opportunity that must be exploited. They need to analyze the cyber crime risk exposures of different businesses and thereafter develop insurance products around cyber crime. This is a very lucrative market for insurance firms, which may rake in millions of shillings if they take up the challenge.

What is cyber crime risk?

Cyber crime risk arises when cyber criminals penetrate an organization’s computer security systems and then plan their attack. Cyber criminals exploit known weaknesses in the software on which a business database or website is built, extract valuable data, and then demand payment to restore the company’s website or database. The attackers are in search of Personally Identifiable Information (PII), Protected Health Information (PHI), and Payment Card Industry Information (PCI), all of which can be bought and sold on the black market. Another scenario of a cyber attack may involve a cyber criminal impersonating a senior employee in a different town, say Nairobi, and contacting a junior employee based in Nakuru. The fraudster knows the name of the senior employee, is aware that the senior employee is not at work, and instructs the junior staff member to make an emergency wire transfer of funds.

What is cyber Insurance?

Cyber insurance is a risk mitigation tool by which a business’s cyber risks are shifted to an insurance company in exchange for an insurance premium. Cyber insurance policy providers include cloud computing firms and classical insurance companies. Supporters of cyber insurance argue that it should result in the development of insurance products that transfer a specified amount of cyber crime risk from the insured to an insurance company. Cyber insurance is a market-based solution that can generate economic benefits for cyber crime stakeholders. For instance, cyber insurers earn a profit from premiums received, businesses get to hedge cyber risk exposures by purchasing an insurance policy, policy makers would ensure an increase in overall network security, and security software providers may experience a surge in software sales by forming strategic collaborations with cyber insurance providers.

What should cyber insurance cover?

An organization that has a website or engages in e-commerce should get cover against potential cyber risk exposures including theft and fraud, business interruptions, data loss, cyber extortion, defamation and libel cases, and more. The cyber crime insurance policy should cover both third-party and first-party potential losses, as explained below:

Theft and fraud coverage: covers theft of funds or digital assets through theft of digital equipment or data. It should cover the costs of destruction of the insured’s data, theft of third-party information, and compensation to customers who are denied access to services due to a failure of software or systems.

Business interruption coverage: protects against lost business and other costs due to the interruption of the organization’s computer systems. This coverage is also applicable to expenses and lost revenue streams due to a computer virus that attacks and impairs a computer system.

Cyber Extortion: where attackers threaten the business or business customers with damage or release of sensitive or private data if cash is not released to them. Extortion is a ransom payment demanded by a cyber attacker to refrain from publicly disclosing or damaging the insured’s private and confidential electronic data.

Data loss and restoration: the policy should cover the costs of recovering lost data and of investigating and repairing the cause of the loss. This coverage should enable the insurance firm to reimburse companies for expenses related to damage to computer programs and electronic data. Malware downloaded from an email could lead to lost, encrypted or otherwise damaged files, requiring expenses to repair and restore.

Forensic investigation expenses: policy to cover liability arising from forensics investigation into the cause of the breach of the computer security system and the installation of new security systems to repel future instances of cyber attack.

Privacy liability coverage: the policy to cover liability arising from lawsuits due to a breach of private information about the insured’s clients, customers, and staff. The insured has a legal duty to ensure consumer information is secured against any cyber attack, failing which it could be exposed to lawsuits resulting in heavy legal fees and fines and years-long litigation.


Regulatory actions: Policies to cover defense from the earliest stages of an investigation, including a civil investigative demand or request for information by the government. It also bears civil fines and penalties after the government investigation.

Parting note

An organization in need of cyber insurance cover must first analyze its cyber risk exposures and then put in place protections and protocols to prevent cyber attackers from succeeding in their first attack on the company’s computer systems. Insurance firms should also be selective with cyber crime, since the ultimate risk they’re taking is not well understood and may lead to catastrophic losses. However, insurance companies have no choice but to convert the cyber crime risk business opportunity into profits.

Michael Ochieng Obuya is a consultant with Radiant Consulting and Event Management Ltd and a Finance and Economics lecturer at MKU Nakuru.