29 June 2017

TOP 10 REASONS why your business needs cyber liability insurance

Submitted by: MyPressportal Team

New technology means new risks. The internet asks a lot of questions of its users. How should the internet interact with nation states? What opportunities can it offer criminals? How should legislation and regulation apply to the seas of data that constitute the heart of the new digital economy? What are the implications of outsourcing data processing to cloud providers and the growing use of personal devices to conduct business? We are still coming to terms with many of these issues. 

According to Aon Risk Solutions, mitigating the risks that come with being a custodian of data while embracing the opportunities that technology presents is key to building cyber resilient businesses.  Becoming more resilient to cyber risks in an age of digital disruption increasingly means understanding the full scope of cyber governance responsibilities.

Aon provides ten compelling reasons why every business, regardless of size or ownership, that has a network and an internet connection, and that holds sensitive or personally identifiable data and sensitive company IP, needs cyber liability insurance:

#1 Cybercrime is growing exponentially - in fact it’s the fastest growing crime in the world. In our internet-connected society, cybercrime is a very real threat to any business or institution. A cyber-attack can also be just as physically disruptive to a business as a natural disaster or terror attack – think of critical operations in a hospital, airport or power station, all of which are operated via computer networks and sophisticated software, falling into the wrong hands.

#2 All businesses that hold personally identifiable data and sensitive IP are at risk. Many small and medium businesses think that they are not likely targets for a cyber-attack, believing that only large corporates, banks and government institutions appeal to cyber criminals. The reality is that any entity that conducts any aspect of its business online and holds any sensitive data – employee or client records, banking and payment details of staff, customers or its own, market strategies or financials, payroll information, medical or academic records or any other sensitive data – is a potential target.

#3 Cybercrime is now the fourth most reported economic crime in SA. Almost a third (32%) of the 232 South African organisations that took part in PwC's 2016 Global Economic Crime Survey reported cybercrimes in the last 24 months. This puts local companies on par with their international counterparts when it comes to cybercrime.  The country leads the global stats for economic crimes, with 69% of local companies having experienced economic crime during the past two years, compared with the global average of 36%.

#4 The human factor in cyber risk is the biggest cyber threat that businesses face today. A PwC report released in 2016 found that current employees were the top insider cyber risk to businesses.

#5 Standard insurance policies do not cover you for the risks and liabilities emanating from cyber risk. Cyber insurance is specifically designed to cover the unique exposure of data privacy and security and can act as a backstop to protect a business from the financial and reputational harm resulting from a breach. While some categories of losses might be covered under standard policies, many significant gaps often exist, and cyber events can impact numerous lines of insurance coverage. Standard policies are often inadequate to cover the likely cost of even a more “standard” security breach, let alone a cyber-attack or ‘hacktivism’. Only specialist cyber insurance policies provide extensive cover.

#6 You can be held legally and financially liable if third party data is compromised in a breach. The frequency of cyber breaches is increasing and incident response plans have become more complex due to regulation and mandatory disclosure obligations. The disclosure obligation is of particular interest to South African businesses, with related legislation looming on the horizon - the General Data Protection Regulation (GDPR) commenced on 24 May 2016 with its grace period ending on 24 May 2018, while the Protection of Personal Information (POPI) Act brings a further layer of complexity for any business holding personal client data. Class action lawsuits and regulatory fines have become synonymous with data breaches, and in this regard the fact that cyber risks are global makes complying with various regulatory responses across different geographies all the more challenging.

#7 Companies are grappling with new risks such as cybercrime, and lack consensus on how best to prioritise and respond to them. Much more progress is needed in the area of cyber risk control and mitigation to keep pace with the pervasive and fast-evolving cyber threats that go hand in hand with the dizzying speed of technological innovation. Currently, only 23% of companies employ financial quantification metrics in cyber risk assessment, according to Aon’s 2017 Global Risk Management Survey. Without measuring the actual financial impact of identified cyber threats, companies will not be able to adequately prioritise the capital investment in risk mitigation, nor will risk managers be able to convince a potentially less tech-savvy board of its importance.

#8 Cyber liability insurance offsets the expenses of what is essentially an unknown cost. Data breaches are difficult to budget for as they are so unpredictable. The size, scope, and complexity of each data breach vary widely, so insurance is a practical way to manage high-price-tag exposures such as data breach notifications, forensic investigations, legal fees, data analysis, crisis communications, monitoring, remediation, restoration and legal settlements.

#9 Cyber liability insurance protects you and the sustainability of your business from what could be crippling expenses. Most cyber liability policies cover first party costs and any resultant liability (third party) arising from a loss of data or a breach of network security – with data being defined as personally identifiable data and corporate information. First party costs include legal and IT services, data restoration costs, reputation management, notification costs to all affected data subjects, credit and ID monitoring, cyber extortion and loss of profits following from a network interruption. Third party costs include damages and defence costs arising from liability to others following from theft or manipulation of data held in your care, custody and control.

#10 Cyber liability insurance provides for specialist and expensive resources in your time of need and within hours of notification of a breach. These resources include specialised tech teams and forensics whose first role is to identify and contain the damage as quickly as possible, along with legal counsel, communication specialists and response teams whose role is to limit the organisation’s legal exposures – typically all resources that few organisations would have in-house and on-call due to their price tags.

The Aon Cyber Risk team works with clients to improve their proactive posture to cyber risk threats, and respond more effectively in the event of an attack with an integrated approach to managing and mitigating the systemic risk of cyber threats.

Worried about your exposure to cyber risks?  Complete Aon’s cyber diagnostic tool to assess your risk.
