A multi-pronged approach is needed to mitigate cybercrime risk

4 October 2022

Work-from-home policies were adopted by companies around the world over the past two years, to keep the pot boiling in the time of Covid lockdowns. But, while businesses took some time to adjust to the new way of working, cybercriminals adapted, and flourished, all too quickly.

Phishing, social engineering and other hacking tools are being used to extract millions of dollars from businesses. In 2021, US-based wireless network operator Verizon reported that the average cost of a data breach soared to $21,659 per incident during the pandemic, with incidents ranging from as little as $800 to more than $650,000, while 5% of successful attacks cost businesses $1 million or more.

South Africa has not escaped this scourge. According to a report from Dutch cybersecurity company, Surfshark, SA is among the top 10 countries that experienced the most cybercrime in 2021. This is substantiated by several high-profile data breaches that occurred locally over the past year.

While the natural instinct is to avoid “rewarding” cyber criminals by paying ransoms, the reality is that companies often find themselves having to choose between paying up or facing lengthy operational disruptions, or reputational damage due to customer data being breached – which could cost even more than the ransom in the long run.

No doubt, IT teams will remain forever occupied with trying to stay one step ahead of ever more “creative” cybercriminals, but what else can companies do to mitigate cyber risks?

“A tailormade cyber insurance programme, featuring both a strong self-insurance component coupled with a traditional risk transfer element related to the client’s risk appetite, and underpinned by prudent cyber risk management policies and ongoing staff awareness and training programmes, is an organisation’s best defence in the war against cyber criminals,” says Richard Eales, Managing Executive at Guardrisk Insurance.

Traditionally, cyber risk cover was only available locally through the larger specialist liability insurers, but Eales predicts that a lack of capacity in the market, uncertainty about the scope and extent of cover needed, and high premiums for this type of cover will see more companies turning to tailormade alternative risk transfer solutions in order to supplement market capacity with their own provision for cyber risk.

Many cyber risk insurance policies have onerous risk control conditions in terms of things like spyware, which are expensive, but within self-insurance structures companies can use their own service providers and fund this themselves.

Eales predicts that ultimately the solution for cyber risk cover – and it’s a risk that is only going to grow for businesses of all sizes – will be a combination of self-insurance and traditional risk transfer markets, working together to find workable, and affordable, solutions for clients.

But he cautions that cyber insurance is not the panacea to cybercrime; it is merely one aspect, albeit a valuable component, of a solid risk management strategy. No matter how effective technology and insurance interventions are, the human element (in the form of employee vigilance and competence, sustained by ongoing awareness and upskilling) remains at the heart of a successful cybercrime prevention and management strategy.

In the self-insurance space, a comprehensive risk management strategy tailored to suit the business’ unique profile delivers significant benefits for businesses that enforce prudent risk management policies on an ongoing basis. This translates not only to financial savings in terms of premium, but also to building capacity to continuously expand the self-insurance programme.