
Why your company should have cyber insurance.


Imagine your business falls victim to a data breach today. All your clients, who trusted you with their personal information, are now at risk.


This is a horrible reality that many businesses have to face nowadays. But did you know that you can get insurance to protect you from this? We find out more about cyber insurance for businesses.


What is cyber insurance, and what does it cover?


According to Kirsten Cronin, underwriter at SHA Risk Specialists, a division of Santam, cyber insurance covers the insured organisation for both first-party and third-party losses following a cyber event.


“A cyber event is any incident related to, among others, a data breach, cyber extortion or ransomware, cybercrime, malicious acts, malware, human error, or DoS attacks,” says Cronin.


“The policy response is triggered by any of these incidents. As soon as the organisation is aware of an incident, they should notify the response team noted on the policy. They will immediately take over and handle the incident from start to finish,” she explains.


Cronin outlines, among other things, what’s covered in terms of first-party losses following any of the above cyber issues:


  • A data breach response, which provides cover for an expert to investigate the data breach, notification costs to the supervisory authority as well as the data subjects, credit and identity theft monitoring services, reputational protection costs and legal defence costs for any action taken by the supervisory authority in the relevant jurisdiction.
  • Costs to restore the organisation’s data and software following the incident.
  • Business interruption cover, which will pay the organisation’s reduction in net profit during a specified time period, where that reduction was directly caused by the cyber incident.
  • Cyber extortion or ransomware attack – where legally permissible, the policy makes provision for the reimbursement of any ransom paid by the organisation and any reasonable and necessary costs to resolve the cyber extortion.
  • Cybercrime, which covers the organisation for any money illegally taken as a direct result of a third party’s unauthorised electronic transfer from the organisation’s bank account or any alteration of data on the organisation’s computer systems where the organisation is unable to recover such sums.


Cronin points out that these third-party losses, among others, will also be covered:


  • Third-party claims for any confidentiality and privacy liability following a data breach.
  • Network security liability that covers the organisation for their legal obligation to pay a third-party claim for any data breach, theft of data, or DoS attack on a third party’s computer system which was a direct result of any malicious act, or malware on the organisation’s computer systems where the organisation failed to prevent the spread.
  • Media liability, which provides cover for any legal liability arising directly from the organisation’s online media activities which result in a third-party claim for defamation, breach of copyright, title, slogan, trade name, etc., and the breach or interference of privacy rights.


Which businesses should have cyber insurance?


Cronin believes that all businesses should consider cyber insurance.


“It’s not a question of who, how, or when – every business has some form of cyber exposure, whether it be the data they hold or the risk of any downtime as a result of a cyber attack,” says Cronin.


“Just by taking out this cover, the organisation’s reputation, as well as their balance sheet, will be protected in the event of a cyber attack.”


There are no downsides, Cronin says, to taking out this type of cover. On the other hand, there are many cons should an organisation not take out this cover. These include possible company closure, as the costs of one incident could be crippling for any small to medium enterprise.


“This insurance should really form part of any organisation’s risk management strategy,” says Cronin.


The cost and requirements of cyber insurance


Cronin says that each organisation’s risk is analysed separately and the costs aren’t black and white.


“What I can say is that we have products specifically designed for the size of an enterprise, starting with the SME product, which takes affordability into account, and ranging to large enterprises, which takes complexity into account,” says Cronin.


“The premium can be paid annually or on a monthly basis so there are options available too. It all depends on the size of the business, the type of industry they are in and the security measures in place,” she explains.


Depending on the product being taken out, Cronin says that the client would need to answer a number of questions. However, she adds that, should the organisation not have the following basic security measures, they may not qualify for this insurance:


  • A password policy enforcing the use and rotation of long and complex passwords.
  • Annual education and training to increase the organisation’s users’ security awareness.
  • Malware protection on web-proxy, email gateway, workstations, and laptops.
  • Regular back-ups of business-critical data – at least weekly.
  • Monthly updates of critical IT systems and applications.
  • Appropriately configured firewalls on all internet access points.


Cronin recommends that the organisation contact their broker to discuss cyber insurance as well as qualification for it.


“Should the organisation qualify, a quote will be sent out and cover can be implemented almost immediately upon instruction from the organisation’s broker,” says Cronin.


Photo by possessed photography on unspashed.com. Article on www.justmoney.co.za.