Lecture 11- Cyber risks and Cyber Liability Insurance April 2023 (1).pdf

Transcript

UNIVERSITY OF THE WITWATERSRAND
SCHOOL OF BUSINESS SCIENCES
BCOM. HONOURS INSURANCE AND RISK MANAGEMENT
BUSE4024A Advanced Liability Insurance and Risk Management 2023
Lecturer: Ms Penny Spentzouris
LECTURE 11- Cyber-risk, Cyber Security and Liability Insurance
Introduction
The topic of cyber risk and cyber security is increasingly relevant in today's digital age: cyberrisk, cyber security, and liability insurance. As we become more dependent on technology and
digital systems in our personal and professional lives, we also become more vulnerable to
cyber-attacks and data breaches. The society we now live in is the information society. Many
decisions and activities that firms engage revolve around data. Due to globalisation, more and
more businesses are now turning to the internet to enhance their competitiveness.
The risks associated with cyber incidents are multifaceted and can have significant
consequences for individuals and organizations alike. These risks can range from reputational
damage and financial losses to legal liabilities and regulatory fines. Therefore, understanding
the nature of cyber-risk, the principles of cyber security, and the role of liability insurance in
mitigating these risks is crucial for anyone operating in today's digital environment.
Confidential information can be obtained when there has been an information security breach
and used for a variety of sinister purposes such as fraud, identity theft, extortion against the
company and breach of privacy (e.g. when information is shared on social platforms). Privacy
and cyber security are growing areas of potential liability for firms globally. Firms that misuse
personal information or fall victim to data breaches can face reputational damage risk,
regulatory fines and other penalties and class action lawsuits by 3rd parties.
We will explore the various types of cyber risks, the methods of cyber attacks, and the
strategies for managing and minimizing those risks. We will discuss the principles of cyber
security, including the importance of risk assessments, threat intelligence, and incident
response planning. Finally, we will delve into the role of liability insurance in protecting
organizations against the financial and reputational impacts of cyber incidents.
Nature, definition and global context of cyber risk
Cyber is a fairly new business risk that rose to prominence with the increase in the use of
information technology (IT). Most businesses and services like education are increasingly
being conducted on the internet. For example, in 2012 Canadian firms sold in excess of
$122bn worth of goods and services over the internet.
The increase in the use of the internet comes with risks called cyber risks i.e. risks associated
with usage of IT to conduct business. The risks could take the form of reputational damage,
regulatory penalties and claims by 3rd parties. Most of the claims are linked to data that firms
hold relating to clients or other 3rd parties and its security.

1

Some industries are more exposed to cyber risk than others. The nature of a firm’s business
is a key determinant of the extent of exposure that the firm faces. A Verizon study conducted
in 2015 identified the following industries as facing the highest cyber risk exposure:
§

§

§

Public entities e.g. justice department, entities dealing with public order issues,
electricity and gas supplying entities as well as entities that supply other public
utilities.
Information processing and vending entities e.g. publishing houses, software
publishers, motion picture production companies, telecommunication companies,
data processing and hosting companies, broadcasting companies etc.
Financial services firms e.g. banks, insurance companies, securities trading
companies, brokers, credit management companies etc.

Now even SMMEs are also beginning to realise that they are not immune to cyber risk. This
risk has been identified by the World Economic Forum alongside climate change as one of the
risks to watch over the course of this century.
Cyber risk is a business risk associated with the use, ownership,
operation, involvement, influence and adoption of IT within an
enterprise (Marsh, 2015).

From the above text-boxed definition it is clear that the tentacles of cyber risk are multiple.
Cyber risk can be transmitted to an organisation in various ways including ownership,
operation, involvement, influence and adoption of IT. As long as a firm is directly or indirectly
reliant on IT-related inputs or outputs it is vulnerable to cyber risk.
Information and some of its sinister uses
It is often said that we are now living in the information age. This simply means that information
and its processing is now an integral part of the value chain of most businesses. It is therefore
not surprising that access to information is associated with a number of sinister activities that
can be used to harm businesses. If information or data gets into the wrong hands, it can be
used in harmful ways such as:
§
§
§
§
§
§

Fraud
Perpetration of theft including identity theft
Extortion against firms
Defamation
Breach of privacy (invasion of privacy)
Blackmail

Apart from the above, there are other ways that information can be used to the detriment of
firms if it comes into the wrong hands. This is because cyber risk is always evolving. Cyber
criminals continue to look for other ways to achieve their sinister objectives whatever those
may be.

2

According to Marsh (2015), cyber risk is similar to IT risk – it is risk to a “business associated
with the use, ownership, operation, involvement, influence, and adoption of IT within an
enterprise”. It is therefore apparent that cyber risk is broad in terms of its conceptualisation
and firms are exposed to it from a variety of perspectives such as usage of IT, influence of IT
on operations and activities of the firm as well as ownership. Cyber risk has become an
increasingly important issue for insurers in recent years. According to a report by Swiss
Re(2019), the global cyber insurance market is expected to reach $7.5 billion in annual
premiums by 2020, representing a significant growth opportunity for insurers.
In response to the growing demand for cyber insurance, many insurers have developed
specialised cyber insurance products. These products typically provide coverage for a range
of cyber risks, including data breaches, network interruptions, and cyber extortion. They may
also offer additional services such as risk assessments, incident response planning, and cyber
security training. Insurers have also been exploring new approaches to underwriting cyber
risk. This includes the use of advanced analytics and data modelling techniques to better
understand and quantify cyber risks. Some insurers are also partnering with cyber security
firms to provide more comprehensive risk management solutions to their clients.
At the same time, insurers are also grappling with the challenges of underwriting cyber risk.
Cyber risks are complex and constantly evolving, making it difficult to accurately predict and
price these risks. There is also a lack of standardisation in the cyber insurance market, which
can make it challenging for insurers and clients to compare policies and coverage.
There are various sources of cyber risk, which can be broadly classified into two categories:
external and internal.
External sources of cyber risk include:
1. Hackers and cyber criminals who attempt to exploit vulnerabilities in computer systems
and networks to gain unauthorised access to data or disrupt operations.
2. Malware, such as viruses, worms, and Trojan horses, which can be used to steal data,
damage systems, or launch attacks.
3. Phishing and social engineering scams, which trick individuals into providing sensitive
information or clicking on malicious links.
4. Nation-state actors and cyber espionage, which involve foreign governments or
organizations targeting other nations for political or economic gain eg. organised crime
syndicates, including terrorists.
Internal sources of cyber risk include:
1.

2.
3.

Insider threats, which involve employees or contractors who intentionally or
unintentionally cause harm to computer systems or data. This can include malicious
insiders who steal data or sabotage systems, as well as unintentional insiders who
make mistakes that lead to security breaches.
Human error, which can include mistakes such as misconfigurations, weak
passwords, or failing to update software.
Equipment failure, which can include hardware or software failures that cause
disruptions or data loss.

3

It is important to note that cyber risks are constantly evolving and can arise from a wide range
of sources. Organisations should regularly review their risk profile and take steps to mitigate
and manage cyber risk, including implementing robust cyber security measures and investing
in cyber insurance. It is clear from this that cyber risk invariably involves the human element.
Motives of cyber criminals could be financial or non-financial (e.g. pure malice or
vindictiveness). The figure below shows the taxonomy of cyber risk for a typical firm.

Taxonomy of Cyber Risk for Corporations

Cyber risks vary depending on the capability and sophistication of the attack (bespoke attacks
committed by cyber experts), persistency (short-term, opportunistic, automated or long-term)
and proximity of the attacker (internet/remote attack, local network external attack eg. wifi,
insider attack with network access, physical access to IT infrastructure). Typically, cyber risk
can produce different types of harm or damage for firms. The forms of damage do not affect
all firms all the time – much depends on the business activities of the firm and its sensitivity to
an information data breach. The forms of damage arising from cyber risk are:
•
•
•
•
•
•
•
•
•
•
•

Intellectual property theft
Business interruption
Data and software loss
Cyber extortion
Cyber-crime e.g. fraud
Breach of privacy
Network failure leading to liability to 3rd parties
Damage to reputation
Physical asset damage
Death and bodily injury
Incident investigation and response costs.

4

In one incident, hackers breached a computer system at a German steel plant causing an
unscheduled shutdown causing massive physical damage. In the US a retailer that suffered a
data breach involving 40m payment card records and the personal data of around 70m further
individuals following an infiltration of its corporate network via a link with a 3rd party contractor
incurred costs in excess of US$200m.
See: 2021 Cisco Cyber Threats Trends Report:
https://umbrella.cisco.com/info/cybersecurity-threat-trends-report?utm_medium=searchpaid&utm_source=google&utm_campaign=UMB_23Q3_AF_EN_GS_Nonbrand_Threats&ut
m_content=UMB-FY21-Q4-content-ebook-2021-cyber-security-threattrends&_bt=617330338008&_bk=cybersecurity+threats&_bm=p&_bn=g&_bg=12440764007
1&gad=1&gclid=CjwKCAjwrpOiBhBVEiwA_473dNGIr9CzP5VTw9r7NsCCZJ1YepHTkOE9vr4-1uM62pfRnvW-Q2Z0hoCJAIQAvD_BwE
Cyber Risk and Insurance
The insurance market for cyber risk is still developing. Even in developed countries, cyber risk
insurance coverages are still associated with significant conditions restricting the scope of
coverage. In addition, it is extremely rare to find policies that offer comprehensive cover for
cyber risk. That said, cyber insurance has been issued in various forms in developed markets
for more than 10 years. Therefore, when compared to other types of insurance such as marine
and fire insurance, cyber insurance is still in its infancy. However, this type of insurance has
entered the spotlight in the past few years due to the increasing influence of IT and the internet
in business transactions.
There are 2 types of insurance policies used to cover cyber risk. These are 1st party policies
on the one hand and 3rd party policies on the other. First party policies provide indemnity for
direct financial losses and expenses suffered by the insured as a result of a data breach. A
common data breach loss covered under 1st party policies is business interruption. Third party
insurance covers losses suffered by 3rd parties following a data breach for which the insured
is legally liable. Policies vary significantly in terms of the scope of coverage that they provide.
Available policies exclude losses arising from or claims associated with the following:
§ Intellectual property theft
§ Cyber espionage
§ Death and bodily injury
Third party cyber policies can be written on claims made basis or loss occurrence basis.
First party cyber policies indemnify the insured for the following loss types:
§
§
§

Destruction or loss of client data through theft or fraud
Forensic investigation costs to determine the source of the data breach and its
magnitude
Business interruption – lost income and related costs following a data breach or cyber
incident

5

§
§

Extortion – costs incurred in the investigation of cyber threats or money paid to
extortionists
Costs associated with data loss and restoration e.g. cost of restoring damaged
hardware or software.

The above losses and costs are incurred by the insured directly as a result of a data breach
incident or cyber incident. For this reason, they fall under 1st party insurance coverage. As far
as 3rd party (liability) insurance coverage is concerned, the following 3rd party claims against
the insured are normally covered:
§
§

§
§
§

Litigation and regulatory costs – costs of defending civil lawsuits, settlements
(damages), judgments and penalties.
Regulatory response costs e.g. in the event of a data breach or cyber incident,
regulation may require the insured to adopt certain measures that come at a cost. For
example, the insured may be required to issue immediate notification to all clients that
may be affected by the incident in question.
Crisis management costs
Media liability including copyright, trademark or service mark infringement
Privacy liability arising from data infringement.

Like with any other 3rd party claims, the policy pays where the insured’s legal liability is proved.
In Block 1 it was indicated that liability arises where 3 things exist – (a) a wrongful act (2) the
act must be recognised at law as entitling the 3rd party to a civil remedy, and (3) occurrence
of harm. From current global evidence on cyber liability shows that one of the main sticking
points in these claims relates to the conceptualisation of harm.
In the discussion on liability for climate change and
global warming, we saw that the main sticking point
affecting the success of most claims for climate
change and global warming revolves around the legal
requirement to prove causation. In liability for data
breach, the main legal hurdle relates to proving that
harm has indeed occurred not that harm may or could
potentially occur in future. If personal information of
clients is stolen, does this constitute occurrence of
harm in itself or harm only occurs when the data thief
actually uses the information for sinister purposes?

In the US, the Supreme Court has held that for a data breach incident to constitute actionable
harm, it must be shown that the harm in question is concrete, particularised and actual or
imminent. The mere anticipation or speculation that harm might occur in future is not enough
to be actionable (See: Lujan v Defenders of Wildlife 504 US 555 (1992). This is a very
controversial issue because courts in a number of US states have not followed this Supreme
Court guideline and have imposed liability in some cases where harm is not concrete, actual
or imminent.

6

However, conceptualisation of harm is not a problem in certain types of data breach claims.
For example, data breach involving credit and debit cards in financial institutions always
produces losses that are concrete and particularised. In addition, approaches used to
conceptualise harm differ between the judiciary and administrative/regulatory agencies.
Regulatory agencies have tended to adopt a less strict conceptualisation of harm compared
to that set by the US Supreme Court for example. For example, regulatory agencies can bring
claims against companies that they consider to be putting personal client data at unreasonable
risk.
Cyber-crime cases in South Africa
Cyber risks have become increasingly prevalent in modern society, and South Africa is no
exception. With the rise of digitalisation and the internet, the country has experienced a surge
in cybercrime and cyber-related legal cases. In this essay, we will discuss some of the legal
cases in South Africa that involved cyber risks and their impact on the country's legal system.
of the most notable cyber-related cases in South Africa was the data breach of Liberty
Holdings, one of the country's largest insurance companies. In 2018, Liberty Holdings
experienced a cyberattack that resulted in the theft of sensitive customer information, including
names, email addresses, and policy numbers. The company responded by launching an
investigation and notifying its customers of the breach, but the incident still caused significant
damage to the company's reputation and resulted in legal action from affected customers.
Another high-profile case was the 2017 hacking of the South African Police Service (SAPS)
database, which exposed the personal information of over 16,000 police officers. The breach
was a major blow to the country's law enforcement agency, as it compromised sensitive
information that could be used to target police officers and their families. The case highlighted
the importance of cybersecurity measures within government agencies and the potential
consequences of failing to protect sensitive data.
In addition to data breaches, South Africa has also seen a rise in cyber-related fraud cases.
In 2019, a businessman was sentenced to 15 years in prison for running a Ponzi scheme that
defrauded investors of over R23 million (approximately $1.6 million USD). The scheme relied
heavily on social media and online platforms to lure investors, highlighting the need for
increased regulation and awareness of online investment scams.
The legal system in South Africa has struggled to keep up with the rapid pace of technological
change, and cyber-related cases often pose unique challenges for the country's courts. One
notable example is the use of blockchain technology in cryptocurrency transactions, which can
make it difficult to trace and recover stolen funds. Another challenge is the cross-border nature
of cybercrime, which often involves perpetrators operating from outside the country's borders
and requires international cooperation to prosecute.
Despite these challenges, South Africa has made significant strides in developing a legal
framework to address cyber risks. In 2019, the country passed the Cybercrimes Act, which
criminalizes various forms of cybercrime and establishes penalties for offenders. The act also
includes provisions for the investigation and prosecution of cybercrime, as well as measures
to enhance cybersecurity within the country.

7

In conclusion, cyber risks pose significant challenges for South Africa's legal system, but the
country has shown a commitment to addressing these challenges through legislation and
increased awareness. As technology continues to advance and cyber threats evolve, it will be
critical for South Africa to remain vigilant and adaptable in its response to cyber risks.
Cyber Risk Management Issues
Managing cyber risk like any other risk requires a systematic approach that aids appropriate
decisions and measures to be taken at the right time. A useful risk management framework
for cyber risk could be structured as follows:
Step 1 – there is need to understand the firm’s or organisation’s cyber ecosystem. This
simply refers to an understanding of the extent to which an organisation’s activities,
processes and procedures are driven, dependant or influenced by IT.
Step 2 – Assess and understand the type of information or data that the firm or
organisation is holding. Focused and effective security controls can only be adopted
where there is a good understanding of the type and nature of information that the
organisation is holding.
Step 3 – Of the information or data that the firm is holding identify what components of
it are most valuable. This requires an assessment of the data’s legal and commercial
sensitivity. In addition, this step requires an understanding of the statutory and
regulatory requirements applicable to the data or information in question as well as its
business importance.
Step 4 – Identify where the data is located, who has access to it, at what intervals and
how. This is the stage where things could go wrong hence focused controls need to
target this step of the framework. If there are information vendors involved, these must
be managed and what they can access should be monitored.
Step 5 – Assess and measure potential impact of any data security breach on the
organisation and on 3rd parties.
Step 5 – Apply focused controls on potential areas of vulnerability. This requires
building secure and resilient IT systems.
Step 6 – Put in place an appropriate system of incident notification and remediation.
More often than not, cyber risk in the form of data breach requires some form of crisis
management system to be activated. In some cases, measures contemplated under
this stage of the risk management framework could be statutory or regulatory.

§

§

§

§

§
§
§

A fundamental aspect of cyber risk management is enhanced cyber security. In order to build
a secure and resilient IT system, it is important to bear the following in mind:
§
§
§
§

Know the firm’s crown jewels. The firm must understand what is at risk.
Know the firm’s threat landscape – every firm must know what cyber risk
means to it and its business operations.
Know what is needed to build a resilient IT system i.e. the firm must know
what is required to mitigate its exposure to cyber risk.
Take decisions and prioritize what needs to be done.

Cyber risk has the potential to precipitate a crisis for the affected firm for 3 reasons:
§

The scale of damage is usually extensive and sometimes it could be international

8

§
§

Speed of the impacts from a data breach incident
The scale of reputational damage that such events may cause – cyber risk can
undermine investor and customer confidence similar to a run on a bank

Unlike common risks that firms encounter on a routine basis and managed through the risk
register, cyber risk poses a complete different challenge because managing this risk type
through the risk register is unlikely to be adequate.
Furthermore, for cyber risk, reliance on insurance alone is unlikely to be adequate as well for
several reasons. The scope of insurance coverage is more likely than not to be limited or the
insurance may not even be available. In addition, insurance may not respond fast enough
especially where a data breach incident triggers a crisis. Insurance companies usually must
investigate and quantify the claim before indemnity is tendered. This takes valuable time that
an organisation facing a data breach crisis simply may not have.
Therefore, firms need a robust cyber risk governance framework resting on the following
blocks or pillars. These are:
§

§

§

§

An effective risk governance structure – this requires an understanding of the
operating model of the organisation concerned. Effective risk governance requires
an effective Board Risk Committee to be in place. This committee must be
independent of executive management to provide oversight on the effectiveness of
the organisation’s risk management system and processes. Governance forms the
‘human fire wall’ against cyber risk.
Effective risk assessment- Identity and access management system – this is a
complex process to manage. It requires the identity life cycle within the organisation
to be managed i.e. people joining and leaving the organisation. It is also helpful to
promote multi-factor authentication to ensure that only the right people have access
to the sensitive data. It is also a good practice to encourage regular change of
passwords by those with access to the data. Effective risk assessment involves
identifying and evaluating potential cyber risks and their potential impact on an
organisation's operations and assets. This assessment should be conducted
regularly to ensure that new risks are identified and addressed promptly. A
comprehensive set of policies and procedures should be developed to guide an
organisation's approach to managing cyber risks. These policies should cover areas
such as data classification, access controls, incident response, and employee
training and aware
Technical Controls/ Application security i.e. system applications used by the
organisation and their security. Applications that the firm uses for information
collection or dissemination must be as secure as possible. Technical controls, such
as firewalls, intrusion detection systems, and encryption, are critical components of
any cyber risk management framework. These controls should be implemented and
maintained to protect against cyber threats and vulnerabilities.
Vulnerability and patch management (i.e. configuration fixes) – vulnerability and
patch management focuses on 2 main aspects. The first is identifying possible
breaches and the other is putting in place remedial measures necessary to prevent
such and other breaches in future. Identifying possible breaches involves things such
as penetration testing, Vulnerability scans and application scans. Remedial

9

§

§

§

measures entails patch management i.e. system configuration fixes. The importance
of vulnerability and patch management is important because it enables effective
security measures to be developed ex ante rather than on an ex-post or reactive
basis.
Incident response – this requires that an organisation develops a system of incident
response along the following lines: (1) Identification of incident or data breach (2)
Containment of the incident (3) Eradication of the breach (4) Recovery (5) postincident measures. An incident response plan outlines the steps that an organisation
will take in the event of a cyber-attack or data breach. It should be regularly tested
and updated to ensure that it remains effective and relevant.
Employee training and awareness- Employees are often the weakest link in an
organization's cyber defenses. Therefore, a robust cyber risk management
framework should include ongoing employee training and awareness programs to
promote a culture of cybersecurity within the organisation.
Continuous monitoring and improvement- Cyber threats are constantly evolving, so
a robust cyber risk management framework should include ongoing monitoring and
regular review to identify new risks and vulnerabilities. This continuous improvement
process ensures that the organization's cyber defenses remain effective and up to
date.

A robust cyber risk management framework should include a comprehensive risk assessment,
policies and procedures, technical controls, an incident response plan, employee training and
awareness, and ongoing monitoring and improvement. By implementing these components,
organisations can effectively manage cyber risks and protect against cyber threats.
Therefore, we have seen that the information age is characterised by information technologyrelated risks. The priority in the management of these risks is to build secure and resilient IT
systems with insurance playing a complimentary role. The use of artificial intelligence to model
the impact of cyber risk on cash flows of firms is growing.

AM-PS (Reviewed April 2023)

10