Munich Re: A journey from concept to comprehensive Cyber Risk Insurance

 

24-11-22 / By Munich Re


Companies conducting their business in the digital age are at greater risk from cybercrime than ever, with an unprecedented spike in the number of reported incidents in both 2020 and 2021. To make matters worse, cybercriminals are developing and fine-tuning sophisticated methods that not only gain access to a company’s IT systems but allow them to evade detection while they carry out their nefarious activities. However, cybercrime is merely one of many cyber perils that can result in first-party losses and/or third-party liability exposure to companies, and for which stakeholders must devise suitable risk mitigation and risk transfer solutions.

There are many misconceptions about cyber risk, beginning with what it entails, and escalating to how the insurance and reinsurance sectors should mitigate or transfer the risk that attaches to it. “It is not possible to discuss cyber risk without a basic understanding of the topic,” says Munich Re of Africa (MRoA) CEO, Nico Conradie. “At Munich Re, we define cyber risk as those risks arising from the storage, usage, computation and/or transmission of electronic data. Cyber risk arises from various causes, including malicious actions by hackers, or inadvertently, due to human error”. For the most part, the media is focused on the malicious or criminal aspects of cyber risks; but there are many other types of equally important cyber perils that should be covered.

The advent of the fourth industrial revolution (4IR) has brought with it a connected, always-on environment in which cybercriminals have unlimited opportunity. Statista.com estimates that there will be 30.9 billion connected electronic devices by 2025, creating a massive, global Internet of Things (IoT) that is increasingly targeted by cybercriminals. Wolfgang Boffo, who looks after Munich Re’s Business Development and Underwriting of Cyber Risks for Southern Africa, says that each of these connected devices creates a node from which a hacker could potentially gain access to a system, or launch an attack.

“There is a growing need for firms to have an effective cybersecurity risk management strategy which entails pre- and post-incident mitigation measures; those who fail to implement such strategies risk falling behind the ever-evolving attacks emanating from the cyber risk landscape,” says Boffo. Some of the most essential and effective pre-incident cyber risk mitigation strategies include conducting a risk assessment to determine vulnerabilities; establishing network access controls; implementing firewalls and antivirus software; regularly performing security patching; monitoring network traffic; building and regularly testing an incident response plan; and, most importantly, conducting annual employee awareness training on cyber risk.

Conradie points out that the aforementioned risk mitigation measures can be viewed as a type of digital ‘vaccine’; but he warns that even the most comprehensive risk mitigation plan has weaknesses. “The insurance industry supports risk mitigation and offers pre- and post- services to help to make the insured more resilient in the event they get hit; and if they do get hit, we do what insurers do, namely cover part of the cost,” he says. “Taking out cyber insurance is arguably the most important and prominent aspect of cyber risk transfer, alongside indemnification clauses in third party contracts”. The elevation of cyber risk and cybercrime on global risk reports has led to a significant increase in the uptake of cyber insurance covers among companies worldwide.

“Companies cannot afford to be complacent, as a cyberattack in the absence of a proper risk mitigation and transfer strategy could prove fatal,” says Boffo. He warns that so-called cyber fatigue could present risks at an individual employee level. For example, employees who neglect to restart their computer so that an essential security patch can be put in place could create a security gap for the entire enterprise. Regular employee awareness training is thus an essential component of overall IT security, with each employee encouraged to accept the realities of cyber risk. It is a question of when, not if, cyber risk will impact your enterprise.

South Africa is no stranger to cyberattacks following the widespread publicity around the July 2021 Transnet port hacks, and more recently, breaches at the Department of Justice (DoJ). These attacks illustrate that the country’s state-owned entities and institutions are in the same boat as private sector firms insofar as cyber risk is concerned. “The DoJ hack is an example of the disastrous consequences of a ransomware attack; over a month following the hack, the department was still not up and running as normal,” comments Boffo. He says that having a robust information security infrastructure is the most basic way to fend off cyberattacks. Governments should therefore focus on rolling out national strategies for cybersecurity, including the development of best practices in cyber risk mitigation.

Africa offers rich insurance opportunities; but for now, Munich Re is focusing on the South African cyber risk market. A September 2021 IDC Cybersecurity survey, commissioned by Microsoft, shows that half of South African business leaders are concerned with the consequences of security breaches, indicating a vast cyber insurance market potential. “We adhere to a holistic approach in regard to managing cyber risk in Africa and it remains our focus to provide pre- and post-incident services in addition to traditional insurance products,” says Conradie. Munich Re is assisting primary insurance partners with a comprehensive service model that includes risk assessment, wording, pricing support, accumulation control, claims and response services.

“We should all conduct our businesses on a ‘not if, but when’ basis insofar as cyber risks are concerned,” concludes Conradie, adding that Munich Re has been recognised as Cyber Reinsurer of the Year for the past five years. Local businesses seeking a cyber risk partner can draw comfort from a global reinsurance brand that holds more than 10% of the global cyber insurance market. And, according to Conradie, the reinsurer already boasts a multi-year record of protecting clients from ever-increasing cyber risks: “We differentiate our services by entering long-term partnerships that involve commitments from both sides, and developing tailor-made solutions, co-created between reinsurer and cedent”.
