ABSTRACT

Cyberspace is a virtual global domain used by all but owned by no one. It is open to attacks or failures from anyone. The size and enormity of this space are often unimaginable. Over the years, it has become better appreciated as more people all over the world joined cyberspace and started making use of it. As we all enjoy the speed, convenience and efficiency of adopting innovative digital solutions in our personal and business lives, our world becomes even more converged on the cloud and on servers that we suppose are secured. How best we can secure our personal lives, businesses and transactions in this space is now at the forefront of global recognition. In this light came cyber-insurance, whose global worth, according to Fitch Rating, is estimated to increase to over US$28 billion before 2026 [1]. Are Nigerian industry players well positioned to tap into this avenue as cyber-attacks continue to target data, especially with the increase of tech start-ups and establishments in the nation? This study sets out to find out. The crux of this article is to introduce cyber-insurance as a medium needed to cover business liability for data breaches. It also addresses why companies and businesses need cyber-insurance cover, what it covers, its costs, its benefits, the limitations of its introduction in Nigeria, what corporate entities can do in the meantime, the role of government in cyber-insurance policies and the role of lawyers in cyber-insurance practice.

INTRODUCTION

Interestingly, cyber insurance as a product line has been available for almost 25 years and exists today as packaged coverage. It is designed to cover all costs and expenses related to breaches when an organization has been hacked, or arising from theft and loss of client or employee information. Today the cyber insurance market is valued at over US$7.4 billion and will grow to US$28 billion by 2026, while Nigeria loses over ₦127 billion annually [2] to cyber-fraud (about 10% of our GDP), with cyber-insurance covering none of that cost. Similarly, the Global Threat Impact Index 2017 listed Nigeria (and four other African countries) amongst the world's highest-risk countries for cyber-attacks. The Federal Government had its fair share of cybercrime in 2011, when an anonymous Internet hacker group known as “NaijaCyberHacktivists” hacked the websites of the National Poverty Eradication Programme and the Niger Delta Development Commission; the website of the Economic and Financial Crimes Commission was also attacked in 2013. The Nigerian Electronic Fraud Forum Annual Report 2016 documented 19,531 fraud cases in Nigerian banks; the traditional channels recorded the lowest number. It also indicated that ₦2.19bn is lost to electronic payment fraud annually.

You may now want to ask: what is cyber-insurance? Cyber insurance is essentially a contract between an insurer and an individual or company to protect against losses related to computer or network-based incidents. It is also an insurance policy that helps protect organizations from the fallout of cyber-attacks and hacking threats. Cyber insurance generally covers your business's liability for a data breach involving sensitive customer information. According to Oellrich, cyber insurance (also referred to as e-business or network intrusion insurance) is a social scheme confronted with the task of protecting companies against losses resulting from failures in computer networks as a result of: data and software theft, external hacking, first- and third-party risks, internal sabotage and theft, computer malfunction, web content liability, viruses that impair or damage data, network outages, network congestion, business interruption, e-business extortion, copyright infringement, loss of reputation and other areas related to technology. Having a cyber-insurance policy helps minimize business disruption during a cyber-incident and its aftermath, and can potentially cover the financial cost of some elements of dealing with the attack and recovering from it. It can be an important risk management tool for strengthening information technology security and managing liability for tech companies and Nigerian banks.

CYBER-INSURANCE LEGAL FRAMEWORK IN NIGERIA

In Nigeria, there is no operational insurance company that offers policies to protect organizations from information technology-related risks. The lack of growth in Nigeria can be attributed either to a lack of understanding and awareness of the product or to a lack of incentive for insurance providers to offer cyber insurance products for the Nigerian market. Cyber-insurance is also not expressly provided for under the Insurance Act, 2004, but on a close reading the law does not expressly prohibit the creation of such a policy. Section 2 (5) of the Act [3] provides that an insurer “may be authorized to transact any new category of miscellaneous insurance business if he shows evidence of adequate reinsurance arrangement in respect of that category of insurance business and requisite capital where necessary and other conditions as may be required from time to time.” Section 16 of the Act [4] similarly provides a framework for approval of a new product. Likewise, the Central Bank of Nigeria Risk-Based Cybersecurity Framework [5] provides that cyber-insurance coverage should be considered as part of the security assurance program for Payment Service Providers. Major fintech companies are demanding cyber insurance cover against online theft. The Head, Enterprise Risk Management and Compliance, FBN Insurance Limited, Mr. Raymond Akalonu, noted that the cyber-insurance policy being offered in the country was underwritten by international brokers. According to him, re-insurance backing will be required to domesticate cyber-insurance in the country. The Assistant Executive Secretary, Nigerian Council of Registered Insurance Brokers, Mr. Temitope Adaramola, stated that less than 10 percent of underwriters were providing cyber-insurance policies through international brokers. This deficit requires prompt stakeholder and regulatory action to provide cyber-insurance products and to engender a facilitative regulatory framework to grow its operations in Nigeria.

WHY DO YOU NEED CYBER INSURANCE?

Any business with an online component, or one that sends or stores electronic data, can benefit from cyber insurance. Any organization that relies on technology to conduct its operations, especially a tech company, also needs cyber-insurance. Cyber-attacks will continue to grow over the years, and a single weak or vulnerable area in an operational entity is all that is needed to suffer damaging exposure of private data and information. Aima Higo, Unit Head Reinsurance at Allianz Nigeria Insurance Plc, said, “Although there is no 100% security in the cyber domain, dangers can only be reduced to an acceptable level by implementing a set of actions and by getting cyber insurance.” [6] Private personal data such as contact details of customers or staff, intellectual property, or sensitive financial data are all potentially very lucrative to cybercriminals, who could attempt to break into the network and steal them. There is also the potential for hackers to cripple a network with ransomware. A cyber insurance policy that covers ransomware could go a long way towards helping organizations that fall victim to attacks find a way out of their predicament. Cyber insurance claims can be triggered by many sorts of incidents, but right now the most common are ransomware, fund-transfer fraud attacks, and business email compromise scams.

WHAT DOES CYBER INSURANCE COVER?

It covers the following:

  1. Media Liability – Companies involved in media and entertainment, or with significant marketing activities such as advertising their services, can face claims of copyright infringement, plagiarism, defamation, disparagement, and other unauthorized use of material, names, or trademarks. Cyber-insurance covers these consequences with media liability insurance policies tailored to the needs of the insured party. However, a media liability insurance policy will only cover specific types of intellectual property claims arising out of the insured party's business, which is defined in the policy.
  2. Network Security – With information and privacy risks abounding, you need to keep your business covered against network security failure. This includes malware infection, business email compromise, cyber extortion demands, and ransomware.

     If you have cyber insurance, you can recover first-party costs related to:

       • IT forensics,
       • Data restoration,
       • Legal expenses,
       • Notifying your customers of the breach,
       • Public relations,
       • Identity restoration.
  3. Errors and Omissions – If a cyber-attack hits you, you could find yourself no longer able to fulfill your contractual obligations, and this may affect the whole operation of the company. Once there is a cyber-incident, time and resources are channeled towards addressing the repercussions and minimizing the damage. Customers may not understand; thus, the proactive measure is to protect yourself by investing in cyber insurance.
  4. Network Business Interruption – Businesses these days tend to rely on advanced technology to remain operational. In the event of an incident, some form of interruption is imminent. For instance, where your provider's network goes down, you can recover the expenses incurred and avoid losing profits as well. Think of system failures, unstable system patches, security failures, human error, and more.
  5. Privacy Liability – When a breach happens, it can expose the sensitive data of your customers that lies on your servers. As a result, your business could face unnecessary litigation that wastes its finances. Regulatory fines resulting from data breaches are another threat and could bring your company to its knees. Without insurance, you could find yourself closing your doors for good.

As comprehensive as it may be, do bear in mind that cyber insurance does not cover everything. Cyber insurance is still limited compared to the true amount of risk, so do not assume that all forms of cyber risk are covered by insurance. The financial damage caused by loss of intellectual property is not covered by cyber insurance, and neither are the reputational costs that can be incurred following a cyber-attack. It does not cover the loss of potential future profits, and it does not allow you to improve your existing internal technology systems or amass the funds to make security upgrades. For example, cyber insurance could pay out for the costs associated with dealing with the direct aftermath of a cyber-attack, but in the longer run the company may lose business due to a public perception that it has poor cyber-security. A cyber insurance policy will not cover the cost of losing customers due to the bad reputation the company picks up as a result of a cyber-attack.

One may now want to ask: how much does cyber insurance cost? The cost of a cyber-insurance policy depends on several factors, including the size of the business and its annual revenue. Other factors may include the industry the business operates in, the type of data that the business typically deals with, and the overall security of its network. An organization that is deemed to have poor cyber-security, or that has a history of falling victim to hackers or a data breach, would likely be charged more for a cyber-insurance policy than one that has a good reputation for keeping itself secure.

BENEFITS OF CYBER INSURANCE

Cyber-insurance policies are created to suit your needs and offer many important benefits, which may include the following [7]:

  1. Business cover – If your organization experiences an IT failure or cyber-attack that disrupts your business operations, your insurer may cover your loss of income during the interruption. Increased costs to your business operations in the aftermath of a cyber-attack may also be covered.
  2. Privacy breach costs – In developed countries, cyber-insurance policies will either have a single clause or be split into two separate clauses: breach costs and privacy liability. A breach costs clause provides cover for costs that arise from dealing with a security breach, such as notifying customers. A privacy liability clause provides cover for privacy infringement claims and associated legal costs in the event of a breach, which is critical for all organizations that handle or store personal information.
  3. Cyber-extortion cover – A cyber-insurance policy may cover you if your organization is infected by ransomware or any other malicious software that attempts to seize control of, and withhold access to, your operational or personal data until a fee is paid.
  4. Digital asset replacement expenses – If your organization's digital assets are lost, corrupted, or altered in any way by a cyber-criminal, a cyber-insurance policy may cover the costs.
  5. Forensic support – This provides your organization with near-immediate 24/7 support from cyber-specialists following a hack or data breach.
  6. Management liability cover – In this era of increased executive accountability and transparency, a cyber-insurance policy may cover costs associated with defending senior management from cyber-attack fallout.
  7. Improved standard of security – The work done by insurance companies could improve and redefine security standards.

Finally, cyber-insurance allows cyber-security risks to be distributed fairly, with higher premiums for companies whose expected loss from such risks is greater. This avoids potentially dangerous concentration of risk while also preventing freeriding.

LIMITATIONS OF CYBER-INSURANCE IN NIGERIA

Cyber-insurance is still a nascent phenomenon that is yet to find its footing in Nigeria. A lack of awareness and underwriting experience, a dearth of industry data on cybercrime and related losses, the unpredictability of cyber risks, and the high correlation of one type of cyber risk with another could be some of the debilitating factors. [8] As digital eruption gradually takes over manual services in every sector, including government parastatals in Nigeria, cyber insurance-related work could also be a goldmine for professional service providers to the insurance industry. Nigerian insurance brokers could leverage these opportunities by partnering with foreign insurance firms that have vast experience in cyber insurance to provide various products.

WHAT ARE THE MEASURES COMPANIES SHOULD TAKE IN THE MEANTIME?

It is pertinent to note that there is no one-size-fits-all solution in cyber-insurance. Thus, a business must be protected on multiple fronts.

  1. Practice Cyber Resilience – This entails a fusion of information security and business continuity strategies. A resilient organization can withstand attacks or failures and, in such instances, quickly re-establish itself in operational mode. To achieve this, a seven-fold approach which includes being strategic, building capacity, strengthening the process, automating inform and transform, measure and monitor, cyber insurance and collaboration will serve as a human firewall for companies and organizations to curb unprecedented cyber risks.
  2. Update often – As soon as developers discover a program or OS vulnerability, they rush to release a security update for it. But if you do not take the time to install it, it may not help you in time.
  3. Invest in cyber-security solutions – For starters, you should protect your systems against malware infection by using antivirus software. Other software such as firewalls, VPNs, monitoring programs, and so on can also be of help.
  4. Educate yourself and your employees – For organizations, it is important to educate your staff on how to protect your business against digital threats. For instance, by knowing what a VPN is and how to use it, employees can protect sensitive data from being intercepted by hackers.

WHAT ROLE CAN AND SHOULD GOVERNMENT PLAY IN FOSTERING CYBER-INSURANCE IN NIGERIA?

The potential for cyber insurance coverage to contribute to risk reduction and the management of cyber losses will only be achieved if the market can meet the most important needs of commercial and individual policyholders. The Nigerian Government can potentially play a role in supporting the development of the market and maximizing the contribution it makes to manage this fast-evolving risk by examining ways to address the main impediments to the cyber-insurance market development, particularly across the following priorities:

  1. Understand impediments and gaps of the market – As losses from cyber incidents increase, the benefits of and interest in having insurance coverage for this risk are increasing. However, several impediments and gaps in the market stand in the way of coverage becoming widely available and responsive to demand. The National Assembly is encouraged to work further in this direction and to publish a policy report proposing policy recommendations that address the impediments to market development and the availability of cyber insurance. This report, which will be provided to G7 countries, will contribute to their discussion on possible actions that can be taken going forward.
  2. Improving the data available for quantifying exposures – More comprehensive data on the frequency and impact of cyber incidents (and the related claims payments) would provide more confidence in the underwriting of insurance coverage for cyber risk, and therefore should support availability and affordability. The development of a more comprehensive data set on cyber incidents would likely require:

     (i) A common classification of cyber incidents and types of losses;

     (ii) A trusted party (e.g. government agency) to collect and report the data; and

     (iii) Incentives (or requirements) for reporting by companies affected by cyber incidents and insurance companies that have paid related claims.

  3. Improving public policies to manage cyber risk – The Nigerian government has adopted national cyber-security or digital security strategies. However, while these strategies aim at improving awareness about cyber risk, they do not address cyber-insurance as an economic and social risk management avenue for business in the wake of the rise of tech businesses and start-ups. A national strategy could include incentives for businesses to measure and manage their exposure to cyber risk. In particular, corporate governance practices can provide an avenue to foster the integration of cyber risk into the broader enterprise risk management framework. A national strategy could also consider the benefit of further cooperation and coordination between the government bodies in charge of cyber security, which should include insurance brokers.

Finally, governments can play a role in ensuring that clarity is provided on the extent of coverage for cyber risk included in stand-alone and traditional policies by encouraging the insurance brokers and policyholder communities to develop a common understanding about the appropriate place for cyber coverage and/or establishing requirements for insurers to provide greater transparency on the coverage provided (and losses that are excluded). [9] This would be particularly important for SMEs and individuals.

WHAT WILL BE THE ROLE OF LAWYERS IN CYBER-INSURANCE PRACTICE?

Most of our engagements will be in areas that are confidential, which include:

  1. Represent a client that manages loyalty programs to recover insurance proceeds for losses and liabilities due to fraudulent exfiltration via a spear-phishing attack followed by installation of suspected malware.
  2. Assist with structuring and negotiating insurance programs for government to protect against cyber loss across a wide range of industries including banking, education, health care, technology, media and entertainment, energy, and manufacturing.
  3. Assist policyholders in evaluating, negotiating, and enforcing their cyber liability insurance policies.
  4. Help organizations ensure that each type of insurance policy they have is well coordinated with the other types of insurance plan they have already purchased, to help avoid gaps in coverage, eliminate duplicate coverage and potentially reduce insurance cost.
  5. Advise numerous fintech companies and financial institutions on data breach issues.
  6. Represent insurers at all stages from policy drafting and negotiation, through claim analysis and monitoring, to coverage litigation or alternative dispute resolution.
  7. First-party coverage under cyber policies for privacy counsel, forensic investigations, notification costs, credit monitoring, etc.
  8. Data security-related claims associated with investigations by federal and state regulatory authorities.
  9. Claims by banks, financial institutions, fintech companies, and businesses involving large-scale data security breaches involving sensitive health or financial information.
  10. Represent insurers under cyber and other professional liability policies in connection with large-scale breaches of payment cards and other sensitive information.
  11. Advise insurers in drafting key policy terms under cyber form and in negotiating requested changes through endorsements with key broker representatives.
  12. Advise insurers in connection with multiple breaches suffered during consecutive policy periods and tender under multiple policy periods.
  13. Represent cyber insurers in connection with multi-faceted and sophisticated cyber-attacks perpetrated by a foreign nation-state.
  14. Represent trade associations in connection with filing amicus curiae briefs in support of industry on insurance coverage for data security exposures.

CONCLUSION

As the frequency of cyber-attacks continues to increase and cybercriminals get more brazen with their campaigns, cyber insurance remains an important consideration for everyone. The more a company depends on technology, the greater its role. Risk assessment lies on the shoulders of the company. A data breach can damage more than just your small-business computer system – it can also damage your reputation and put your customers and/or employees at risk. That is why cyber insurance can be a smart precaution for any business. [10] We must start to take a more proactive approach to cyber-security now that cyber insurance brokers and lawyers are starting to serve as risk advisors and partners for your business operations.

Originally Published 1st December 2021

Footnotes

1 Fitch Cyber-Insurance Rating, 2019.

2 The Former Minister of Technology, Adebayo Shittu, during a Cyber-security Conference in 2017.

3 Insurance Act, Cap C20, Laws of the Federation of Nigeria 2004.

4 Insurance Act, Cap C20, Laws of the Federation of Nigeria 2004.

5 Appendix III (9) of the Central Bank of Nigeria June Risk-Based Cybersecurity Framework and Guidelines for Payment Service Providers.

6 Allianz Nigeria Webinar on the “Increasing Impact of Cyber Attacks: A case for Cyber Insurance.” Retrieved from: https://www.allianz.ng/media-center/blog/thought-leadership-on-cyber-insurance.html

7 Neil McFarlane, “Benefits of Cyber-Insurance”, 14th November 2017. Retrieved from: https://www.linkedin.com/pulse/benefits-cyber-insurance-neil-mcfarlane

8 Gabriel Fatokunbo, “Opportunity setting; Telescoping Potentials of Cyber-insurance in Nigeria”, 25th June 2020. Retrieved from: https://www.mondaq.com/nigeria/insurance-laws-and-products/958258/opportunity-spotting-telescoping-potentials-for-cyber-insurance-in-nigeria

9 For example, the UK Prudential Regulation Authority recently published a consultation paper recommending that insurers explicitly indicate (and charge premiums for) coverage provided for cyber security incidents in traditional policies. In France, an exercise led by IRT System X has resulted in the development of a matrix showing the areas of coverage of cyber risk provided by stand-alone cyber and various traditional policies in the French market.

10 Danny Palmer, “What is cyber insurance? Everything you need to know about what it covers and how it works”, 5th March 2021. Retrieved from: https://www.zdnet.com/article/what-is-cyber-insurance-everything-you-need-to-know-about-what-it-covers-and-how-it-works/
