Africa insurers under cybersecurity crisis radar, warn industry experts

Cynthia Ezekwe

The rapid pace of change in the cyber security landscape is presenting unique challenges for the insurance industry, and experts are calling for greater capacity to meet these challenges. With cyber attacks on the rise and the cost of data breaches increasing, insurers need to be prepared to address these risks effectively, experts say.

The ever-increasing number and severity of cyber attacks pose a serious threat to organisations and individuals alike. As more and more data is stored online and companies rely heavily on digital technologies, they become more vulnerable to a range of cyber threats, such as data breaches, phishing attacks, and ransomware. In response to this growing risk, experts have recommended that organisations adopt a comprehensive approach to cybersecurity that includes both proactive measures to prevent attacks and robust incident response capabilities to mitigate the damage should an attack occur.

In a recent webinar co-hosted by the West African Insurance Companies Association (WAICA) and the Organisation of Eastern & Southern Africa Insurers (OESAI), industry experts warned that businesses need to take cyber insurance seriously given the growing threat of cyber attacks. The webinar tagged “Cyber Insurance Capacity Development,” converged industry experts who discussed the importance of cyber insurance and how insurers can build their capacity to better serve their clients.

As part of the discussion, the experts emphasised the need for insurers to keep up with the ever-changing cyber threat landscape and tailor policies to meet the specific needs of their customers. The speakers also stressed the need for insurers to enhance their data collection and analysis capabilities to better assess the risk of cyber attacks. 

Michael Kofi Ando, acting commissioner, National Insurance Commission of Ghana, in an opening remark, noted that cyber security incidents are now a daily occurrence due to the widespread use of technology globally. He stressed that although the insurance industry in the sub-region is still in the early stages of developing cyber insurance products, regulators and insurance companies must work together to create an enabling environment for these products.

Ando noted that there is a huge cyber exposure gap, stating that the African Insurance market is still significantly under the reality that insurance companies do not have solutions that address the protection gap.

According to the African magazine article referenced by the commissioner, 90 percent of African businesses are operating without any cyber security measures in place, leaving them vulnerable to a wide range of cyber threats, such as hacking, phishing, ransomware, and other forms of cybercrime.

Ando highlighted the gaps or challenges that needs critical thinking by insurance practitioners to include:

–  The low capacity of insurance companies to design standardised cyber insurance products that are all encompassing in addressing cyber risks.

–  The slowness of the market to innovate and design solutions that address trends relating to cyber insurance and 

–  Lack of interest by regulators to promote the development and regulation of the cyber insurance market.

To address these risks and ensure the development of the insurance market, Ando pointed out a number of key structural changes that need to be addressed. The commissioner suggested that insurance companies and reinsurance companies should work together to offer cyber insurance products with broader coverage, such as cyber liability for both first-party and third-party costs, defence costs, negligence, breach of contract, social engineering, fraudulent transfer losses, and more.

As part of his suggestions, the commissioner also stressed the need for insurance companies to have effective risk mitigation measures in place to reduce cyber risks. For example, he suggested that insurers should establish a process to assess the cyber risk profile of their clients, in order to design tailor-made insurance policies that address their specific needs.

“Beyond the industry we also need to leverage on laws and institutions to manage this risk. I know that in a number of countries cyber security laws have been passed and institutions have been established and it is important that we collaborate with such institutions and leverage on these legal instruments to help us in mitigation of this risk that is becoming very important,’’ Ando said.

According to the commissioner, the insurance industry must be intentional about building its capacity to address the increasing risk of cyber attacks. He called for the support of regulators such as the National Insurance Commission to develop regulations for cyber insurance and provide more tailored and comprehensive products that meet the needs of the market.

“The curriculum of insurance colleges and training institutions must be extended to include specialised courses in cyber risks. This will greatly help to raise awareness and develop the capacity of practitioners in relation to cyber insurance,’’ he added.

Kashifu Inuwa Abdullahi, director general of the National Information Technology Development Agency (NITDA), highlighted the growing cyber risk in the digital age, stating that the increasing number of mobile subscribers in West Africa is leading to an exponential increase in cyber risk.

Abdullahi, who was  represented by Emmanuel Edeth, director,  standards and regulation (NITDA), noted that Africa alone lost about $3.8 billion to cyber crime in 2020, adding that 36 percent  of these total losses came from West Africa.

Edeth explained that cyber insurance is not a substitute for cyber security, but rather a means to build trust and confidence in digital technology in the sub-region. He explained that cyber insurance can help to mitigate the financial impact of losses associated with cyber risk, such as non-compliance with regulatory requirements, loss of data, and other risks related to the use of digital technologies.

The NITDA  director stressed that the primary objective of the agency is to promote the use of digital technology for economic growth while ensuring that people can use this technology safely, regardless of their background or purpose. He stated that cyber insurance is an essential element of any business, government, or individual’s cyber risk management strategy, as it helps to enhance digital security and facilitate economic growth as well as digital transformation goals.

Edeth pointed out that cyber insurance will provide an added layer to security and trust in West Africa and indeed,  Africa; and also provide the necessary maturity in the  local markets for digital investment digital technologies and the use of digital goods and services across the board.

On his part, Adekunle Ajiboye, chief executive officer, Aajimatics, an electronic technologies solutions and services firm, while referencing a report by the Africa Cyber Security Centre, pointed out that there were over 10 million cyber attacks recorded in Africa in 2021 compared to previous years, which is quite significant, compared to the previous number of attacks in the region.

Ajiboye noted that despite the clear evidence that cybercrime is on the rise in Africa, there has been a relatively slow uptake of cyber insurance on the continent compared to Europe and other parts of the world.

According to a report by Marsh Africa, only 10 percent of businesses in Africa have cyber insurance, compared to 30 per cent in Europe and 40 percent in the United States.

Pointing out the reasons for the low uptake of cyber insurance in the region, Ajiboye  said, “There are several reasons why businesses in Africa are slow to adopt cyber insurance. One of the major reasons is the majority of businesses are not aware of their level of exposure to cyber risks. Others perceive cyber insurance premiums to be either too expensive or an  unnecessary expense, especially small businesses.

The limited availability of coverage is also another barrier as not all insurers have the necessary reinsurance treaties to offer cyber insurance in Africa, and those that do may not offer the same level of coverage as insurers in other parts of the world.’’

According to the Aajimatics CEO, one of the reasons for the slow uptake of cyber insurance in Africa is the complexity and length of the process involved in obtaining it. In addition, there has been a lack of enforcement of cyber laws in many African countries, which has further hampered the development of the cyber insurance market.

Ajiboye urged businesses in Africa to take more steps to protect themselves from cyber crime.  He  explained that businesses need to continually train their employees in cybersecurity best practices including multi-layered access verification, to the various official systems and applications.

He cited the example of Chubb, the world’s largest publicly traded insurance company, which was hit by a ransomware attack. The Maze ransomware, a sophisticated and highly contagious variant, rapidly spread across the company’s network, causing significant disruption. This incident highlights the risks that insurance companies face from cyber attacks and the importance of implementing robust security measures to protect themselves.

“Zurich, another large insurance carrier, suffered a data breach that exposed auto policyholders PII and policy information for both current and former customers. The data breach only affected Japan which included last names, dates of births, genders, email address, policy numbers, customer IDs, vehicle names, grades, and other insurance related information,’’ he added.

Ajiboye pointed to an incident in which his firm Aajimatics was called in to respond to a ransomware attack on a financial services company in Nigeria. He noted that many cyber attacks go unreported, which contributes to the underreporting of cyber attacks in the region.

Experts in the insurance industry believe that in order to effectively meet the challenges of the digital age, insurers need to take a multi-faceted approach to strengthening their capacity. This includes developing specialised products and data analytics capabilities, as well as incident response plans, regular training, and testing to ensure they are prepared to effectively respond to cyber incidents. This approach will enable insurers to provide comprehensive cyber risk protection to their clients and help to reduce the financial and reputational impact of cyber attacks.

They contended that by following this approach, the insurance industry can play a key role in helping organisations to reduce their exposure to cyber risks and recover from cyber incidents.