When Cyber Insurance Meets Data Privacy Legislation

Published: 2021-08-09

Data Privacy legislation outlines the responsibilities of Data Processors and Responsible Parties, and aims to protect the interests of the ultimate owner of personal information, the Data Subject. In an age where data breaches have become daily occurrences, Cyber Insurance has also had to undergo a rethink in order to adequately cover the Data Processors themselves.

I recently caught up with @ZamaniNgidi who is a Client Manager for Cyber at Aon South Africa. Having qualified with UNISA in Risk Management, and as an ISO/IEC Information Security Lead Auditor, Zamani knows a thing or two about managing Cyber and Regulatory Risk. Zamani also published an important paper on Cyber Insurance in the age of POPIA in South Africa, which has been doing the rounds in industry.

KEN: I found your recently published paper interesting as it brings together the discussion on an important value chain.

How do you quantify the risk and adequately cover for the unknown especially when you look at the volume of data in the hands of the Responsible Parties and Data Processors and the sheer velocity of data breach incidents these days?

ZAMANI: It’s helpful that we have a lot of data that supports our insights. In 2016 Aon acquired Stroz Friedberg, a specialist Incident Response firm operating across multiple geographical locations globally. With that acquisition there was a great deal of data gathered, as well as the work that we have done pre-emptively developing scenarios for our clients, supported with the claims stats we see from the insurance side – Aon is able to predict loss scenarios which can give clients a better understanding of what their potential threats are. Obviously, it’s not a crystal ball, but it’s far better being prepared for what is known than simply relying on management intuition to support what the loss scenarios would look like.

KEN: In plain language, which cyber and regulatory risks are insurable and which ones are not?

ZAMANI: What can be insured is Event Management expenses (Incident response, network business interruption, investigations etc.), as well as the subsequent liability from information being lost as a result of a criminal or hacker stealing information. This includes the cost of undertaking regulatory investigations and the like. The insurability of fines, however, is still a contentious topic globally and is still playing itself out in some Courts, as it infringes on public policy.

KEN: What are some practical steps organisations can take to proactively manage their Cyber Insurance premiums?

ZAMANI: Ultimately, clients need to start being proactive around cyber risk management, develop proper plans to protect their environment and understand that there has to be a return on investment, on the spend that they allocate to protect their critical assets. What that means is that, over time, organisations will have to retain more risk via increasing deductible structures in their insurance policies, which goes hand-in-hand with them having confidence in their contingency strategies, as well as the likelihood of meeting their recovery time objectives, implementing disaster recovery plans and the like.

It’s also important to note that most of the insurance carriers that offer this type of insurance are global, so it would be of some benefit to implement some sort of recognized IT security best practices, which gives them some comfort that the organisation has a level of risk maturity.

KEN: Thank you, Zamani, for taking the time to unlock this topical issue and for putting it all in easy-to-understand terms. I look forward to catching up with you again as more developments in this field come to the fore!

Author: Zamani Ngidi/Ken Chikwanha

Last Updated: 2021-08-09T13:43
