This article was originally published in The Oath (Issue 135 October 2024).
In today’s interconnected world, Domino Day always seems to be around the corner. This was reconfirmed in July 2024, when a faulty content update that the IT security firm CrowdStrike pushed to its Falcon endpoint sensor crashed millions of Windows systems around the world and caused a massive IT outage. According to several sources, total losses amounted to USD 5 billion, of which approximately USD 400 million to USD 1.5 billion was insured.
With the help of experts in the field of law, IT security, and cyber underwriting, this article provides insights into the application of cyber insurance for organisations in the UAE and the MENA region. Cyber insurance is often referred to as a 'Cyber Risk Management tool', as it is designed to help organisations manage and mitigate the risks associated with cyber threats and security failure incidents. The coverage is typically split into three parts:
- Breach Response: covers the expert services needed to manage and contain an event or incident. This includes incident response costs (the IT forensic experts engaged to investigate and contain the incident) and data breach costs (notifying affected customers, providing credit monitoring services, and restoring lost or damaged data).
- First Party Loss: direct loss incurred by the insured, including business interruption costs such as the loss of revenue and profits when a cyberattack disrupts business operations. First party loss also extends to fines and penalties imposed on the business by government regulators for failing to protect customer data, to the extent that such fines are insurable by law.
- Third Party Loss: claims and damages (suits) brought against the insured, including the legal fees of defending lawsuits filed against the business as a result of a cyberattack or security failure incident.
As with any insurance policy, it is important that the insured understands the exclusions. For example, direct financial loss from fraudulent transfers (invoice fraud, social engineering) is commonly excluded from a cyber policy unless a specific extension for it is purchased; otherwise such loss is picked up by a comprehensive crime policy. Equally, the CrowdStrike outage was a non-malicious vendor failure rather than an attack, and whether a cyber policy responds to that kind of event depends on whether the wording includes system failure and dependent business interruption cover, so this is worth checking before an incident rather than after one.
Cyber Security Business Continuity Planning
To get a feel for potential vulnerabilities and the importance of a cyber security business continuity plan, Neil Haskins, Group Head of Security & Governance at Almosafer, shared a practical scenario:
"Your business has been hit with a cyber-attack. Malware has begun attacking your endpoints. Your users are ringing up; they can’t use their computers. We can’t ship the product, and our website is down. Then the CEO rings… what do you do? What went wrong? Why didn’t your firewall work? You bought an expensive Data Loss Prevention tool. Why didn’t that stop this? Why isn’t your security operations team fixing this?"
Is disaster recovery, incident response, or business continuity a technology problem? Let's delve into the concept of cyber resilience. It is not just about bouncing back from an incident, but also about being prepared to do so. It is about recovering your business operations as quickly and safely as possible with minimal impact. To achieve this, meticulous planning is key. Remember, ‘if you fail to plan, you plan to fail.’
Let's go back to the start. Cybersecurity is risk management. Our consultant friends would say, “It’s a combination of people, process, and technology.” Of course, you need the technology to build a robust, resilient cyber defence… but which technology? There are so many areas to choose from. Where should your business invest? Do you need to buy advanced forensic tools or hire people to sit and wait for an incident?
That brings us to people. Who do you hire? How many? And how much should you pay them?
Finally, processes: What should you have in place in the event of an incident? Who runs it, and what do you tell the customers, the regulators, the board, or even the media?
So let's take it back even further. “Attack is the secret of defence; defence is the planning of an attack.” First things first, what are your crown jewels? What are the most important things to your business, mission critical?
Now, how can these be impacted? Could they be stolen, disrupted, or deleted? How would that happen? Who might do it? All these questions help you evaluate the risks, enabling you to build a mitigation plan.
With all this information, you can now start to build your defence. You can implement technology, engage a skilled security operations team, train your colleagues, and invest in cyber insurance. These are all part of a combined approach to risk management.
Think of your cyber insurance partner as a Tier 1 operator. They are ready to parachute experienced experts onto the ground and spring into action at a moment’s notice. The cyber insurance team has already worked with you to evaluate your defences, identify weaknesses, and underwrite the risks. They have pinpointed where additional controls are required, providing you with a safety net in the event of an attack.
Understanding when to initiate a response is as crucial as the response itself.
In the event of a cyber incident, it is time to hit the big red button. Having a team manage your customer notifications, liaise with the regulators, and provide financial support for fines and penalties is invaluable. This team, with its wealth of experience, not only supports your internal team but also instils confidence in all your external stakeholders that the situation is under control.
The Legal Perspective
International law firm Kennedys is the dedicated legal response partner for the cyber offering by GIG Gulf, the largest regional insurance company across MENA. Peter Ellingham, partner at Kennedys, explains the impact of the new UAE data protection law on businesses and the importance of proficient legal assistance when dealing with a cyber attack or security breach.
The recently introduced Personal Data Protection Law (PDPL) in the UAE represents a significant shift in the way businesses must process and protect personal data. The PDPL aligns closely with global data protection regimes such as the GDPR, setting new stringent standards for data processing and protection.
Compliance is now more crucial than ever, as organisations face increased regulatory scrutiny and legal risks if they fail to meet these new requirements. In today's evolving cyber landscape, companies must focus on strengthening their data protection strategies to avoid breaches and protect sensitive information, as well as ensuring that they have an incident response process in place.
In response to these changes, Kennedys has seen a marked shift toward proactive engagement in data protection across the region over the past 12 months. More businesses are moving to make data protection a board-level priority, ensuring their internal incident response (IR) plans are robust and fit for purpose. Leading organisations are also conducting regular tabletop exercises to stress-test their IR strategies in real-world scenarios. However, while progress is being made, there is still much more work to be done to elevate the entire market to these new standards.
Incident response is far more than a technical task for IT teams; it involves every corner of a business. Our IR team supports businesses across a spectrum of critical areas, from managing customer and client communications during an incident to navigating complex contractual issues arising from business interruptions. We also address regulatory compliance and legal considerations around ransom demands, global data frameworks, and work with other experts to ensure businesses mitigate long-tail risks such as litigation and business continuity. This is only the beginning of the UAE’s evolving data protection landscape, and we expect substantial growth in this space over the next five years.
The Underwriter’s Perspective
Liji Philip, regional head of casualty at GIG Gulf, oversees the underwriting of GIG’s cyber offering across the region. Recently, GIG partnered with Swiss Re, a leading global reinsurer, to enhance their cyber offering. Philip explains the key elements of the underwriting process at GIG and provides insights into regional trends, including claim examples.
At GIG, the first step in the underwriting process is to gather information to better understand what the insured does from a core operations perspective. This then becomes the basis to streamline policy terms and conditions that best suit deemed exposures. Risk analysis revolves around potential hazards and the probability of claims from a frequency vs. severity perspective. Premium calculation, based on factors like deductibles, limits, and extensions, is the last step to ascertain the best cost vs. cover position.
Regional claims to note are predominantly around the following loss events:
- Data encryption, business interruption, and/or reputational damage
- Extortion claims (although not many make it to the news)
- Phishing attacks (on the rise), resulting in financial loss or identity theft
- Business Email Compromise (BEC) via fraudulent transfers
- Denial of Service (DoS) attacks resulting in notable business interruption losses
The global cyber insurance market tripled in volume in the five years ending in 2022, according to the Swiss Re Institute, with direct written premiums worldwide totalling an estimated USD 13 billion. In the UAE and across the region, the proportion of uninsured cyber risks is still high. However, with increasing threats from aggressive cyber criminals, new technologies and dependencies, as well as geopolitical crises, risk awareness is growing. As such, we are experiencing greater interest and uptake of policies.
Summary
In conclusion, there are multiple factors driving the growth of cyber insurance uptake across the region. The fact that insurers can offer meaningful, tailored policies and solutions to protect companies against the evolving landscape of cyber risks is key. The risk management framework that comes with a well-structured policy is a major benefit, providing peace of mind that a range of different experts have the insured's back in the event of a cyber or security failure event. As with anything in business, it is important that insureds periodically check and rehearse their internal procedures (for example through tabletop exercises) to ensure they join up seamlessly with the incident response services of the cyber policy in place. With the ever-evolving adoption of technology in business, we are still at the beginning of what is to come.
Authors:
- Alexander Blom, CEO, Viva Insurance Brokers
- Neil Haskins, group head of security & governance, Almosafer
- Peter Ellingham, partner, Kennedys
- Liji Philip, regional head of casualty, GIG Gulf