Using cyber insurance to bolster cybersecurity in the Middle East and Africa

Organizations in the Middle East & Africa should take the appropriate action and proactively build their cyber resilience program, including risk transfer.

Cyber insurance — one of the newest and most rapidly evolving insurance lines — provides a financial backstop that enables innovation and risk taking in our increasingly digitised world. At the same time, cyber insurance plays an increasingly important role in risk management strategy in the Middle East and Africa (MEA) region and elsewhere, influencing the adoption of best practices and controls.

63% of surveyed MEA companies purchase some type of cyber insurance, according to a recent report from Marsh and Microsoft. The report also found that companies with cyber insurance are likely to have taken more actions to build cybersecurity and to have stricter controls in place than those without.

Among MEA respondents whose companies purchase cyber insurance, 75% said cyber insurance is worth purchasing to safeguard against the risks and potential costs of a cyberattack. In addition, 54% said they could not afford all of the potential costs of a cyberattack without insurance.

All companies face potential cyberattacks

Considering that 66% of survey respondents in the MEA region — and 73% globally — said their companies had experienced a cyberattack over a recent 12-month period, it is clear that cyberattacks have become a matter of when, not if.

Since the risk of cyber incidents is a constant and evolving threat, it is hard to overstate the importance of building cyber resilience versus simply preventing incidents. Organisations should thus develop cyber-specific, enterprise-wide goals that include cyber insurance as well as cybersecurity measures, data and analytics, and incident response plans. 

Introduced in the late 1990s, cyber insurance has proven resilient, developing into a product that addresses an array of digitally derived risks and effectively pays claims as intended. Perhaps equally important, cyber insurance creates a valuable feedback loop — as insurers learn from claims, they can shift their underwriting focus to controls that can help mitigate damage. 

The result is that companies are better able to manage risks responsibly and holistically, with insurance positioned as an important part of cyber risk management strategy, influencing the adoption of best practices and controls. In fact, the use of certain cyber hygiene controls is now a minimum requirement for most insurers, with organisations’ potential insurability on the line. 

In our report, 59% of MEA respondents that purchased cyber coverage — compared to 41% globally — said insurers’ requirements influenced decisions to augment existing controls or adopt new ones, showing the positive effect insurance has on cybersecurity postures. 

Enterprise-wide coordination is a key to effective cybersecurity

As cyber risk management has evolved, it has become clear that cyber hygiene is most effectively practiced with an enterprise-wide perspective and alignment that fosters a shared responsibility. Risk managers, finance professionals, cybersecurity/IT, executive leaders, and other stakeholders will likely gain confidence in the organisation’s cybersecurity posture by being better connected to the broader enterprise. 

However, the involvement of different areas of a company in cyber risk management can still, at times, lack coordination.

For example, our report found that although risk management and insurance professionals tend to be on the team that manages cyber incidents, they are generally absent from discussions of cybersecurity tools and services. Given the increasing scrutiny that underwriters place on cyber controls, it would be a best practice to share the insights from a company’s risk managers and insurance professionals with those involved with other aspects of cybersecurity.

Adopting a best practices approach to cyber risk management involves an enterprise-wide commitment to share responsibility. This means coordinated investments and engagements in a broad, balanced, and continuously updated array of resources and activities to mitigate cyber risks and reinforce cyber resilience, including: 

  • Cybersecurity technology and talent.
  • Incident response training and penetration testing.
  • Vendor/supply chain risk assessments.
  • Cyber insurance.
  • Cyber risk advisory services.

Organisations in the Middle East & Africa should take the appropriate action and proactively build their cyber resilience program, including risk transfer.