ODIMEGWU ONWUMERE examines in this report that despite the growing concern about cyber security, Nigeria still lags far behind the rest of the world when it comes to enforcing privacy and security laws for businesses. Similarly, the attack’s persistence and widespread nature affect small, medium, and large businesses. The article traces that less than 10% of underwriters offer cyber-insurance policies through international brokers. It, therefore, calls on stakeholders and regulators to swiftly establish a regulatory framework to domesticate cyber-insurance in Nigeria in order to necessitate the use of reinsurance, which will facilitate the expansion of cyber-insurance businesses in the country
While addressing the attendees of a two-day symposium on internet governance and cyberspace security in Abuja, the Nigerian Communications Commission (NCC) claimed that it was collaborating with the Alliance-Africa Attorney General (AGA) to create a standard cyber insurance policy for internet governance.
By 2026, the global market for cyber-insurance will be worth over $28 billion, according to Fitch Ratings. An industry stakeholder, Allianz Nigeria, reported that only 51% of Nigerian businesses are confident in the ability of their security team to act. In addition, since the COVID-19 pandemic began in 2020, 71% of businesses have reported an increase in the threat of data breaches, with financial institutions bearing the brunt of each attack.
The source stated, “Cyberfraud causes annual losses of over 127 billion dollars, or about 10% of Nigeria’s GDP, and cyber insurance will not cover any of those losses.” Given Nigeria’s growing number of tech startups and establishments, experts wonder if Nigerian businesspeople are well-positioned to profit from data-targeting cyberattacks. On August 6, 2020, Allianz Nigeria hosted an interactive webinar titled “The Ever-Increasing Impact of Cyber Attacks” with four industry experts to educate business owners on how to safely mitigate these risks and raise awareness of the issue.
Professionals lamented that the Federal Government had its fair share of cybercrimes when an anonymous Internet hacker group known as “NaijaCyberHacktivists” hacked the websites of the National Poverty Eradication Programme and the Niger Delta Development Commission in 2011. The website of the Economic and Financial Crimes Commission was also the target of an attack in 2013. In the Nigerian Electronic Fraud Forum’s 2016 Annual Report, 19,531 instances of bank fraud were documented. Traditional channels recorded the lowest number. In addition, it stated that electronic payment fraud results in annual losses of $2.19 billion.
The experts say that these kinds of risks are usually not covered by traditional commercial general liability policies, or at least they aren’t specifically defined in them. Most people believe that big businesses like banks only need cybersecurity insurance. However, the source continued by stating that any electronic information that is stored on one’s personal devices—such as name, email address, phone number, financial records, medical records, payment information, government documents, and so on—can be hacked quickly and easily by a skilled hacker.
“Cyber insurance does not cover everything, despite its potential for comprehensiveness. When compared to the actual risk, cyber insurance is still insufficient. As a result, not all forms of cyber risk are covered by insurance. A cyberattack’s potential financial loss of intellectual property or reputational harm to a business is not covered by cyber insurance. It does not cover the possibility of future profits being lost, and it also does not permit you to upgrade your internal technology or security systems. For instance, despite the fact that cyber insurance may cover the costs associated with dealing with the immediate consequences of a cyberattack, the business may ultimately lose customers as a result of public perceptions of inadequate cyber security. A cyber insurance policy will not cover the costs of losing customers as a result of a cyberattack,” the source stated.
According to findings, despite the growing concern about cyber security, Nigeria still lags far behind the rest of the world when it comes to enforcing privacy and security laws for businesses. Similarly, the attack’s persistence and widespread nature affect small, medium, and large businesses.
In the 2019 Verizon Data Breach Investigation Report, 43% of online attacks target small businesses. As a result, cyber insurance is becoming more and more important as the costs of cybersecurity to limit a company’s exposure and liabilities rise. Even though data suggests that the Insurance Act of 2003 (the “Act”) does not mention cyber insurance, a closer look at the law reveals that the creation of such a policy is not explicitly prohibited.
The statement goes further, pointing out that an insurer “may be authorized to transact any new category of miscellaneous insurance business,” as stated in Section 2(5) of the Act. In a similar manner, the Act’s Section 16 offers a framework for the approval of new products.
In a similar vein, the risk-based cybersecurity framework developed by the Central Bank of Nigeria stipulated that the security assurance program for Payment Service Providers should take into account cyber-insurance coverage. A Proposition for Cyber Insurance, it was discovered that, since the virus began, 71% of security professionals had reported an increase in security threats or attacks.
Phishing (55 percent), malicious websites (32 percent), malware (28 percent), and ransomware (19 percent) are among the cyber-risk trends that are most likely to affect businesses, investigation revealed. The need for organizations to focus on cyber resilience rather than just cyber security was one of the other points of emphasis made by the speakers.
This requires combining strategies for business continuity and information security. To put it another way, an organization’s cyber resilience is its capacity to withstand failures or attacks and quickly return to normal operations.
In light of this, Mr. Uzodinma Ibe of Casualty & Liability Underwriting, General Insurance, stated that because more and more businesses are connecting to the internet and the internet is part of their day-to-day operations, insurance protection against cyber attacks is necessary.
Leadway Assurance, a major insurer in Nigeria, was worried that individuals, businesses, religious groups, and institutions should take the necessary insurance measures to safeguard their computer networks and databases from cyber attacks.
This was emphasized about two years ago at a Leadway Assurance virtual training workshop on “Understanding Cyber Insurance.” Industry experts are worried that there isn’t a good operational insurance company that can protect businesses from risks related to information technology.
Either a lack of understanding and awareness of the product or a lack of incentive for insurance providers to offer cyber insurance products for the Nigerian market account for the lack of growth in Nigeria, they say. Also, the Insurance Act of 2004 does not explicitly allow for it, but a careful reading of the law does not explicitly forbid the creation of such a policy.
“May be authorized to transact any new category of miscellaneous insurance business if he shows evidence of adequate reinsurance arrangements in respect of that category of insurance business, requisite capital where necessary, and other conditions as may be required from time to time,” states Section 2(5) of the Act 3.
Mr. Raymond Akalonu, Head of Enterprise Risk Management and Compliance at FBN Insurance Limited, mentioned that the country’s cyber-insurance policy was written by international brokers. He claims that domesticating cyber-insurance in the country will necessitate the use of reinsurance.
According to Mr. Temitope Adaramola, Assistant Executive Secretary of the Nigerian Council of Registered Insurance Brokers, less than 10% of underwriters were offering cyber-insurance policies through international brokers. In order to fill this gap, stakeholders and regulators must act quickly to create a regulatory framework that makes it easier for cyber-insurance companies to expand in Nigeria.
But Leadway claims that their Cyber Enterprise Risk Management Insurance policies aim to assist any organization in mitigating risk exposure for certain recovery-related costs and expenses. Mr. Ibe explained that Leadway Cyber Insurance provides organizations with first-party and third-party liability risk coverage against cyberattacks. Sources showed that he did not specify who is being covered or who is being indemnified.
It was observed that in the event of a data breach or compromise, the policyholder—the individual or business that purchases the insurance—covers the costs of a private investigation to inform a number of customers about the breach. Companies are protected from losses incurred by others as a result of third-party liability coverage, such as defamation, failure to safeguard data, and errors and omissions; in addition to regular security audits, post-incident expenses for public relations and investigation, and funds for criminal reward. This was because the Global Threat Impact Index 2017 ranked Nigeria, along with four other African nations, among the nations with the highest risk of cyber attacks worldwide.
Checks revealed that due to a lack of awareness and underwriting experience, a lack of industry data on cybercrime and related losses, the unpredictability of cyber risks, and the high correlation of one type of cyber risk with another, among other factors, experts argue that the cost of a cyber-insurance policy will depend on a variety of different factors, including the size of the business and its annual revenue.
This is a new phenomenon in the country. The business’s industry, the kind of data it typically deals with, and the network’s overall security may also be important considerations, they say. A cyber-insurance policy from a company with a good reputation for security will almost certainly cost more to cover than one from a company with a history of being hacked or having a data breach.
On the other hand, it is thought that digitalization is gradually replacing manual services in every industry, including Nigeria’s government parastatals. Work related to cyber insurance could also be a gold mine for insurance industry professionals. By collaborating with foreign insurance companies with extensive cyber insurance experience to offer a variety of products, Nigerian insurance brokers could take advantage of these opportunities.
Against this backdrop, the National Insurance Commission (NAICOM) held a sensitization workshop on the enforcement of compulsory insurance in at least the Federal Capital Territory (FCT) in June 2022 in order to deepen insurance penetration in Nigeria as a pilot program. Because many Nigerians are reluctant to purchase insurance unless forced to do so, the security agents who make up the Joint Task Force were integral to the enforcement.
The workshop’s purpose, according to NAICOM spokesperson Rasaq Salami, was to educate Task Force members about the law’s requirements for compulsory insurances and the enforcement strategies of the Task Force Committee. Experts believe that insurances are required by law.
Unit Head of Reinsurance at Allianz Nigeria Insurance Plc., Aima Higo, said that understanding cyber security is the first step in protecting oneself and the people with whom they interact in a connected world, emphasizing that risks can only be reduced to an acceptable level through the implementation of a set of measures and the acquisition of cyber insurance, even though there is no such thing as total cyber security.
Industry pundits say insurance is the best way to help reduce losses caused by cyber risks, so financial institutions, in particular, need to learn cyber resilience, evaluate how quickly they can return to operational mode following a cyberattack, and, most importantly, transfer risks.
They went further to say that over the course of time, the number of cyberattacks will continue to rise, and all that is required for an operational entity to suffer detrimental exposure to data privacy and information is a weak or vulnerable area.
Regardless of whether the pandemic is over, they say that organizational cultures must emphasize the need for a cyber-security management system and incorporate cyber insurance into their strategic objectives.
Onwumere contributed this piece from Port Harcourt.