The Necessity For Cyber Insurance In Nigeria -By Oyetola Muyiwa Atoyebi & John Oladipo

INTRODUCTION

In recent years, cutting-edge technological trends have evolved, and are affecting practically every industry, by allowing large and small businesses, as well as individuals, to work effortlessly, create optimal results in the shortest possible time and aid in data management, among other things. On the other hand, the rise of the technology sector has also brought with it, a corresponding increase in Cybersecurity issues.

The year 2011 witnessed a major breach in the game console industry, as Sony’s PlayStation Network was attacked by cybercriminals. This attack led to the breach of personally identifiable information of 77 million PlayStation user accounts, and prevented the users’ access to the PlayStation service to retrieve, alter or delete their data. This lasted for 23 days and Sony incurred over $171 million in costs, related to the breach[2]. Zurich American Insurance Co., the Insurance company retained by Sony Corporation of America and Sony Computer Entertainment America (‘Sony’), did not bear liability because Sony’s deal only includes personal and advertising injury liability coverage, as provided by typical General Liability policies, which are specifically intended to cover resulting bodily injury and property damage liability[3].

Could Sony have done better by insuring the data of the Users?

The emergence of COVID- 19 forced many businesses and organizations to adopt a remote working model. Flowing therefrom, businesses have chosen to develop their online presence, to scale their products and services irrespective of the nature of their businesses, with or without a standard, robust security structure. A recent survey[4] by Sophos Group plc,[5] revealed that 86 per cent of Nigerian companies fell prey to cyberattacks within the past years. The second highest percentage recorded globally after India, and much higher than South Africa with 64 per cent. According to Sophos’ report, Nigeria had the highest percentage of data leakages worldwide in 2021, and ranks in the top five for other forms of attacks: Ransomware, Malware, Crypto-jacking.

This article deals with another layer of security, that can protect businesses from liabilities that may arise, as a result of a breach of the business network infrastructure. 

NATURE OF CYBER INSURANCE

Cyber Insurance also called Cyber Liability Insurance simply means an insurance cover, that safeguards firms/ organizations against financial losses, reputational and brand damage caused by cyber incidents, including data breaches and theft, system hacking, ransomware extortion payments and denial of service[6].  Simply put, it is an insurance cover relating to damage to, or loss of information from, IT systems and networks. It is an essential risk management tool for IT-based companies, and any other company or organization that has access to a lot of personal information, especially sensitive information. This insurance cover is designed to reduce losses from data breaches, network damage, or other cyber interruptions such as hacks that keep systems down, causing loss of revenue and exposure of sensitive information to cybercriminals.

The insurable interest in Cyberspace needs to be carefully determined and appraised. Put differently, in whose interest will insurance be considered, and in the event of any loss, who will be compensated?[7]

Generally, there are two types of Cybersecurity insurance and they are:

First-Party Insurance:  First-party Cyber liability insurance provides financial assistance, to mitigate the impact of data breaches and cyberattacks at your small business. First-party coverage is like commercial property insurance. It covers a company’s damages from cyber losses.

 It covers the costs of:

1. Communicating with affected customers.
2. Providing credit monitoring.
3. Executing PR and reputation management campaigns.
4. Other recovery activities.

Third-Party Insurance: Third-party Cyber liability insurance provides liability protection, in case the insured company makes a mistake that results in a client suffering a data breach or cyberattack. It’s a key policy for tech companies and IT consultants, that could be blamed for errors that led to a breach. Third-party coverage is like general liability insurance. It covers legal expenses that result from a firm being blamed for causing another firm’s/ individual’s cyber losses.

IMPORTANCE OF CYBERSECURITY INSURANCE

Generally, adopting solid Cybersecurity measures is of immense importance today, in any business structure or organization, especially companies that deal with sensitive information or data, owing to cyber-attacks that can lead to mishandling and exposure of sensitive data, revenue loss, among other things. Any organization that stores company and customer databases online, conducts client and customer relationships via a digital link, or relies on online payment portals for monetary transactions, is vulnerable to cybercriminals and should consider Cyber insurance to build a protective mechanism against such attacks. However, it is of utmost importance for both the Insured and the Insurer to consult a seasoned legal practitioner of their choice, in drafting and/or reviewing relevant clauses in the Cyber insurance policy.

Some benefits of Cyber Insurance Include:

1. Business Interruption/Loss Reimbursement: Where a company’s activities are disrupted as a result of cyber-attacks, leading to business interruption. If the company is insured, the insurance will cover the loss of income during the interruption.

1. Digital Asset Replacement Expenses: Any digital asset lost due to a breach by cybercriminals, may be covered under the insurance policy, and this will mitigate the loss that will be incurred by the breach.

1. Cyber Extortion Defense: Cybercriminals have developed malicious software, that can take control of and withhold valuable data from a company until a ransom is paid. The insurance policy may cover the company in the event of an attack by malicious software like Ransomware.

1. Privacy Breach Costs: Cyber insurance protects the company or business from the overall cost of the security fixes, identity theft protection for those impacted by the breach, and protection from the costs of possible legal action.

• Forensic Support And Legal Support: Cyber insurance can also help to cover the cost of forensic and legal support, to ensure that companies will get expert advice needed to determine the extent of the attack, the solutions available and deal with the various repercussions.

While Cyber insurance is beneficial, it does not absolve a corporation of its cybersecurity responsibilities. When a corporation purchases cyber insurance, it undertakes to put in place safeguards to prevent events that could have been avoided in the first place. If no such safeguards are in place, the company’s claims could be denied. Companies should take proactive measures to maintain a solid Cybersecurity posture, such as conducting frequent compliance audits and providing Cybersecurity awareness training to their employees.[8]

CONCLUSION

It is expected that relevant government agencies collaborate with the National Insurance Commission (NAICOM), to develop necessary guidelines that will guide insurance organizations in the issuance of Cyber insurance policies, pursuant to section 7 of the NAICOM Act. In the same vein, NAICOM and other relevant agencies should engage in regulatory discussions beyond the national boundaries, to ensure that the evolving environment of cyber risks and Cyber insurance, are better monitored and evaluated to achieve effective collaborative actions against cybercrimes.

Finally, organizations and firms are reminded that their businesses may be vulnerable to emerging cyber risks, and investing in technological solutions that prevent cybercrimes is the only way of protecting themselves. Hence, Cyber insurance is the appropriate remedy, when there is unexpected access to data by cybercriminals, which may lead to damage and loss of information.

AUTHOR PROFILE                                          

AUTHOR: Oyetola Muyiwa Atoyebi, SAN.

Mr. Oyetola Muyiwa Atoyebi, SAN is the Managing Partner of O. M. Atoyebi, S.A.N & Partners (OMAPLEX Law Firm) where he also doubles as the Team Lead of the Firm’s Emerging Areas of Law Practice.

Mr. Atoyebi has expertise in and a vast knowledge of Telecommunications, Media and Technology Law and this has seen him advise and represent his vast clientele in a myriad of high level transactions.  He holds the honour of being the youngest lawyer in Nigeria’s history to be conferred with the rank of a Senior Advocate of Nigeria.

He can be reached at atoyebi@omaplex.com.ng

CONTRIBUTOR: John Oladipo

John is the head of the Technology Law Team at OMAPLEX Law Firm. He also holds commendable legal expertise in cybersecurity.

He can be reached at john.oladipo@omaplex.com.ng

[1] Rudden, Jennifer. “Cyber Insurance – Statistics and Facts.” Statista (2022) < https://www.statista.com/topics/2445/cyber-insurance/#dossierKeyfigures> accessed 1/03/2022

[2] Tom Philips,’ Five years ago today, Sony admitted the great PSN hack‘,https://www.eurogamer.net/articles/2016-04-26-sony-admitted-the-great-psn-hack-five-years-ago-today ; Date accessed: 11/02/2022

[3] Young Ha ‘N.Y. Court: Zurich Not Obligated to Defend Sony Units in Data Breach Litigation’,  https://www.insurancejournal.com/news/east/2014/03/17/323551.htm, Date Accessed: 11/02/2022; Numra Haroon ‘Is Cyber Insurance Enough to Stop Worrying About Ransomware? (Hint: No)’, https://right-hand.ai/blog/cyber-insurance/ Date accessed: 11/02/2022

[4] https://secure2.sophos.com/en-us/content/state-of-cloud-security, Date accessed: 11/02/2022

[5] Sophos is a worldwide leader in next-generation cybersecurity, protecting more than 500,000 organizations and millions of consumers in more than 150 countries from today’s most advanced cyberthreats. Powered by threat intelligence, AI and machine learning from SophosLabs and SophosAI. Sophos is headquartered in Oxford, U.K. More information is available at www.sophos.com.

[6] Whitney Vandiver, ‘Cybersecurity Insurance: What It Is, Which Businesses Need It’, https://www.nerdwallet.com/article/small-business/cybersecurity-insurance Date accessed: 16/02/2022

[7]  Ekerete Olawoye Gam-Ikon , ‘ Cyber Insurance – Its Relevance in the Emergent Cyber Ecosystem  ‘, https://www.proshareng.com/news/Insurance/Cyber-Insurance—Its-Relevance-in-the-Emergent-Cyber-Ecosystem/55429 ,Date accessed: 18/02/2022

[8] Ellen Zhangon, ‘ What is Cyber Insurance and Why Does Your Business Need It?  ‘, https://zeguro.com/blog/what-is-cyber-insurance-and-why-does-your-business-need-it , date accessed: 19/02/2022