By Lydia Kayonde
In a world where computers are critical to many aspects of doing business, a new set of risks must be managed. The dependence on computers means cyber risk is becoming increasingly prominent, presenting a level of threat similar to that of physical security issues. However, the insurance industry is responding by providing solutions designed to help counteract data leaks, interruptions to information technology systems, financial losses flowing from cyber breaches, and even reputation management services to limit adverse press.
The spate of data breaches which are reported around the world attest to the significance of cyber breaches. High profile stories demonstrate the impact made by hackers who compromise information, causing losses which can run into millions of dollars. Data compromises can also impact individuals: credit card numbers, medical records, birth dates, ID/passport numbers and other personal information can be used by hackers for identity theft or to steal money.
There is also the risk of intellectual property theft; such information, if illegally accessed, that can be used by competitors or extortionists to the detriment of the rightful owner.
The nature of business today means just about every company will routinely handle sensitive information. Should this information be compromised, the consequences can be severe, as demonstrated in recent examples.
• When nearly 5 million records were breached at the USA’s Department of Defense health care program, the cost of remediation ran to millions of dollars.
• EBay was forced to ask users to change their password after a major cyber attack potentially exposed details of its 233 million customers.
• Retailer Target’s CEO Gregg Steinhafel stepped down as a result of a data breach which exposed up to 110 million customer details.
Given the reality of cyber-risks, it is necessary for organizations to put in place insurance policies to protect themselves against the consequences of a breach. Notably, regular insurance policies do not necessarily cover cyber breaches. Instead, specific cover is necessary, particularly to address the wide-ranging consequences which can follow an attack; financial loss is just one aspect, with others including reputational damage, the necessity for remediation of information systems, and the resolution of any liability issues which may arise in the wake of a hack.
Comprehensive cyber insurance provides organizations with a cost effective way of mitigating against data breaches. As a condition of the insurance policy, client companies are required to have a demonstrable level of IT security systems in place, so the process of purchasing a cyber insurance policy itself contributes to an improved security stance (and, therefore, diminished risk)
Uganda Turns to Citibank After Years of SGR Delays Over FinancingCybercrime and Ugandan business
Like in any other country, businesses in Uganda have to be aware that cyber-risks are not limited by borders. The nature of the internet means hacks and attacks can (and do) come from anywhere in the world – and, yet, local businesses are generally not ready for it.
The Constitution provides that it is the right of every citizen to have privacy of their personal communication and correspondences. This right is reiterated in the Computer Misuses Act which anticipates some of the risks presented by cyber risk. This Act makes it an offence for businesses to disclose information in their possession to any other person or uses it for purposes other than what the information was collected for. It also makes it an offence to hack and or attach other person’s computers.
Due to the continued risk presented by cyber risks, the Government has unveiled a draft Data Protection and Privacy Bill 2014 to protect the privacy of individuals and their personal data by regulating the collection and processing of personal information. The Bill sets out the obligations of data collectors and processors and will seek to regulate the use or disclosure of personal information, while providing guidance for data controllers and processors to protect the personal data of customers and other individuals.
The above coupled with continued public awareness this could set the stage for individuals whose information is compromised, to seek redress in the courts.
There are therefore at least two good reasons for Ugandan businesses to consider cyber insurance: the first is that the risks are very real, and should a breach occur, the losses can be catastrophic. The second is that the legal obligation for businesses to protect data could give rise to liability claims should they fail to do so.
The good news is that specific insurance policies to cover cyber risk are available, providing appropriate coverage for Ugandan businesses today.
The Author is Manager-Liabilities& Financial Lines at AIG Insurance Uganda
