On the morning of Sunday, April 23, 2023, Kenya’s largest supermarket chain Naivas informed its customers that it had been the victim of a ransomware attack.
The retailer revealed that the intrusion might have compromised some of their data even as Threat Actor, an online criminal group, threatened to publish the stolen customer data in due course.
This ransomware attack had the potential to cause operational, reputational, and legal damage to the retailer if the stolen information were to be published.
The retailer engaged cybersecurity experts to prevent further intrusion and then informed the Office of the Data Protection Commissioner (ODPC) Kenya of the incident.
The Naivas incident highlights the growing threat of cybercrime in Kenya and the urgent need for companies to implement robust cybersecurity measures as cybercriminals become more sophisticated.
Now insurance companies are witnessing rising demand for cyber cover as firms move to shield themselves from the wave of data losses and costly privacy breach litigations.
The insurers say more companies are taking up cyber insurance, also called cyber liability or cyber security insurance, fueled by the hefty data breach penalties since the country enacted the Data Protection Act 2019 to govern how organisations collect, use and disclose personal information.
Increasing data breach penalties have seen firms deepen their focus on cyber third-party coverage, which protects businesses against claims made by third parties, such as customers or business partners who may suffer losses due to data breach or security failure. This cover includes legal fees, regulatory fines, and claims settlements.
The rising profile of cyber insurance has come on the back of the Office of Data Protection Commissioner fining several firms over data privacy breaches.
Some of the firms that have suffered fines this year include WPP Scangroup (Sh1.95 million), Shalina Healthcare Kenya (Sh1.45 million), Miguel Ventures (Sh1.2 million), Grain Industries (Sh1 million), County Assembly of Migori (Sh900,000), Nova Pioneer (Sh950,000), Lintos Academy (Sh750,000), Creditwatch Investment (Sh500,000) and Liquid Intelligent Technologies (Sh500,000), pointing to the multi-million-shilling exposure across different sectors.
Attention on third-party exposure marks a shift from the traditional first-party coverage where firms have been buying cyber security insurance to protect themselves from costs related to data recovery, system recovery, cyber extortion, and business interruption when data breaches occur.
Now firms are going for both first and third-party coverage, giving them comprehensive protection against financial losses and legal liabilities associated with a cyber-attack or data breach.
Britam General Insurance acting CEO James Mbithi said in an emailed response that businesses are becoming more aware of first-party risk exposures, fueling demand for insurance.
“Over the past two years, we have seen a rise in the requests for cyber insurance from a number of sectors, especially IT firms and financial institutions. This is majorly due to the rise in cyber-related risks,” said Mr Mbithi.
“Businesses are becoming more and more aware of the first-party risks exposures on cyber and, therefore, we are seeing requests going beyond the third-party coverage towards getting more coverage on first-party risks like a business interruption and bricking.”
The Association of Kenya Insurers said it is yet to track uptake for this class of insurance but said the rise is expected given increasing use of technology, growing commercial value of personal data, and the operationalisation of data privacy laws.
CIC General Managing Director Fred Ruoro said in an interview that saccos and banks top the list of corporates that have increased interest in cyber insurance as they seek to cut their exposure from attacks on their systems.
“Our cyber insurance takes care of the organisation itself and the liability claims which come from the subsequent loss of data, including legal defense. The penalties from the ODPC have been steep and firms are becoming alert to this exposure,” said Mr Ruoro.
Communications Authority of Kenya data for the quarter ended June 2024 showed the number of cyberattacks targeted at internet users in the country jumped 16.5 percent to 1.1 billion, with system attacks contributing 1.06 billion or 97 percent of the threats, much to the concern of firms. A system attack is an attempt to disable computers, steal data, or use a breached system to launch additional attacks.
“Organisations are increasingly focusing on cyber insurance due to the expense of data breaches and the data privacy laws. The cost of a breach is substantial, and as a result, there is a growing interest among organisations to transfer this risk to insurance companies,” said Michael Ndegwa, head of commercial lines at Sanlam General Insurance Limited in an interview.
“Cyber insurance is most frequently requested by organisations in the financial services and IT sectors, as the implications of successful attacks are weighty.”
Mr Ndegwa added that some organisations are putting in a condition that they can only collaborate or trade with firms that have cyber security insurance. This is part of a risk management strategy to lower the chances of data privacy breaches. Such conditions and the high cost of restoring data in case of any breach are adding to the rising profile of this cover.
Jubilee Allianz General Insurance Kenya said in an emailed response that it has witnessed increased inquiries and expects uptake to follow.
“By and large, businesses are insuring against costs associated with data breach, data restoration, and systems recovery. However, most businesses do not opt for business interruption coverage,” said Sylvester Nzioka, principal officer at Jubilee Allianz General.
The trend in Kenya mirrors what is happening in developed markets such as the US where the evolving regulatory and legal environment has brought an uptick in lawsuits resulting from incidents such as wrongful collection and processing of personal data.
Allianz Commercial Cyber Security Resilience 2024 Report says the value of non-attack cyber claims has tripled in the past two years due to regulatory and legal changes. Non-attack cyber claims refer to claims related to cyber incidents that are not attacks on systems, such as improper data collection and sharing data without user consent.
In the context of turbulent geopolitics and the ever-deepening reliance on digital devices, the global insurer predicts that a potential shutdown of critical infrastructure is likely to become a much more concerning risk for businesses in future.
“We are seeing more data privacy breach claims in the US where there is a growing trend for class action litigation against large US and international corporations related to privacy violations, such as around consent and data usage. The cost of some of these claims can be even larger than a ransomware incident, in the hundreds of millions of dollars, not including the cost of reputational damage,” said Michael Daum, global head of cyber claims at Allianz Commercial.
Cyber insurance looks set to gain more relevance in Africa given the rise in the number of countries passing data privacy laws. As of January this year, 36 out of 55 African countries had data protection laws while another three had draft regulations under consideration, according to Data Protection Africa, an online platform that maps the state of data protection laws and policy in Africa.
Allianz says there has been a rise in data exfiltration, where attackers copy organisations' data and threaten to publish on the dark web.
This means that what typically starts as a ransomware loss escalates into a data privacy event once it is revealed that attackers have stolen personal data.
“This can lead to a large claim involving regulatory fines, notification costs, and potentially third-party litigation, in addition to extortion demands, first party costs, and any potential business interruption from the ransomware attack,” says Allianz.
Insurers in Kenya are now balancing between taking the risk and ensuring that they do so at an appropriate price. They are, for instance, asking firms, as a minimum, to have risk mitigation measures such as data policies, firewalls, and two-factor authentication.
Underwriters in Kenya are keeping a close eye on what is happening across the continent and globally since it has a bearing on the pricing.
“Due to the rise in cyber-related risks, some of which have materialised into losses, the global cyber insurance and reinsurance market is hardening and may lead to price increases in some instances,” said Mr Mbithi.
However, firms are moving ahead of insurers to try to reduce losses from cyber risks. The string of fines from the office of data protection has, for instance, triggered investment in better systems and a revision of data privacy policies across firms as they seek to lower their exposure.
The revisions are going to impact how businesses relate with others. For instance, banks and insurers in Kenya are now revising their contracts for the bancassurance business—a move that narrows further the room for insurers and banks to share data.
Aggrey Mulumbi, chairperson at Bancassurance Association of Kenya, says the revisions are important to minimise chances of breaches, adding that banks and insurers have taken the data protection issue “very seriously.”
“Data protection officers in most banks are supporting bancassurance intermediaries, and this brings a concern around what a bancassurance intermediary and a bank will have in terms of business alignment with insurance companies. If banks give bancassurance data to insurers and they call the same customers to sell them additional products, banks may end up in legal suits. We are asking for revisions in these contracts,” said Mr Mulumbi.