Hackers often target companies, and when the criminals succeed, organisations risk losing money and customer data. Firms also risk losing customer and shareholder trust when a cyber incident occurs.
By Michael Akuchie
In 2024, four Nigerian banks and three companies were fined a combined total of ₦400 million for failing to prevent a series of data breaches that affected them. The government was able to demand fines from the firms thanks to the National Data Protection Law, which was signed into law in 2023. The policy allows the regulator to fine businesses that fail to safeguard customers’ personal data.
For those unaware, a data breach refers to a security incident whereby a person or a group gains access to a company’s sensitive data without any prior authorisation. In this context, the data can include customer data such as bank account numbers and healthcare information. It can also refer to company information such as payroll records and intellectual property.
Hackers often target companies, and when the criminals succeed, organisations risk losing money and customer data. Firms also risk losing customer and shareholder trust when a cyber incident occurs.
If a company repeatedly makes headlines for being a victim of data breaches, its stock value can plummet, bringing it closer to bankruptcy. To avoid this, businesses should consider exploring new methods of protecting customer data and other sensitive information from hackers.
One of the most innovative ways to do this is to purchase a cyber insurance plan. Fortinet defines cyber insurance as “a product that enables businesses to mitigate the risk of cybercrime activity such as data breaches and cyber attacks”. It is a great safeguard for companies, especially as traditional business insurance plans rarely offer any coverage for cyber incidents.
Although Africa is playing catch-up with the rest of the world, particularly North America and Europe, in terms of technological advancements, the continent’s relative newness to the scene has not stopped hackers from targeting companies.
Through social engineering tactics like phishing, cybercriminals can exploit weaknesses in a company’s defense and gain access. In some instances, hackers steal data and then sell them on the dark web, a secret part of the internet on which illegal activities are said to occur.
Last year, a digital rights group called Paradigm Initiative accused XpressVerify.com, a private website, of monetising the retrieval of lost National Identity Numbers (NINs) for as low as N200. Usually, private websites that are not affiliated with the National Identity Management Commission (NIMC) are not supposed to have access to such sensitive data.
For the greater part of last year, NIMC was repeatedly accused of being a victim of a massive data breach that allowed XpressVerify to exploit the personal identities of hundreds of millions of Nigerians.
Away from Nigeria, the popular South African retail bank, African Bank, in April 2021, announced that one of its partners, a debt recovery company called Debt-IN, had been affected by a ransomware attack. A ransomware attack is a kind of cyber attack whereby a company is unable to access files stored on its computer or server.
Usually, these files become encrypted by an outsider like a hacker. Companies are then contacted by the hacker who will require a certain amount to be paid before the files can be decrypted. Think of it as a kidnapping, but instead of humans, data becomes the hostage. In the case of the South African debt recovery company, a sizable portion of customers’ personal information was compromised by cybercriminals.
In 2024, ransom payments from companies amounted to $813 million, a sky-high figure that spotlights the devastating effects of cyber attacks.
For companies unsure about the benefits of a cyber insurance policy, this section provides useful insights. Businesses often have to comply with the regulatory policies of the country they operate in. One of such policies states that companies are mandated to notify clients and regulators if a data breach occurs.
A cyber insurance plan can help cover the costs of notifying the customers and regulators. It can also come in handy for helping firms procure new hardware in the IT department if the current one develops an irreparable fault.
As the case of the seven Nigerian businesses that were fined ₦400 million shows, data breaches can come with hefty consequences. Fortunately, a cyber insurance plan can cover the costs of fines. When data gets stolen and is most likely headed for sale on the dark web, companies can launch a recovery plan.
This usually includes forensic investigation, data mining, and the actual recovery effort, all of which can be expensive. Provided a firm has an active cyber insurance plan, the policy will cover the costs of data recovery.
Ransom payments remain a thorn in the flesh of corporations across the world. In South Africa, the average ransomware payment can set a company back by $975,675 or more depending on the hacker. It is worth mentioning that every company can fork out almost a million dollars or more to regain access to encrypted files.
As such, a chunk of personal data eventually ends up on the dark web where competitors can purchase them. Companies with a cyber insurance plan will not need to worry about ransomware payments as they are usually covered.
While cyber insurance has several advantages, many companies are reluctant to adopt this plan. Per the findings of a Sophos survey of 3,000 IT professionals across 14 countries, South Africa (98%) had the highest adoption rate while Italy had the lowest policy take-up (39%). Most times, companies are ignorant of cyber insurance, especially its importance.
In some instances, some businesses who are aware may view the plan as overly expensive. This is usually the case for businesses like startups that rely on internal funding due to s failure to attract venture capitalists. Businesses that bootstrap themselves may rarely see a cyber insurance plan as a must-have, especially when funds are limited.
To combat the issue of awareness, insurance companies that offer cyber insurance should conduct frequent sensitisation programs about the plan’s benefits. Additionally, businesses can compare the plans of multiple insurers and decide based on cost and number of incidents covered. They should also conduct regular cybersecurity audits to expose vulnerabilities in their network and address them accordingly.
Hackers are known to be persistent and innovative in their approaches. Companies that get targeted risk losing customer support and money in the process. To prevent an ugly event, firms must accept cyber insurance as a meaningful investment and set aside funds to buy a plan. Nobody knows when the next ransomware attack or data breach will occur. As such, it pays to have a shield that can withstand the financial impact of a cyber incident no matter the magnitude.
Michael Akuchie is a tech journalist with five years of experience covering cybersecurity, AI, automotive trends, and startups. He reads human-angle stories in his spare time. He’s on X (fka Twitter) as @Michael_Akuchie & michael_akuchie on Instagram.