Open Letter to Bawumia on cyber insurance as part of the cybersecurity strategy
It is an honour to have such a hardworking leader who is very well well informed about the technological development and trends in the world.
Your push for digitisation in Ghana is commendable, Sir. Kindly let me share this quote from John Q. Adams, which says: “If your actions inspire others to dream more, learn more, do more and become more, you are a leader”.
This is to simply draw your attention to the fact that most people are happy with you pushing the digitisation agenda in Ghana – and this also places a huge task on you to do more by looking at the bigger picture. With this, I would like to draw your attention to the risks associated with digitization; which include environmental risk, operational risk, third party liability risk, etc.
I am very much aware of the new Cyber Security Authority Act. This is in the right direction. The only thing we need to consider going forward is cyber-risk insurance. This is not going to be a replacement for cybersecurity but part of the measure to contain the residual risk from cyber-attacks, and this should be part of the whole cybersecurity plan or strategy.
As the global economy becomes increasingly dependent on information technology (IT) systems and digital networks, cyber-risk has become a great threat. Global annual losses caused by cybercrime have been estimated as high as US$445billion (McAfee 2014). According to the World Economic Forum (WEF 2014), there is a 10% probability of a critical information infrastructure breakdown within the next 10 years that might cost about US$250 billion. In response, insurance companies have started to develop policies to protect against those emerging risks.
We are much aware that various central banks around the world are looking into the possibility of an e-currency or digital version of their physical currency. Our BoG has also announced the possible introduction of an e-cedi shortly. This creates a risk exposure in terms of cyber.
Whenever we talk about compulsory insurance, it is a means to protect the vulnerable in society. Cyber-risks will have a great impact on third parties who have given out their private information to institutions, and also small and medium enterprises that do not have the financial capacity to protect themselves against these cyber-risks.
Cybersecurity, as noted by many experts and also the World Economic Forum (WEF), is too big a job for governments or businesses to handle alone. This makes a Cyber Insurance Plan a must for all companies that store customers’ data!
Among the threats to our cyberspace, according to the World Economic Forum (WEF), is the danger of digital mistrust – which has the potential of hindering full cooperation from many people, hence limiting the potential benefits to us. To reassure all stakeholders in the digital space, there is a need for a robust cyber-insurance market.
Robust cyber-insurance markets can promote the public good by reducing the country’s vulnerability to cyber-attacks, and by limiting the need for government support in the wake of such attacks. Moreover, governments play an important direct role in the cybersecurity ecosystem, as they face unique cybersecurity vulnerabilities; and, in some cases make active affirmative use of cyber-attacks. Given these realities, governments have both a clear interest in promoting more robust cyber-insurance markets and the potential technical means to help do so.
Currently, the infrastructure, users and services offered in information systems and networks encounter a wide variety of cyber-risks caused by different threats: such as distributed denial of service attacks, persistent threats from insiders, worms and viruses. A typical and effective approach to control these risks is self-protection. Self-protection is a cyber-defence strategy that combines both technical and operational methods to secure the users’ systems directly and reduce the likelihood of losses.
However, this approach often fails to achieve the expected perfect/near-perfect protection owing to some inevitable obstacles. As another effective method of mitigating these risks, cyber-insurance has drawn increasing attention recently.
It is generally recognised that a cyber-defence strategy is incomplete if it defends cyber-attacks by combining only technical and operational/procedural means. Instead, a complete cyber-defence strategy should include cyber-risk management to control security risks in information systems and networks. In general, cyber-insurance is introduced as a suitable network risk management technique to eliminate risks owing to security threats. Cyber-insurance refers to insurance contracts designed to mitigate liability issues, property loss and theft, data damage, income loss from network outages and computer failures, Website defacement, and cyber-extortion.
The Role of Government
“We have a major stake in shaping the digital revolution that’s happening around us, and making sure that it serves our people, protects our interests, boosts our competitiveness and upholds our values,” said Secretary of State Antony Blinken. “We want to prevent cyberattacks that put our people, our networks, companies and critical infrastructure at risk.
“There are, as with any good plan, a few pillars – five of them,” Blinken said. “We will build our capacity and expertise in the areas that will be critical to our national security in the years ahead; particularly climate, global health, cybersecurity in emerging technologies, economics and multilateral diplomacy.”
The subsequent establishment of the Cyber Security Authority demonstrates Ghana’s commitment to the protection of critical information infrastructure and the need to prevent, manage, and respond to cybersecurity crimes and threats, and foster Ghana’s growing digital economy. Ransomware targetting private industry is a growing threat to the global economy, including Ghana and the United States. As more businesses moved online during the last year and a half, so did criminals. We must remind ourselves that criminals and their online techniques have no borders, and they have no morals. Without robust cybersecurity, cybercriminals also have no limits to the effects they can have on Ghana’s economy as they target businesses, government and individuals.
For President Biden, cybersecurity is a top priority and essential to national and economic security. We know our allies and partners are a tremendous source of strength and advantage in the continuing fight against cybercriminals. We look forward to our continuing and collaborative relationship between the United States and Ghana (U.S. Embassy in Ghana).
President Nana Addo Dankwa Akufo-Addo has launched a National Security Strategy blueprint to enable stakeholders in the security sphere to deal effectively with existing, new, and emerging threats to the country. “The National Security Strategy also aims to establish Ghana as a land of opportunities, with the resolve and the capability to protect her people, her culture and her values, to spur growth, development, and prosperity that acccrues to the well-being of her people, while positioning the country to play a meaningful and influential role at regional, continental and global levels,” he said.
This is the main reason why cyber-risk insurance should be considered. Cyber-risk is a national security threat as indicated by the UN Security Council. If government has the appetite to protect the people and national resources, then the residual risks should be transferred after the cyber-risk security measures through cyber-risk insurance. Cyber-risk insurance is not a replacement for cybersecurity, but rather a continuation of the process to cater to the residual risks.
What is the role of government in cyber risk insurance? Cybersecurity, as noted by many experts and also the World Economic Forum (WEF), is too big a job for governments or businesses to handle alone. And in agreement with WEF’s publication in 2021, a good place to start is getting a coalition of private sector players to share possible cyber-threat information and come up with standard solutions.
To reassure all stakeholders in the digital space, there is a need for a robust cyber-insurance market. An introduction to a panel discussion during a recent event considering the Role of Government in Fostering Cyber Insurance Markets goes like this: “Robust cyber-insurance markets can promote the public good by reducing the country’s vulnerability to cyber-attacks and by limiting the need for government support in the wake of such attacks. Moreover, governments play an important direct role in the cybersecurity ecosystem, as they face unique cybersecurity vulnerabilities; and, in some cases, make active affirmative use of cyber-attacks. Given these realities, governments have both a clear interest in promoting more robust cyber-insurance markets and the potential technical means to help do so’.’
Mr. Thomas Cook Jefferson-Dankwah – a renowned Cyber-Insurance expert who is currently the Executive Director of Hanssen Global UK and Ghana Ltd., a Microsoft Partner Network-Ghana – said in his interview with B&FT newspaper that Insurance companies handle all matters relating to the cyber-risk transfer. It must also be noted that Technology and Insurance Industries go hand in hand to mitigate cyber-risk, which is part of the overall strategy of cybersecurity. And let me add that there is a need for coordination of the cyber-insurance ecosystem.
This is his advice that Cybersecurity and matters arising are high on the agenda for many nations across the world. Most advanced economies are even taking it more seriously than the developing ones. Like the US and rest of the world, Ghana is equally prone to cyber-attacks. The CBNC report revealed not long ago that there have been cyber-attacks on the US government’s software contractor, Solar Winds. This and many such attacks should be a wake-up call for us here in Ghana.
Recently reported by CNBC, President of the United States, Joe Biden, met with CEOs of big tech and insurance firms to discuss cybersecurity issues. The likes of Microsoft and Google have promised to invest billions of dollars in cybersecurity. The discussion of cybersecurity should involve the technology companies, insurance regulator and insurance associations.
Threats in our cyberspace take different forms and happen at various levels in the cyber architecture, therefore we need all hands on board – both private and public sector – in tackling them.
The writer is a Chartered Insurance Practitioner and an Associate of the Chartered Insurance Institute of United Kingdom and also Ghana (ACII-UK, ACIIG).