PowerPoint Presentation - Lagos Chamber of Commerce & Industry

Dealing with the Challenges of Cyber Crime in the Nigerian Economy – The Insurance Solution
By Shola Tinubu (FCIB)
MD/CEO, Scib Nigeria & Co. Ltd.
September 2015
CONTENTS
• Part 1 - Background
  • Global Cyber Liability
  • Definition of Cyber Insurance
• Part 2 - Challenges
• Part 3 - Cyber Risks
  a. Potential Risk Targets
  b. Potential Business Consequences
  c. Potential Legal Consequence
  d. Potential Cost
• Part 4 - Cyber Risk Management
• Part 5 - Regulatory Framework
• Part 6 - The Solution: Cybercrime Insurance
• Questions?
Part 1
Background
Part 1 - Background
Global Cyber Liability
• 864.2 million personal records have been breached in the U.S. since 2005.
• 2.7 billion people in the world are online (approximately 40% of the world’s population).
• Portable devices carrying more than 172 million personally identifiable records were lost or stolen between 2005 and 2014.
• In U.S. Healthcare alone, more than 120,000 people are being notified that their data has been breached every week!
Part 1 - Background (Cont…)
Global Cyber Liability (Cont…)
• More than a third of customers of companies that suffered a data breach no longer did business with the companies in question “because of the breach”
• Cybercrimes are widespread, systemic and insidious
• Cyber crime cost companies $300bn - $1trillion total in 2013
• Average cost of $500,000 and 24 days to identify and resolve an attack
• ~5% drop in share price for public companies
• Value of brand can decline 17-31%, depending on nature and industry
Source: www.aon.com
Part 1 - Background (Cont…)
Saturday Vanguard
EFCC, Nigerians raise alarm on hacking
July 29, 2011, 4:54 pm / Crime Alert
- Fears of massive fraud in the banking and financial sector have been raised by the
Economic and Financial Crimes Commission (EFCC) as Nigerians are alarmed by
renewed upsurge in hacking into their personal computer systems and electronic mail
accounts, using it to attempt defrauding friends and relatives.
- This is coming as the United States approved $130billion to fight hacking and cyber related
crimes, with focus on hacking and cyber crime fraudsters from Nigeria. Washington last week
deported a Nigerian for defrauding 70 law firms through cyber crimes.
- This came as EFCC said that it has received reports of people trying to use electronic means to
divert public funds, perpetuate forgery and fraud.
Source: Vanguard July 29, 2011
Part 1 - Background (Cont…)
Business Day
Nigerian payment cards vulnerable to hackers abroad
November 4, 2014 | Filed under: Exclusive, main story | Author: Ben Uzor
- The failure of some more advanced economies to upgrade to the latest electronic payment card
technologies is causing Nigerian card holders to be vulnerable to hackers when they travel abroad,
BusinessDay has gathered.
- Facts have emerged that hackers in some countries abroad are duplicating Automated Teller
Machine (ATM) cards belonging to Nigerian bank customers who travel to those countries and
conduct payment transactions on their cards.
- The hackers clone the Nigerian cards and use them to purchase items worth millions of dollars
from shopping malls in the US.
Source: Businessday
Part 1 - Background (Cont…)
Definition of Cyber Insurance
Cyber insurance -- also called cyber security insurance, cyber liability insurance, cyber
risk insurance, and data security insurance, among other terms –
What Does the Product Protect Against
• Protection of businesses from Internet-based risks,
• Risks relating to information technology infrastructure and activities.
Exclusion
Risks of this nature are typically excluded from traditional commercial general liability
policies.
Part 1 - Background (Cont…)
What Does Product Cover?
Covers include:
• first-party coverage against losses such as data destruction, extortion, theft,
hacking, and denial of service attacks;
• liability cover indemnifying companies for losses to others caused, for example, by
errors and omissions, failure to safeguard data, or defamation; and
• other benefits including regular security audits, post-incident public relations and
investigative expenses, and criminal reward funds.
Part 2
Challenges
Part 2 - Challenges
• Attacks or security breaches may lead to a variety of business consequences whose impact is very difficult to quantify.
• Lack of historical data is one of the foremost issues faced while determining the premium rate of an insurance policy and deciding on whether to underwrite the risk.
• Lack of standard legal definitions of cyber liability across the globe.
• Lack of systems to alert consumers in a timely manner in the event of a cyber breach.
• Inadequate protection of personally identifiable information held by insurance companies and third parties.
Part 2 – Challenges (cont…)
• Insufficient audits to determine if controls are in place to protect personally identifiable information.
• Inadequate periodic employee training and assessment.
• Lack of implementation of policy by the government.
• High rates of poverty.
• Lack of awareness.
Part 3
Cyber Risks
Part 3 - Cyber Risks
What risks are there in Cyber?
[Diagram labels: Where, Who, What, Financial Impact; Online, Offline; Malicious, Accidental, Internal, External; Technology, Protected Data, Media; Crisis Expense, Extra Expense, Lost Income, Defence Expense, Regulatory Fine, Liability]
Part 3 - Cyber Risks (Cont...)
Who creates cyber risk?
[Pie chart. Categories: Internal Accidental, Internal Malicious, External, Internal Unknown, Unknown. Values shown: 7%, 6%, 17%, 10%, 60%.]
2014 Year to Date (datalossdb.org)
Part 3 - Cyber Risks (Cont...)
Notable Trends in Cybercrime
• Motivation: Huge financial potential is making attackers more sophisticated
• Methods: Attacks are becoming more targeted
• Targets: The workstation (desktop or laptop) and the user is the easiest path into the network
• New wave of Cyber Terrorism
Part 3 - Cyber Risks (Cont...)
Sources of Data Breaches
[Pie chart. Categories: Laptop/Smartphone, Third Party, Paper Records, Insider, Backup, Hacked Systems, Malicious Code, Undisclosed. Values shown: 2%, 5%, 4%, 7%, 9%, 48%, 9%, 16%.]
Part 3 - Cyber Risks (Cont...)
Potential Risk Targets
• Any business handling customer data will, sooner or later, be confronted with the
challenge of a data breach.
• The stakes are high. If customers don’t think the business can be trusted, the future of
the company may be at risk.
• Companies with access to private, confidential information about their customers or
employees have a responsibility for keeping it safe
• Companies who have a web presence have emerging content exposures
• Companies who have a dependency on technology have emerging transactional
exposures
Part 3 - Cyber Risks (Cont...)
Potential Business Consequences
• Harm to business, company valuation, stock price, etc.
• Long-term financial and business damage
• Theft of valuable intellectual property and business plans
• Theft of customer data and funds
• Disruption of critical operations and corporate web sites
• Headline and reputational harm
Part 3 - Cyber Risks (Cont...)
Potential Legal Consequences
• Governmental investigations and sanctions
• Consumer litigation
• Class action lawsuits
• Shareholder derivative demands
• Potential claims against the company
Part 3 - Cyber Risks (Cont...)
Potential Costs
• Financial losses for company
• Financial losses for shareholders
• Brand reputation
Part 4
Cyber Risk Management
Part 4 - Cyber Risk Management
Cyber Risk Management Framework
[Diagram: Reduce Risk to Acceptable Level]
• Assessing Risk
• Reduce Risk of Security Breach through Preventive Technology
• Reduce Financial Risk through Insurance
• Maintain Risk at Acceptable Level
Part 4 - Cyber Risk Management
Scib’s Cyber Risk Management Process
Part 4 - Cyber Risk Management (Cont...)
Cyber Risk Management
[Diagram: Managing the external accidental (aka vendor) cyber risk]
• Your insurance (Cyber, others…?)
• Vendor insurance (Professional Indemnity, Cyber)
• Contractual risk transfer (Scope of indemnity, limit of liability)
• Vendor risk assessment (financial, technical, legal, security, privacy, quality control, compliance)
Part 5
Regulatory Framework
Part 5 - Regulatory Framework
Cybercrime Prohibition, Prevention Act 2015
The Act is segmented into three (3) parts:
i. Part I - Object And Application
ii. Part II - Protection Of Critical National Information Infrastructure
iii. Part III - Offences and Penalties
• The Act, dubbed ‘Cybercrimes Prohibition, Prevention Act’, was signed by former President Goodluck Jonathan on May 15, 2015.
Part 5 - Regulatory Framework (Cont...)
Cybercrime Prohibition, Prevention Act 2015 (Cont…)
Objectives
• The main objective of the Act is to provide an effective and unified legal, regulatory
and institutional framework for the prohibition, prevention, detection, prosecution
and punishment of cybercrimes in Nigeria. It also seeks to ensure the protection of
critical national information infrastructure as well as promoting cyber security and
the protection of computer systems and networks, electronic communications, data
and computer programmes, intellectual property and privacy rights.
Part 5 - Regulatory Framework (Cont...)
Implications of the Cybercrime Prohibition, Prevention Act 2015 to Business Operations
• The Cybercrime Act is a crucial piece of legislation:
- It will encompass stronger obligations around minimum technical and
organizational control as well as prompt failure disclosures.
- The Act provides more power to regulators around imposing financial penalties as
well as subjecting companies to regulatory audits.
- Firms must start preparing early as there are a number of additional administrative
and record keeping obligations that may require fundamental organizational and IT
change and in some cases at significant cost.
Part 5 - Regulatory Framework (Cont...)
New Cybercrime Regulation Impacts
Fines up to N7,000,000.00 or imprisonment for a term
of not less than three years or both fine and
imprisonment in the event of a computer related fraud
and identity theft and impersonation.
Part III under Offences & Penalty, section 6, subsection
3 & 4 of the Cybercrime Prohibition, Prevention Act 2015
Part 6
The Solution: Cybercrime Insurance
Part 6 - The Solution: Cybercrime Insurance
What is Cyber Insurance?
Cyber insurance covers the losses relating to damage to, or loss of information
from, IT systems and networks.
Cyber Insurance also offers coverage for liability that arises out of unauthorized
use of, or unauthorized access to, electronic data or software within a company’s
network or business. In addition, it provides coverage for liability claims for
spreading a virus or malicious code, computer theft, extortion, or any
unintentional act, mistake, error, or omission made by employees while
performing their job.
Part 6 - Scope of Cyber Insurance Coverage (Contd)
Liability Sections (Defense Costs + Damages + Regulator Fines)
• Failure of Network Security
• Failure to Protect/Wrongful Disclosure of Information, including employee information
• Privacy or Security related regulator investigation
• All of the above when committed by an outsourcer
• Wrongful Collection of Information (some policies)
• Media content infringement/defamatory content
First Party Sections (Insured’s Loss)
• Network-related Business Interruption
• System Failure Business Interruption (some policies)
• Dependent Business Interruption (some policies)
• Extra Expense
• Intangible Asset damage
Expense/Service Sections (Expenses Paid to Vendors)
• Crisis Management
• Breach-related Legal Advice
• Forensic Investigation
• Breach Notification
• Call Center
• Credit Monitoring, Identity Monitoring, ID Theft Insurance
• Reputation Damage (some policies)
• Cyber Extortion Payments/Assistance
Part 6 - The Solution: Cybercrime Insurance (Cont...)
Scope of Cyber Insurance Coverage
First Party Response expense reimbursement options include:
• Legal & Forensic Services
• Crisis Management/Public Relations
• Notification and Remediation Expenses
• Business Interruption and Additional Expense
• Computer Program and Electronic Data Restoration
• Computer Fraud
• Funds Transfer Fraud
• Telecommunications Theft
Part 6 - The Solution: Cybercrime Insurance (Cont...)
Scope of Cyber Insurance Coverage
Third Party Defense & Liability expenses (including defense costs)
• Data security breaches can take many forms and do not necessarily lead to any direct
consumer injury like identity theft. However, you will likely need to defend against
individual and/or class action lawsuits anyway.
• Your policy will provide defense and pay liability judgments against you up to the limit
of insurance you select.
• In addition, you will have access to a proprietary breach preparedness web site with pre
and post-breach services and resources.
Part 6 - The Solution: Cybercrime Insurance (Cont...)
Your Standard Policies Probably Don’t Work
Professional Indemnity:
- Unauthorized access exclusions.
- Requires negligence in provision of defined business activities.
- Generally no cover for information commissioner regulatory actions
Property Insurance:
Denial-of-Service attacks do not constitute ‘physical perils’ and do not damage ‘tangible property’
Common Hurdles:
- Intentional acts and insured vs. insured issues.
- No coverage for crisis expenses required by law or to protect reputation.
General Liability Insurance
General Liability coverage is limited to ‘publication or utterance’ resulting in one of traditional privacy torts.
“Publication” resulting from hacking is not an act of the insured
Fidelity Guarantee Coverage
- This covers loss as a result of the dishonesty of staff resulting in the loss of money, securities, or tangible property.
Part 6 - The Solution: Cybercrime Insurance (Cont...)
Cyber Insurability Analysis
[Chart label: Professional Indemnity]
Part 6 - The Solution: Cybercrime Insurance (Cont...)
Who needs Cyber Insurance?
• Everybody that has phones with personal or corporate data.
• Every organization that receives and sends email.
• Companies who host, store, share or transmit proprietary & confidential data
• Companies who transact business and generate revenues from the Internet
• Companies whose business operations would be impacted by a service disruption
• Companies who outsource storage, processing or sharing of confidential information with third party service providers
• Companies who publish electronic content
• Companies whose high profile increases the probability of extortion
Part 6 - The Solution: Cybercrime Insurance (Cont...)
Who needs Cyber Insurance? (Contd)
It can happen to anyone…
• The culprit is often someone close to your business: A surprisingly large proportion of
data breaches are carried out by insiders—over half by some estimates
• Size doesn’t matter: Half of the potential companies that suffer data breaches have very
few employees
• The perpetrator could live halfway around the globe.
• Any company can be hit: Retailers, health care institutions, manufacturers, professional
service providers, media and entertainment companies, and financial institutions are
likely to be targeted
• A breach can result from a simple mistake: e.g. An employee misplaces a laptop or
Blackberry, or leaves it in an unsecured location, such as an unlocked car
Part 6 - The Solution: Cybercrime Insurance (Cont...)
What is the cost of the cover?
A good starting point is to determine what exposure the company has, what types of
incidents you want cover for, and for what limit. The company should state both its
own costs (known as first-party costs) and the costs that others may attempt to claim
from it as a result of the incident (known as third-party costs).
Depending on the nature of the risks, premium rates can range from 1% to 6.0% of
the limits covered.
The Solution: Cybercrime Insurance (Cont...)
Risk Assessment Parameter
[Diagram labels: Risk Tolerance, Loss Modeling, Peer Purchasing Data, Budget, Scope of Coverage/Control, Contractual Requirements, Insurable Risks, Market Limitations, Optimal Program]
How can Scib facilitate the cover?
Scib approach
Strategic Meetings / Discussion
Scib will take a collaborative approach with prospective client to identify and analyze
exposures, risk and potential insurance including proposed structures, or alternative
solutions
Submission Development
Scib will work with prospective clients to obtain relevant, necessary and favorable
underwriting information to present to markets
Scib approach (Cont…)
Marketplace Leverage
Scib will put our vast knowledge of market conditions and trends to work on behalf
of each prospective client, negotiating favorable terms and conditions with top tier
carriers.
Strategic Negotiations and Placement
Scib will utilize proven and sophisticated negotiation strategies to finalize placements
that meet collaboratively established goals. Throughout the process Scib advises on
Cyber risk management best practices and provides frequent thought leadership and
guidance on emerging exposures and coverage issues
Our Vision and Mission
Our Vision
• To Be The No.1 Risks Solutions Provider Of Choice.
Our Mission
• Pursuit of Excellence in the Provision of Risks Solutions of a Global Standard using Innovation
Who We Are
• Established July 1978.
• Joint Venture between F.I.M Consultants Ltd. & Standard Chartered Insurance Brokers Ltd. UK*
• Post Standard Chartered Bank’s Divestment – Sedgwick remains a Shareholder and Technical Partner ……….SCIB
Today
• Scib is ranked No. 1 of 500 plus registered brokers in Nigeria.
• Staff Strength of 75. Highly experienced and motivated.
- Additional 55 comprising Consultants and other support staff.
• Multi-disciplinary team comprising Lawyers, Chartered Accountants, Chartered Insurance Practitioners and others with background in Actuarial Science, Engineering and Economics.
• Head Office in Lagos:
- Head Office Annex in Lagos
- Regional offices in Ibadan, Port Harcourt, Kaduna & Abuja.
- Branch office in Kaduna
International Affiliation
• Scib is the Network Correspondent for Aon in Nigeria.
• Aon is the Largest Insurance broking company in the world with over 500 offices in more than 120 countries.
www.aon.com
Aon has a leadership position in relation to financial institutions.
1. 100% of the top 10 global insurers
2. 94% of the top 50 global banks
3. 60% of the top 10 asset managers
This gives Scib a Global Access.
[Diagram: Global Reach. Aon: No. 1 Insurance Broker in the World, 500 Offices, 120 Countries. Scib: No. 1 Insurance Broker in Nigeria.]
WHERE WE ARE

NORTHERN REGIONAL OFFICE - ABUJA
Suite 20 & 21 Yashua Plaza (Behind AP Plaza)
1046 Adetokunbo Ademola Crescent
Wuse II – Abuja.
Mobile number: 08023143111
Tel. 09-6710628
E-mail: abuja@scibng.com

KADUNA BRANCH OFFICE
Turaki Ali House (1st Floor)
3 Kanta Road
P.O. Box 8741
Kaduna.
Mobile number: 08023143111
Tel/Fax: 062-241567
E-mail: kaduna@scibng.com

WESTERN REGIONAL OFFICE - IBADAN
Arit of Africa House (1st Floor)
14 SanusiAkere Street
Oluyole Estate
Ibadan.
Mobile number: 08085852816
Tel/fax: 02-2414154
E-mail: ibadan@scibng.com

EASTERN REGIONAL OFFICE - PORT HARCOURT
UPDC Building
26 Aba Road
Port Harcourt
Rivers State
Mobile number: 08028399355
Tel: 084-770888; 084-575499
E-mail: portharcourt@scibng.com

HEAD OFFICE
66 Adeniran Ogunsanya Street.
Surulere
P.O. Box 1782
Lagos
Mobile number: 08081007745
Tel: 01-2710030-4,
Fax: 01-2710035
E-mail: scib@scibng.com

HEAD OFFICE ANNEX
Custodian House
16A, Commercial Avenue (2nd Floor)
Sabo-Yaba, Lagos
Mobile number: 08085852816
Telephone: 2704920 - 3,
Email: scib@scibng.com
Why Use A Broker?
• Assessment of client risk profile.
• Prompt Claims processing and management
• Advice on cover required by client.
• Technical advice and advice on market developments.
• Selection and recommendation of insurer.
• Detailed knowledge of the market, insurers, products/policies and practices.
• Risk management
Why Use Scib?
• Prompt Claims processing and management
• Assessment of your risk exposure profile.
• Advice on cover required.
• Technical advice and advice on market developments.
• Selection and recommendation of insurers
• Detailed knowledge of the local and international market, insurers, products/policies and practices.
• Risk management
• Global Knowledge
• Global reach
Our Key Differentiating Factors
• Specialized unit to handle financial institutions
• People/Professionalism (Technical Competence)
• High Ethical Standards
• Leverage
• Integrity
• Service
• Experience
Contact Person
G. A. Olanbiwoninu
Senior Manager
He has been in the field of marketing since 1995
Specialty: Business Development and Marketing
Tel: 234 01 271 0030-4
D/L: 234 808 100 7745
Email: gboyega.olanbiwoninu@scibng.com
Questions?
Quote
Locks Keep Out only the Honest
Jewish Proverb
Thank You !