The Need for the Employment of Cyber Insurance, By Global Corporate Bodies in Mitigating the Unavoidable Risk of Cyberattacks
EFG Ajayi
Published on: 2024-02-17
Abstract
Cyber security insurance, popularly known as cyber insurance, is a recent child of necessity, born of the pervasive and practically unavoidable cyberattacks with which humanity must now live, whether in private life or in official circumstances. Cyberattacks have become an epidemic. No matter how well a company trains its staff or how well it is equipped, no one knows when cybercriminals will strike, because they are always on the prowl. Cyber insurance sits at the intersection of insurance law and privacy and data protection law. Even though cyberattacks are common, the extant legal research and publications reveal that most corporations have not undertaken, and are not preparing to undertake, cyber insurance cover. Cyber insurance is the newest brand of insurance; it has its origin in errors and omissions insurance, a special brand of cover that protects service companies against defects and faults in the services they provide, much as product liability cover protects companies that sell physical products. Cyber insurance has many merits, but its newness and the failure of many corporations to appreciate its inherent benefits account for low adoption and patronage, even in developed, ICT-centric countries. It is because corporate bodies appear apathetic to cyber insurance that this article strongly advocates that companies embrace it and give it the attention it deserves: it is in the best interest of corporations all over the world, and of society as a whole, that the economic and industrial wheels are not brought to a halt.
Keywords
Cybercrimes; Cyberattacks; Global Corporates; Cyber Insurance
Introduction
Generally speaking, no reasonable person wishes for calamities or reversals of fortune that diminish what has already been acquired. Such losses may arise from accidents, fire, burglary, and the like, or from natural causes such as floods, tsunamis, or tornadoes. These events are the desire of no one and are largely beyond human control, yet they are part and parcel of life. Insurance is the means by which provision is made in advance to mitigate the consequences of such losses [1].
In other words, insurance is an instrument that cushions or lessens the effects of losses incidental to life; it provides financial protection against losses arising from the happening of uncertain events. Insurance works on the principle of spreading or sharing risk, such that the person insured is restored, as far as possible, to his original position. This is what is known at law as restitutio in integrum (restoration to the state or condition that existed before) [2].
Conceptually, insurance can be viewed as an umbrella that provides shade in extreme tropical sun or as a protective covering against rain; thus, in adverse climatic conditions, a person with an umbrella is better than others without an umbrella. The analogy being drawn is that a person who is insured is in a better position than a person who is not, in case an uncertain event(s) happens.
A legal definition of insurance is a contract in which one party (the insured) pays a consideration (the premium) in return for which the other party (the insurer) agrees to provide monetary compensation on the happening of specified event(s) or against specified risk(s) [3].
For the contract of insurance to be valid and enforceable at law, it is important that there must be an element of uncertainty about the event insured against, and above all, the insured must have insurable interest [4]. In order to drive home the point being made, in the context of cyber insurance, the insured is the company or corporation that has paid consideration, referred to as a premium, to the insurance company, while the insurance company is the insurer.
From all the foregoing, it is clear that insurance is a promise of compensation for any potential future losses, by which the insurance company pays to the person insured an agreed sum of money under the contract of insurance, with the intent of lessening the adverse consequences of losses.
Cybercrimes
Nowadays, cybercrimes are akin to household names; they are ubiquitous and pervasive in every facet of human life and, in ordinary language, are commonly lumped together as "hacking." Even though cybercrime is a relatively new phenomenon, it has attracted and held world attention because no citizen of the world, whether private or corporate, is immune to it; all persons, irrespective of status or gender, are vulnerable to cybercrime incidents. It is even more worrisome that this vulnerability is, in real terms, almost unavoidable, because humanity is now living in the information age [5].
It is necessary to quickly add that the advent of the Internet, that is, the global information super highway, has exacerbated the menace of cybercrimes because practically almost all of human activities, which include banking, sales and purchases of goods, etc., are now carried out or effected online, a development that has provided ample opportunity and a conducive forum for cybercriminals to perpetrate what they know how to do best, that is, use of the internet as a springboard and/or launchpad for committing unending and serial cybercriminal acts [6].
For clarity of expression and avoidance of doubt, it is important to draw the distinction between a computer crime and a cybercrime. The two terms are often used interchangeably, as though they were one and the same thing, but in actual fact they are similar yet distinct. The two concepts are clarified hereunder.
Computer crimes are criminal acts committed with the use of a computer or a computer system, or directed against one: crimes against the computer hardware, or against the software and data the computer contains. Relevant examples of computer crimes are fraud, embezzlement, unauthorized access to (hacking into) a computer, and financial scams.
On the other hand, cybercrime is a generic term used for the description of two distinct but closely related criminal acts, namely:
- Cyber-dependent
- Cyber-enabled crimes [7].
Cyber-dependent offenses are those that can only be committed by using a computer, computer networks, or other forms of information and communication technology (ICT). These criminal acts include the spreading of viruses as well as other malicious software and distributed denial of service (DDoS) attacks. Cyber-dependent crimes are acts directed against computers or network resources, although there may be secondary outcomes from the attacks, such as fraud.
Cyber-enabled crimes are traditional crimes whose intensity or reach is increased by the use of computers, computer networks, or other forms of ICT; these include, but are not limited to, fraud, such as mass marketing fraud, phishing emails, and other scams; online banking and e-commerce fraud; theft, including theft of personal information and identity-related data; and sexual offenses against adolescents.
On the basis of sovereignty accorded to the nation-member states of the world and, of course, jurisdictional liberties, each country makes its own laws and policies on cybercrimes. In view of this unassailable fact, to date, there is no consensus with regards to one acceptable global definition of cybercrimes to adequately capture all the ingredients of this novel variant of crime under discussion. Be that as it may, one outstanding fact beyond debate is that there is a commonality in all the definitional attempts, and that is that reference is made to the Internet. Bearing in mind the foregoing, cybercrime is defined as a crime committed over the Internet, which might include copyright infringement, defamation, fraud, and hacking [8].
Cybercrime also denotes any criminal or other offense facilitated by or involving the use of electronic communications or information systems, including any device, the Internet, or any one or more of them [9].
In the foregoing paragraphs, an attempt has been made to define cybercrime as a criminal act carried out in cyberspace, and a distinction has been drawn between cybercrimes and computer crimes. At this juncture, the brutal fact must be told: cybercrimes are here to stay; they are a noisome pestilence and technological epidemic that the world must learn to live with, and for which means of management must be sought as urgently as possible. It is very unfortunate that, as solutions are found to the menace of cybercrime, cybercriminals devise newer and more sophisticated means of carrying out their attacks. As a result, global trade and commerce continue to suffer very heavy costs, and global citizens, directly and indirectly, continue to groan in severe pain.
In order to exhibit the dire consequences of cybercrimes, it is on record that, in the year 2021, the cost of cybercrime to the global economy was estimated at USD 787,671 per hour; over a year, this amounts to USD 6,899,997,960, a loss to the world and a profit to cybercriminals. There were on average 97 cybercrime victims per hour, which translates to one victim every 37 seconds. With regard to vulnerability, that is, the average breach density, the UK ranked highest in victims per million internet users, with 4,783, followed by the USA with 1,494. The commonest variants of cybercrime were phishing, ransomware, and personal data breaches [10].
Other highlights of the above study are as follows:
The advent, growth, and continuing development of social media platforms have, of late, provided a veritable avenue for cybercriminals to carry out attacks. Meta, the parent company of Facebook, uncovered over four hundred malicious iOS and Android apps in the preceding year; these apps targeted mobile users with the intent of stealing their login details. In the first quarter of 2022, a total of 9.5 million items violating Facebook's policies were removed, and in the second quarter, 8.2 million [11].
Cybercriminals use social media to find targets for scams, for example, romance scams. In the month of May 2021 in the UK, romance scams cost victims GBP 14.6 million; half of the victims were women, 39% were men, and 11% did not specify their gender [12].
Globally, e-commerce fraud was predicted to cost the retail business sector a sum of USD 48 billion in 2023. Online payment fraud losses were estimated at a cost of USD 343 billion to businesses between 2023 and 2027 [13].
From the same research, it is alarming to note that only 30% of the surveyed companies had cyber insurance, and 69% feared that a successful cyberattack could totally paralyze their small and medium-sized business (SMB) [14].
At this juncture, it is necessary to dwell briefly on the cost of cybercrime in Africa, the continent where cybercrime is most likely to thrive, owing to a general lack of awareness. But first, a brief introduction to the continent is shared below:
Africa is the world's second-largest continent, with 54 countries [15]. It has a land mass of some 30 million square kilometers. Although illiteracy across the continent is estimated at 40%, Africa is proud to be home to one of the oldest universities in the world, the University of Timbuktu, established in 982 CE. With respect to telecommunications facilities, especially the Internet, it is on record that more residents of New York City, USA, have unfettered access to the Internet than the entire African continent [16].
Nigeria, the most populous country in Africa and the hub of trade and commerce for the continent, is also reputed for fraudulent activities, especially regarding online fraud. The issue of e-commerce scams and on-the-net fraudulent activities in Nigeria is astonishing, and the same has dented badly the worldwide image of the prosperous country as well as truncated economic growth and development. In 2014, the Nigeria Electronic Fraud Forum and Nigeria Interbank Settlement System stated unequivocally in a joint report that nearly N6.2 billion got lost through electronic frauds in the Nigerian financial industry [17].
Nigeria is not alone where online fraud is concerned. South Africa, the second-largest economy in Africa, has a worldwide notoriety for cybercrime density, that is, the percentage of cybercrime victims within a given number of online users. The measure rose sharply by 8% between 2021 and 2022, and as a result South Africa ranked fifth in the worldwide index [18].
Further to the foregoing, as of 2017, the cost of cybercrimes for African economies was put at USD 3.5 billion. That year, Nigeria alone lost a whopping sum of USD 649 million to cybercrimes, while losses to Kenya stood at USD 210 million. For South Africa, USD 157 million was reported lost to cyberattacks, per the official statement credited to the South African Banking Risk Information Centre (SABRIC) [19].
All the foregoing figures, both the number of victims and the staggering economic losses, are a testimony to the almost insurmountable hurdle of cybercrime and cyberattacks that mankind faces, a challenge that must be addressed timeously.
Cyberattacks
It is well-settled that when humanity is faced with a challenge, solutions must be found. One of the elixirs to the menace of cyberattacks is cyber insurance. Cybersecurity insurance is relatively new and an industry that could be described as embryonic [20]. Purchasers of cyber insurance at the corporate level presently are considered early adopters because of the newness of the concept and the industry [21]. Cybersecurity policies are highly dynamic and, thus, capable of changing with the rapidity of a kaleidoscope, given the organic and ever-fluctuating nature of the associated cyber-risks. Unlike well-established insurance plans, underwriters of cybersecurity insurance policies have little or no data to formulate the risk models in the determination of insurance policy coverages, as well as the applicable rates and premiums [22].
A cyberattack has been defined as a premeditated, willful, and malicious act targeted at harming an organization's critical information technology infrastructure, especially through the internet [23].
The economic implications of cyberattacks are indeed enormous. It is on record that going concerns are obliged to repair or replace damaged equipment and tools, pay for additional labor and downtime, upgrade company cybersecurity programs, cover consultant fees, and pay heavy regulatory penalties for failure to protect confidential information in compliance with mandatory data breach reporting requirements [24]. Besides the foregoing, major data breaches more often than not engender very costly litigation, including cross-litigation between multiple parties owing to their interdependencies, all of which together result in very heavy costs [25].
At this juncture, it is expedient to cite some instances of cyberattacks on corporations in order to exhibit the economic and legal consequences, including the unquantifiable reputational damages, after a major cyberattack.
It is trite knowledge that, as humanity relies more on electronic communication on the one hand and as corporations collect and retain more information regarding their clientele on the other, this development has created ample opportunity for cyber criminals to perpetrate their unholy acts, thereby creating problems for corporations and members of the public, an illicit act that is growing exponentially.
In 2015, the Identity Theft Resource Center (ITRC) tracked 781 data breaches, the second-highest number on record since it began tracking breaches in 2005 (ITRC 2016). The Ponemon Institute, an independent research organization specializing in data protection, privacy, and information security policy, reported that 75 percent of the organizations it surveyed had experienced some form of data loss or breach since 2014 (Ponemon Institute 2016). The Office for Civil Rights indicated that 112 million health-care-related records were stolen, lost, or inappropriately disclosed through data breaches in 2015 (Munro 2015). According to recent reports, the average cost of a data breach to an organization is between USD 3 million and USD 7 million [26].
While all the foregoing statistical data relating to cyberattacks was collected, there were others that resulted in serious litigation where heavy costs were incurred. For example, Retailer Target estimated that the infamous data breach that happened to them in 2013 cost as much as USD 300 million, of which about USD 89 million was paid in settlements alone [27].
In addition, in 2017, the operations of the pharmaceutical giant Merck were practically paralyzed by a cyberattack, the infiltration of the NotPetya malware, an unfortunate development that resulted in a loss to the company of a whopping USD 1.3 billion [28].
The issue of cyberattacks is a very serious one; unfortunately, it is a global obstacle standing between humanity and the full benefits of technological advancement in telecommunications. The menace certainly needs the input of all, but sadly, most corporations are ill prepared to face the reality that cyberattacks, the brainchild and potent instrument of cybercriminals, are here to stay.
Taking into consideration the foregoing, compliance authorities (generally referred to as the Data Protection Commission or Regulator) worldwide have levied huge sums of fines and penalties against corporate bodies for data breach occurrences and for non-compliance with prescribed security and privacy laws. The following corporations were respectively fined as follows: Didi Global: USD 1.19 billion, Amazon: USD 877 million, Equifax: USD 575 million, Instagram: USD 403 million, TikTok: USD 370 million, T-Mobile: USD 350 million, Meta (Facebook): USD 277 million, WhatsApp: USD 255 million, Home Depot: USD 200 million, Capital One: USD 190 million, Uber: USD 148 million, Morgan Stanley: USD 120 million, and Google Ireland: USD 102 million [29].
Having come this far, it should be carefully borne in mind that small and medium companies are not immune from cyberattacks; the effects of cyberattacks have assumed astronomical proportions, to the extent that the average cost of a data breach to a US business grew from USD 3.54 million in 2006 to USD 8.19 million in 2019 [30]. Thus, given all that has been discussed, it has been submitted that current cyberattack reports indicate that attacks are becoming both more frequent and more sophisticated [31]. The conclusion of this section may be summarized as follows: in the face of imminent cyberattacks, corporations and other organizations are turning to insurance companies for cyber insurance cover in order to protect themselves and mitigate the harsh consequences of cyberattacks [32].
It has been submitted that the cybercrime trend is likely to continue for a long time to come because of its high profitability and low chance of detection [33]. Practically all sectors of industry are feeling the impact of cybersecurity breaches; neither government agencies nor public or private entities are immune [34]. To buttress the alarming rate of cybercrime, INTERPOL, the global police organization, has documented that cybercrime is progressing at breakneck speed, with new waves and innovations dynamically emerging [35].
What Is Cyber Insurance?
Unlike traditional insurance policies taken out to protect property, which include but are not limited to fire, accident, and burglary cover, and which have existed for decades, cyber insurance policies are relatively new; Lloyd's of London is on record as the first insurer to issue a cyber-related cover, in 1999 [36]. However, most industry observers attribute the emergence of cyber insurance to Steven Haase, who assisted the insurance company AIG in writing the first cyber insurance policy in 1997 [37].
In simple terms, this paper is of the view that cyber insurance is that policy that is taken by organizations as a mitigating strategy against cyberattacks, which is imminent and unavoidable in today’s clime of computerization, a trend that has taken over practically all aspects of human existence.
Cyber insurance has also been defined as that brand of insurance specifically formulated to cater for first-party loss and third-party liability coverage for data breach events, privacy violations, and cyberattacks [38]. It should be added that there are variants in the brands of policies offered, and cyber insurers provide some risk-shifting for incidental costs regarding response, investigation, defense, and mitigating against the setbacks associated with a cyberattack.
The advent of cyber insurance dates back to the late 1990s as a result of an exponential increase in the use of computers and a concomitant rise in cyber-related threats, particularly because of the widespread use of the Internet. The concept of cyber insurance is believed to have its origins in errors and omissions (E&O) insurance, a separate form of insurance that protects against faults and defects in the services provided by companies. E&O insurance is analogous to product liability policies, for companies that sell physical or digital products [39].
While some cyber insurance policies contain specific provisions for E&O, most providers sell these as separate and distinct policies. E&O insurance does not cover the loss of third-party data, such as customer credit card numbers; customers needing such protection can purchase a cyber-insurance policy that covers it [40].
At this juncture, it is necessary to share some peculiar characteristics of cyber insurance that distinguish it from other, well-known insurance policies. From a practical and operational point of view, perhaps because of its newness, cyber insurance departs radically from traditional insurance in that cyber policies follow no standardized format or language; the terms and conditions are entirely at the discretion of the parties to the insurance contract, namely the insured and the insurer [41]. It should be carefully noted that the risks covered vary appreciably from contract to contract, and across policies there is no consensus as to which policies cover which risks. Succinctly put, comprehensive cyber insurance policies are inherently difficult to write, largely because past data are an unreliable pointer to future losses and because large-scale, unpredictable cyberattacks remain a real possibility [42].
According to literature, the protection offered by cyber insurance has three variants, namely:
First-Party Coverage
This cover reimburses the insured corporations with respect to the costs of cyberattacks having a direct bearing on their businesses. First-party cyber policies depend largely on company needs, which could be broad or otherwise, and often times take care of post-cyberattack expenses, which include but are not limited to data breach expenses, data recovery costs, the remuneration for crisis management consultants with a view to the restoration of brand reputation, and associated costs for negotiators who handle ransom payments.
Third-Party Coverage
This cover, as the name implies, reimburses the affected third parties for costs incurred by the clients of the insured party, and said costs are those resulting from data breaches, infestations of computers and networks by malware, or other forms of cyberattacks for which the insured entity was responsible or liable. The cyber insurance company steps into the shoes of the insured corporate person with the intent of compensating the affected third party.
Implicit Coverage
This is also referred to as non-affirmative cyber exposure. This variant, stricto sensu, is not a cyber insurance policy at all, but refers to potential cyber-related losses arising under common property and casualty (P&C) policies that were not specifically fashioned for cyber risks [43].
What Does Cyber Insurance Cover, In Terms Of Risks?
Having consistently advocated for cyber insurance as a veritable mitigating agent to cyberattacks, it is pertinent at this point to discuss what the concept actually covers so as to bring to the fore the varieties of risks that could be addressed in a cyberattack situation.
Generally, cyber insurance covers losses pertaining to damage to or information loss from IT systems and networks. Principally, it covers direct (or first-party) financial losses to corporate business arising from a cyber-event. A cyber event is simply any actual or suspected unauthorized IT system access, electronic attack, or privacy breach. The vast majority of financial losses are first-party losses and include theft of funds, theft of data, and damage to digital assets.
Cyber insurance covers the liability actions that might be brought against a corporate body arising out of a cyber-event, that is, third-party losses such as investigation and defense costs, civil damages, and compensation payments to the affected parties.
According to the British Insurance Association [44], the under listed risks are covered by cyber insurance.
Preliminary Cyber Incident Support
Cyber insurance also assists corporations in managing cyber risk before an incident happens. Insurers are able to offer access to cyber security experts and threat intelligence services, carry out IT vulnerability assessments, provide personnel training in cyber security, and assist with safe password management, among other preventive measures intended to avert cyberattacks.
Security And Privacy Breach Costs
This covers the costs a corporate business incurs in dealing with a security breach, including the cost of notifying clients of the breach, the cost of hiring a call center to respond to clients' inquiries, public relations advice, IT forensic costs, legal fees, and the costs of responding to regulatory authorities.
This cost also covers corporate businesses against infringement of privacy claims and incidental legal costs should a breach happen. Further, this cover provides for payments to legitimate claimants as well as the legal and regulatory defence costs resulting from a privacy breach. This brand of cover is particularly ideal for corporations that deal with or store the personal information of their clients.
It should be noted that, before an insurer can be called upon to indemnify third-party damages or compensation, the breach complained of must actually have occurred and must have resulted in demonstrable damage. This is also the rationale of the decision in the United Kingdom case of Lloyd v. Google LLC [45]. The respondent (Lloyd) claimed that the appellant (Google) had breached its duties as a data controller under Section 4(4) of the Data Protection Act 1998 in respect of about four million Apple iPhone users, by collecting and using their browser-generated information between August 9, 2011 and February 15, 2012. Lloyd sued in a representative capacity on behalf of all persons resident in England and Wales whose data had been so collected. He applied for permission to serve the claim out of the jurisdiction, which Google opposed on the grounds that:
- The facts pleaded disclosed no basis for a claim of compensation under the Data Protection Act
- The court should, in any event, not permit the claim to proceed as a representative action.
The UK Supreme Court unanimously allowed Google's appeal, holding that the representative claim for damages on behalf of some four million iPhone users resident in England and Wales could not proceed.
Under the Data Protection Act 1998, damages cannot be awarded without an individual assessment of the loss suffered by each claimant, and damages for mere 'loss of control' of personal data are not available under the DPA 1998. Finally, unlawful processing of data, without proof of material damage or distress, does not of itself give rise to a claim for compensation under the DPA 1998.
From the above decision of the UK Supreme Court, it is clear that a claim for compensation arising from a data breach requires proof that the breach actually happened and caused demonstrable harm to the particular claimant.
Post-Cyber-Incident Support
This is also called cyber forensic support and is usually included by cyber insurers as standard; thus, in case of IT failure or cyber-mishap, this cover provides the concerned corporate with rapid support and assistance from cyber specialists, recommended or nominated by cyber insurers, immediately after a cyber-incident. The experts assess the corporate systems with the view of identifying the breach source(s) and make suggestions regarding preventative measures against future occurrences. Besides, this support includes legal and regulatory advice and the necessary steps to embark upon regarding notification to clients about breaches.
Cyber Extortion
This cover protects corporations against extortion-based cyberattacks and ransomware. In these attacks, the attacker gains access to, seizes total or partial control of, or withholds access to corporate operational systems or databases until a demanded fee is paid. The utility of this cover is that it reimburses the ransom demanded by the attacker(s), including the fees of the consultants engaged to negotiate and resolve the incident. Cyber extortion cover is highly recommended for online corporate businesses, as ransomware cases are becoming more rampant.
Damage to Digital Assets
This cover protects corporate digital assets against damage. Such assets include the corporate website and the mass of information attached to it. The protection offered is against loss, corruption, or alteration of data, including computer programs, and against misuse of systems. In addition, asset replacement costs are covered, which is particularly relevant for corporations engaged in online business or operating automated manufacturing systems.
Business Interruptions
This cover insulates corporate bodies from losses incidental to cyberattacks; in other words, the insurance company pays for loss of income while business activities are put on hold as a result of business interruption. If there is an increase in the cost of doing business, the insurance company also steps in to lend a hand. This cover goes a long way toward mitigating various losses that are inevitable as a result of cyber-attacks.
Liability Costs
Cyber insurance takes care of liability costs should it happen that an insured corporation is sued for slander, libel, defamation of character, or the infringement of copyright or intellectual property rights. This particular cover is very important for corporations that rely heavily on digital data transmission via email or other electronic transmissions of information, which could lead to legal liabilities [46].
What Is Not Covered By Cyber Insurance?
It is well established that cyber insurance is capable of providing valuable protection against anticipated cyberattacks. That fact, as unassailable as it is, does not connote that cyber insurance is a panacea for all forms of risks associated with online infrastructure.
In other words, the risks that fall outside the cover of cyber insurance are those that are clearly beyond its scope and for which underwriters in the industry are not prepared to provide cover; this may be the result of the traditional standpoint of underwriters, or of a judgment that the risks left uncovered are simply too risky to insure.
Some of the risks that cyber insurance does not cover, and which appear as exclusions in policies issued by insurance entities, are briefly discussed below:
Known Vulnerabilities
Known or glaring vulnerabilities are excluded from cyber insurance coverage. As a result, if cyberattacks occur and the cause(s) are attributable to known vulnerabilities or other security weaknesses left unaddressed, the insurance companies would not be liable for such lapses.
Intentional Acts
Whatever damages arise out of the intentional and/or fraudulent acts of the insured party, or their employees or agents, are in general excluded from cyber insurance coverage. In other words, these acts are considered willful and calculated to truncate corporate businesses; as a result, the insurance company would naturally exclude such acts from coverage.
Prior Acts
Many cyber insurance policies usually exclude coverage for cyber incidents that occurred before the commencement or effective date of the policy. This is understandable because prior acts, omissions, and commissions are not within the policy’s effective date.
Non-Cyber Events
Some damages, and of course the claims arising from them, are outrightly excluded because they are occasioned by non-cyber events. Typical examples are natural disasters, otherwise known as acts of God, and theft of physical property, which are generally excluded from coverage by cyber insurance.
Terrorism and State-Backed Cyber-attacks
Cyber insurance companies are usually reluctant to honor claims arising out of acts of terrorism, war, or similar events, whether carried out by individuals, groups, or state actors [47].
A typical example of a claim denied under the “act of war” clause in cyber insurance is the celebrated case of Mondelez International, Inc. v. Zurich American Insurance Company [48]. The brief facts were that the plaintiff held a policy issued by the defendant against cyberattacks. When the 2017 NotPetya outbreak affected the plaintiff, 1,700 servers and not less than 24,000 laptops were infected, a development which left staffers of the plaintiff unable to use their systems, applications, or data. The plaintiff sued for USD 100 million in damages, but the defendant denied liability, insisting that the NotPetya cyberattack was an “act of war.” The suit was eventually settled out of court.
Rationale for Why Insurers Exclude Terrorism and State-Backed Cyber Attacks
The reasonable question that comes to a discerning mind is: why are insurers disposed to excluding “war-like, terrorism and state-backed cyberattacks”? The answer is not far-fetched. Expert opinion was volunteered by the insurance mogul Lloyd’s of London as far back as August 2022, to the effect that, starting in 2023, Lloyd’s would require cyber insurance policies to exclude “catastrophic” state-backed cyberattacks. While Lloyd’s is supportive of cyberattack cover, it nonetheless acknowledges that cyber-related risks are evolving continuously; accordingly, Lloyd’s has taken the precautionary measure of requiring its insurer groups to exclude liability for losses arising from state-backed cyberattacks. The foregoing decision arose out of a growing recognition in the insurance industry that state-orchestrated cyberattacks pose very serious and formidable challenges to the industry.
In a bulletin, Lloyd’s underscored the necessity for underwriters to examine carefully the possibility of state-orchestrated cyberattacks happening outside traditional wartime scenarios, which involve the use of physical force. The extensive damage capable of being inflicted by state-backed cyberattacks, and their potential to spread, creates a systemic risk for all insurers, a development which makes it necessary to address these risks frontally and as effectively as possible [49].
The Complexities Associated With State-Backed Cyber-attacks
A cerebral submission has been made to the effect that, as opposed to conventional cyber threats emanating from individual cybercriminals or criminal groups and organizations, state-sponsored attacks operate on a totally different trajectory and with many unrepentant motivations. State-orchestrated cyberattacks happen because the nation-state concerned wishes to maximize its economic, political, military, cultural and, lately, religious interests. Such nation-state cyber attackers, more often than not, possess vast financial resources, highly sophisticated techniques, and unfettered access to advanced cyber-tools, all of which make them very capable of wreaking unprecedented havoc and worldwide damage [50].
Succinctly, the reach of state-backed cyberattacks extends beyond individual corporations and industries, with the potential to ruin critical infrastructure, governmental institutions, and even the entire globe. Such cyberattacks, among other negative consequences, disrupt financial systems, disable and grind essential services to a halt, and compromise highly sensitive data on a scale unknown to history, thereby resulting in incalculable financial losses [51].
What Proportion Of Corporates Have Cyber-Insurance?
This section addresses the percentage or proportion of corporate bodies across the globe that currently hold cyber insurance to take care of, or mitigate, the negative consequences of imminent cyberattacks.
As pointed out elsewhere before now, the concept of cyber insurance is relatively new, having practically been confirmed to have come to the fore in 1997; this newness perhaps accounts for its low patronage, notwithstanding the fact that cybercriminals are ubiquitous and always on the prowl, with unalloyed determination to wreak havoc on corporations intent on ensuring that the industrial and technological wheels run unhindered.
According to available records compiled from more than 23 cybersecurity insurance statistics, drawn from various data sources:
- The worldwide market for cyber security insurance stood at USD 7.60 billion in 2021, and it is expected to increase to USD 20.43 billion by the year 2027.
- The USA market alone for cyber security insurance was estimated at USD 2.38 billion in 2020.
- Regarding the pertinent question of how many companies have cyber insurance: in a survey of 450 organisations conducted in 2022, only 19% of the organisations responded that they had coverage for cyberattacks beyond USD 600,000, and only 55% of organisations confirmed having any form of cybersecurity insurance at all [52].
Another way to examine the total adoption of cyber insurance is by the number of written coverages. On that statistical record, total written premiums in 2020 stood at USD 2.7 billion, with a total of 4 million policies in operation [53].
According to a renowned global statistical outfit, present predictions regarding the size of the global cyber insurance market indicate that rapid growth shall happen in the next five years, such that the total market size would increase from around USD 8 billion in 2020 to over USD 20 billion by 2025, with the majority of that market dedicated to corporate insurance [54].
In a global survey conducted by Statista between January and February 2022, involving 5,600 respondents in 31 selected countries, the following are the top ten countries and the percentage of corporations having cyber insurance coverage: Austria 66%, Czech Republic 64%, Nigeria 62%, Netherlands 59%, Australia 58%, India 56%, Sweden 55%, Poland 55%, Belgium 54% and Switzerland 53% [55].
Other countries are the Philippines 53%, France 52%, Spain 51%, Hungary 50%, USA 50%, Colombia 49%, Malaysia 46%, Chile 48%, Italy 47%, UAE 47%, Brazil 46%, Mexico 46%, Japan 44%, Singapore 43%, UK 42%, Germany 41%, South Africa 40%, Canada 38%, Israel 37%, Saudi Arabia 36% and Turkey 37% [56].
The above statistical data reveals a startling development, to the effect that the highly industrialised and developed nations of the world, which include but are not limited to the USA, UK, Japan, Germany and Canada, are not great adopters of cyber insurance, whereas they are at the forefront of cyber technology.
According to the literature, there are today 195 countries in the world [57]; 193 of these are United Nations member states, while two, namely the Holy See and Palestine, are not. Since the survey conducted by Statista covered 31 countries, only about 15.89% (approximately 16%) of the existing countries in the world were surveyed, a figure which is too small to be taken as truly representative of the adoption of cyber insurance. Even for the surveyed countries, the percentages of cyber insurance adoption are very low and disturbing; the conclusion is manifestly clear that the patronage accorded cyber insurance globally is very low.
Advantages of Cyber Insurance
Generally speaking, having insurance cover is akin to an investment, which produces dividends when the calamity insured against happens. Conversely, a corporation without cover stands to lose everything and pay heavy damages should a cyberattack occur. That was what happened in the celebrated United States case of Johns v. Sony Computer Entertainment America LLC et al [58]. The facts were that a groundbreaking class action on behalf of about 77 million subscribers to Sony services was filed by one Mr. Kristopher Johns at the U.S. District Court for the Northern District of California, on the ground that Sony did not take reasonable care to encrypt, protect, and ensure the security of the private and sensitive data of its customers. Sony was also alleged to have violated the Payment Card Industry (PCI) Security Standard.
Besides the foregoing, Mr. Johns alleged that Sony did not promptly notify him and other customers regarding the breach of their private and confidential information, a development which prevented the victims from taking remedial actions, such as changing their credit card numbers, closing down compromised accounts, examining credit reports, or taking other steps to mitigate the effect of the data breach.
The massive data breach cut off all subscribers of Sony PlayStation consoles from service access, a very unfortunate development that continued for twenty-three (23) consecutive days. A whopping sum of USD 171 million was incurred by Sony in costs associated with the monumental data breach. Ideally, Sony could have spent part of this huge cost on a cyber insurance policy, but that was not done. The court held that Sony’s insurance policy covered only physical property damage, and not cyberattack(s) and the ensuing unprecedented cyber damages.
This section summarises the advantages inherent in corporations holding cyber insurance cover, as follows:
Protection against Financial Losses
The after effects of a cyberattack leave in their wake incidental losses to corporate victims, which losses include fraud, identity theft, ransomware, investigation expenses, credit monitoring services, and data breach costs in sending notifications to affected clients, among other costs. Cyber insurance provides firm financial security against damages resulting from cyber incidents and reimburses the losses a corporation may incur.
Legal Support
Legal assistance is a non-negotiable service if and when cybercriminals perpetrate cyberattacks. The legal support offered by cyber insurance lies in the helping of corporate businesses to navigate the technicalities and complications of legal systems associated with cyberattacks. Cyber insurance takes care of legal fees, as does legal compliance with existing regulations, potential lawsuits, and ensuing litigation occasioned by data breaches and privacy violations. Cyber insurance also helps in the settlement of judgments against corporations, where they are judgment debtors.
Reputational Damage Mitigation
More often than not, cyberattacks could wreak more havoc than just mere financial losses; they could occasion incalculable damages, especially to the hard-earned goodwill and reputation built over a long period of time. With cyber liability insurance, corporations are provided with the resources to repair the battered reputational damage after a cyber-incident, which principally consists of public relations services such as image laundering and the management of crisis support.
Commitment to Security and Industry Standards
Cyber insurance coverage prompts corporations to operate in compliance with industry standards and regulations in force. It highlights their commitments, unalloyed dedication to clients’ data safeguards, and preparedness for cyberattacks. Without doubt, cyber insurance connotes a commitment to cybersecurity; this goes a long way toward boosting the reputation of corporations as well as confidence in the perception of customers, other stakeholders, and business partners. With particular reference to industry standards, if a corporation operates where customer data is stored, compliance with the Payment Card Industry Data Security Standard (PCI-DSS) is mandatory. Cyber insurance would ensure that is complied with.
Assurance against Cyber Calamities
Cyber insurance automatically confers peace of mind on corporate bodies that have cover; it gives a sense of security to such corporations, which in turn is a form of guarantee against financial instability, in case cyber criminals, who are always alert, ready, and seeking where and who to damage, strike.
A corporate body that is insured against cyber crises or attacks would naturally focus on their real business operations without the need to constantly be in trepidation regarding the dire consequences of cyberattacks, which bring about financial crises and, of course, imminent reputational damages, which are the end results of cyberattacks.
Online Damage Recovery
The goal of some cybercriminals is not only to steal valuable information but also to slow down the proper functioning of the entire corporation; some are out for various forms of vandalism against online infrastructure, whether in software or hardware form. If a corporate body has cyber insurance cover and malicious damage has occurred, the corporation can be assisted with the cost of business recovery, and the cyber insurer shall take responsibility for any damage arising or ensuing from cyber vandalism.
Prevents Loss of Intellectual Property
Intellectual property is the intangible creation of human intellect, which includes inventions, designs, literary and artistic works, symbols, images, and names generally used in trade and commerce. Intellectual property is legally categorized as trade secrets, patents, copyrights, and trademarks.
Trade secrets are distinctive competences that corporations hold very dear so as to continue in business and remain competitive. The loss of intellectual property is very costly, and it may spell doom for a corporation, depending on the severity of the loss. Cyber criminals are always out to steal intellectual properties owned by corporations; however, when a corporation is covered by cyber insurance, to a large extent, the intellectual property is protected, and even if stolen, compensation is assured to the covered corporation, which has fallen victim.
Vulnerability Assessment
More often than not, insurance outfits offering cyber insurance cover, usually as a result of due diligence, insist on a comprehensive vulnerability assessment. This is done to ascertain the level of risks to which a corporate body is exposed and, basically, to know what premium to charge for the identified risks on the one hand and, on the other, to reveal to the potential insured corporate body the level of vulnerabilities in their systems of operations. This is principally to set in motion and eventually take necessary measures that shall prevent the incidence of cyberattacks and, of course, anticipated data breaches.
Forensic Analysis and Support
While vulnerability assessment is for the prevention of cyberattacks, forensic analysis and support address the aftermath of a cyberattack. After a cyberattack has been carried out on a corporate body, it is very important, and not negotiable, to launch a full-scale, extensive examination aimed at finding out the immediate and remote sources and causes of the cyberattack, which could be the result of compromised personnel, internal weaknesses, or external influences. The forensic analysis reveals what went wrong, where, and how. This helps a great deal in knowing which remedial action(s), i.e., preventive actions, are necessary to deter future occurrences of such cyberattacks.
Conclusions
This section summarises the themes of this paper by recapping what has been put together under each section before now.
With respect to Section 1, this paper states that insurance generally is a form of protection against the vagaries of life and, in particular, a means of preparing for calamities that are incidental to life. Succinctly expressed, a corporation with cyber insurance coverage is in a better position than one that does not.
The subject of Section 2 is cybercrimes; to this day there is no globally accepted definition, but that definitional challenge has not made the concept incapable of being understood: while the outcomes of most terrestrial crimes are seen, to wit, the actus reus, cybercrimes are committed in cyberspace, and their effect might not be physically seen yet is very palpable and ruinous. Cybercrimes are novel and relatively new, but they are here to stay. While cybercrimes are increasing exponentially, the means of addressing them, in terms of law and physical action, are too slow and not at all commensurate with the growth and ever-developing speed of cybercrimes.
The germane Siamese twin issues of cybercrime and cyberattacks are indeed very pervasive and militating against the global reaping of benefits inherent in technological advancement in telecommunications and computers. It is very unfortunate to note that most corporations across the world are ill-prepared to face the reality of cyberattacks.
In Section 3, a cyberattack was defined as a premeditated, willful, and malicious act targeted at harming an organization's critical information technology infrastructure, especially through the internet. It is hereby added that cybercrime in itself is inert; its deployment, and the manifestation of the deployers’ desired intent when it becomes successful, are cyberattacks. Cyberattacks engender elephantine financial losses, not only for large corporations but also for small and medium companies.
As discussed in Section 4, cyber insurance policy is a relatively new phenomenon, the first recorded one, credited to Steven Haase, who wrote for AIG Insurance Company in 1997. It is a cover, borne out of necessity, to ameliorate the consequences of imminent cyberattacks. Interestingly, cyber covers do not have a standardized format, like other insurance policies.
There are three variants of cyber insurance coverage: first-party, third-party, and implicit coverage.
Section 5 dwelt on coverages of cyber insurance, and they are preliminary cyber incident support, security and privacy breach costs, post-cyber-incident support, cyber extortion, damage to digital assets, business interruptions, and liability costs.
The central focus of Section 6 is the discussion of exclusions, that is, what cyber insurance does not cover; they are, respectively, known vulnerabilities, intentional acts, prior acts, non-cyber events, terrorism, and state-backed cyberattacks.
The percentage or proportion of corporations having cyber-insurance is the focus of Section 7, and after due consultations of diverse literature, it was found that the concept of cyber-insurance is relatively new, which accounts for why there is low patronage, yet cybercriminals are unrelenting in their quest to do as much damage as possible to corporate businesses across the globe.
The statistical data regarding the adoption of cyber insurance has invariably revealed a startling development, to the effect that the highly industrialized and developed nations of the world, which include but are not limited to the USA, UK, Japan, Germany, and Canada, are not great adopters of cyber insurance, whereas they are at the forefront of cyber technology.
By virtue of the outcome of the survey conducted by Statista for 31 countries, only about 15.89% (approximately 16%) of the existing countries in the world were surveyed, a figure that is too small to be taken as truly representative of the adoption of cyber insurance. Even for the surveyed countries, the percentages of cyber insurance are low; the conclusion, of course, is manifestly clear that the patronage accorded cyber insurance globally is very low.
Recommendations
This paper strongly recommends that corporations across the globe take the following recommendations into serious consideration and implement them, if not already done; it is in doing that that the menace that cyberattacks pose to businesses across the globe will be reduced to the barest minimum.
For ease of understanding, the mitigation of cyberattacks could be broadly categorized into technical and nontechnical.
The technical measures are:
Corporates Are Enjoined To Use Strong Passwords
The use of a very strong password is not negotiable for online security; a password that can easily be guessed by cybercriminals poses a great danger, for the same can be used to infiltrate an online platform, from which point a cyberattack(s) could be launched.
Anti-Virus Software And Operating Systems Must Be Updated.
The necessity to comply with the above recommendation lies in the security provided by the same, because cybercriminals are well known for exploiting vulnerabilities and flaws in software as a means of accessing corporate computer systems. Thus, patching those vulnerabilities and flaws is a form of security against cyberattacks; above all, keeping software and all operating systems updated is a guaranteed means of benefiting from the wide range of latest security patches available in the industry. This goes a long way toward protecting corporate computer systems.
Corporates Must Have Backup For Data And Recovery Plans.
Notwithstanding whatever steps corporations may take to keep cyberattacks at bay, cybercriminals may still successfully gain access to a corporate database and wreak havoc. This is because it is practically impossible for humans to take all the precautionary steps necessary. Hardware backup is recommended so that, if there is a cyberattack, corporations can always reactivate the hardware and reinstall the stored database.
The nontechnical measures to combat cybercrimes include the following:
- The employment of qualified IT personnel to take care of the online platforms used by corporations; this arises because competent personnel have the required skills to protect the corporations.
- Fair remuneration with attractive terms and conditions of engagement is also recommended since, with this measure, loyalty is almost automatic because an average person loves job security. Loyalty equally leads to commitment on the part of the employed IT personnel, and this brings forth dedication, making the employed give their best on the job.
- Constant training and retraining of IT personnel is highly recommended since it goes a long way toward improving the skills and competences of the employees. Training is indispensable, especially in a dynamic business environment like IT, where new systems are rapidly coming out and, of course, where cybercriminals are always devising new methods and techniques targeted at perpetrating crimes. Constant training keeps IT personnel up to date on what is current and happening in the IT industry and the market, particularly with respect to developments in the cybercrime world.
- Reasonable and fair restrictions on access to social media settings.
This recommendation is particularly important in a corporate online environment because one of the main routes used by cybercriminals to gain access to online systems is through social engineering. All that is needed by online men of the underworld is a few pieces of personal information, such as date of birth, mother’s maiden name, origin, etc. With any of that information, they can craft or guess the rest and infiltrate a corporate network through the identity of an employee in the organization.
Finally, the foundational premise of this paper is cyber insurance, and because of its inherent advantages in a corporate setting, which include protection against financial losses, the legal support offered after a cyber-incident, the mitigation of reputational damages suffered as a result of a cyberattack, the assurance that cyber insurance provides against cyber calamities, the assured online damage recovery, the prevention of loss of intellectual property, and forensic analysis and support readily provided in case there is a cyberattack, cyber insurance is hereby strongly recommended to all corporate bodies across the globe.
References
Books
- EFG Ajayi Law of Insurance: The Students' Companion and Citizens' Manual, Lambert Academic Publication, Germany 2014.
- Elizabeth A. Martin A Dictionary of Law 5th Ed. Oxford University Press 2003.
- Mike McGuire (University of Surrey) and Samantha Dowling (Home Office Science): Cyber-crime: A review of the evidence. Summary of key findings and implications Home Office Research Report 75, Home Office, United Kingdom, October 2013.
- Online Cambridge Advanced Learner’s Dictionary. 4th Edition.
- Oxford Dictionary of Law, 5th Edition.
Articles
- Adebayo A, Kekere A. “Electronic Commerce in Nigeria: The Exigency of Combatting Cyber Frauds and Insecurity”. J Law, Policy Globa. 2016; 47: 159-160.
- Shniderman AB. Prove It! Judging the Hostile-or-Warlike-Action Exclusion in Cyber-Insurance Policies, 129 Yale L.J. F. 2019.
- Angela Nieves, Cyber Insurance Today: Saving It Before It Needs Saving, 29 Cath. U. J. L. & Tech 111 2020.
- Kshetri N. “Cybercrime and Cybersecurity in Africa,” J Global Informa Tech Managt. 2019; 22: 77-81.
- Talesh SA. Insurance Companies as Corporate Regulators: The Good, the Bad, and the Ugly, 66 Depaul L. Rev. 463, 475.2017.
- Seaman SM, Schulze JR. Allocation of losses in complex insurance coverage claims. 2019; 17: 13.
- Shauhin A. Talesh How Insurance Companies Act as “Compliance Managers” for Businesses. Law & Social Inquiry. Journal of American Bar Association. 2017.
- Reed TS. Cybercrime and Technology Losses: Claims and Potential Insurance Coverage for Modern Cyber Risks. 54 Tort Trial & Insurance Practice L.J. 153, 163.
Statutes
- Electronic Communications and Transactions Amendment Bill, 2012 South Africa.
Table of cases
- Lloyd v Google LLC UKSC 2019/0213.
- Johns v. Sony Computer Entertainment America LLC et al 3:2011cv02063, US District Court for the Northern District of California of 27th April 2011.
- Mondelez International, Inc., v. Zurich American Insurance Company 2018 WL 4941760 (Ill.Cir.Ct.). No. 2018L011008. October 10, 2018.
Internet
- The Latest 2023 Cyber Crime Statistics (updated October 2023).
- Countries in Africa.
- Twenty 27 surprising facts about Africa.
- South Africa ranked 5th on global cybercrime density list.
- Kelly Bissell et al., Ninth Annual Cost of Cybercrime Study, Accenture, 18-19 (6 March 2019).
- Kinza Yasar, What is Cyber Insurance and Why is it Important?
- Angela Nieves, Cyber Insurance Today: Saving It Before It Needs Saving, 29 Cath. U. J. L. & Tech 111 (2020).
- Vincent Lynch, Cost of 2013 Target Data Breach Nears $300 Million, HASHED OUT (May 26, 2017).
- Riley Griffin et al., Was It an Act of War? That’s Merck Cyber Attack’s $1.3 Billion Insurance Question, BLOOMBERG (Dec. 3, 2019).
- The biggest data breach fines, penalties, and settlements so far.
- IBM, Cost of a data breach report 10 (2019).
- Cybercrime, INTERPOL.
- Renee Dudley, The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks, Propublica (Aug. 27, 2019).
- The Growth and Challenges of Cyber Insurance.
- What is cybersecurity insurance (cybersecurity liability insurance)?
- The Growth and Challenges of Cyber Insurance.
- What does cyber insurance cover?
- Cyber Insurance Explained: What It Covers, Who Needs It.
- Eye-Opening Cybersecurity Insurance Statistics (2023).
- Cyber insurance - statistics & facts.
- Share of organizations with cyber insurance coverage in selected countries worldwide in 2021.
- How many countries are in the world? 2023.