You can also listen to this podcast on iono.fm here.
JEREMY MAGGS: Now this is worrying. Nearly half of cyber insurance claims are now being rejected or partially denied, as insurers take a harder line on cybersecurity standards and governance.
A new global study shows many businesses are losing out because what they declared in their policies doesn’t actually match what is happening in the workplace when an attack occurs.
I want to explore this in a little more detail. I’m in conversation with Muhammad Ali, managing director of cybersecurity and ISO specialist at World Wide Industrial & Systems Engineers (WWISE).
Muhammad, a very warm welcome. I want to start with this headline figure, 47% of claims rejected. Is this about insurers dodging payouts or companies overselling their cyber readiness?
MUHAMMAD ALI: Yeah, I think it’s a very valid question. I think it’s a combination of both factors.
Firstly, I think a lot of corporate organisations feel that they have everything in order. The IT team give them a report, and the top management or the board are all comfortable in terms of what’s going on.
Very little investment is taken into cybersecurity and protecting their privacy and information, personal information as well as their data.
Sometimes I feel like people consider cybersecurity as a cost, as opposed to an investment. In today’s time, it’s about when am I getting attacked, as opposed to if.
You need to know that you are going to go through an attack. Now, there are multiple factors where organisations have misinterpretation of their security controls.
Maybe they have policies that are well written, but it does not talk to what’s actually on the ground. Or perhaps they have very incorrect policies or outdated policies that are in place.
Now, when a cyber insurance company comes in – and let’s look at it from their point of view – you’re perhaps paying a premium. They’ve done an assessment and analysis. They actually look at all of these things. They look at your misrepresented controls, weak governance, outdated practices.
The assumption is that I’m going to get a payout because I’ve got cybersecurity insurance that’s going on. That’s not the case. Due to non-compliance, businesses are exposing themselves without investing in and following the actual protocols within their policies. So it’s a factor of both.
JEREMY MAGGS: What you’re suggesting to me is that buying cyber insurance these days is not a cyber strategy.
MUHAMMAD ALI: Not at all. I think cybersecurity is in the top ten risks in most corporate blue-chip companies; and thinking that cyber insurance is going to protect them and their assets, it’s a misconception.
Cybersecurity insurance companies will assist you through a cyber attack, through a ransomware attack, but it does not guarantee that they will provide a payout, and that’s the misconception.
That is totally due to the fact that the organisations themselves have not read the terms and conditions and been able to fulfil their side of things, which is actually good governance when it comes to cybersecurity.
They are negligent and they are unfortunately not following the basic parameters of what cybersecurity is all about.
JEREMY MAGGS: Let me throw another big number at you. Ransom demands in South Africa have jumped to around R17 million. At that level, is cyber insurance still affordable or, Muhammad, even viable at this point?
MUHAMMAD ALI: Yeah, it would depend. I think there are multiple factors. If you look at denial of service, I think that is perhaps one of the key factors. If a cyber attack occurs with ransomware coming in, they can deny you from operating. So your production or operations may stop.
Now, depending on the number of days you are basically stationary, this can result in millions and millions of dollars, aside from the reputational damage.
If you are listed on a stock market, then – whether you are attacked or non-attacked – you have to inform the regulator of the attack, because that’s law. This can have significant reputational damage. I think you need to weigh up the investment and the return thereof.
If you are paying a significant amount on cyber insurance, you need to look at the attack or the downtime it can have, the impact it can have on your processes, your systems, your applications, your users, the data itself, whether there’s sensitive information, and the regulator getting involved.
It’s a catch-22, so I think it’s a good assessment to make to be able to determine whether the premiums you’re paying are actually worthwhile. But there are ways of reducing these premiums.
JEREMY MAGGS: Another trend is a move away from the annual audit to continuous assurance. I understand what you’re saying, but I would also ask whether most South African firms are technically capable of that shift.
MUHAMMAD ALI: Right now, as it stands, we do have a lack of skills, and we do have a lack of practical skills. I think that’s the key word.
A lot of people grow within the ranks quite quickly and they get into a leadership role, a management role, and there’s nothing wrong with that, but the technical ability to read firewall rules, to understand the network security parameters and to understand the default settings is not your golden or silver bullet.
You need to be able to be technically inclined to understand what types of threats there are, what types of vulnerabilities there are, and not only just keeping the basics of awareness throughout the users up to date, but it’s about keeping your systems and applications up to date.
I think there is a gap in South Africa when it comes to that understanding.
This is why we are where we are in South Africa, where we are sitting ducks, if you want to call it that, because ransomware attackers or cybersecurity attackers – you will see this around the world – look at South Africa from the healthcare perspective, from a banking perspective, or just from an industry perspective.
They see that we’re negligent or we do not have the necessary skills, so we become a threat or an easy target. I think we still need to educate ourselves and get the right skills and stop fooling ourselves by misinterpreting that we do know what’s going on.
JEREMY MAGGS: All right. Just a quick answer, as we come to the end of this conversation. If a chief executive officer or chief information officer is listening to this conversation and wants to avoid becoming part of that 40% that I mentioned at the beginning, what’s the one control then they need to get right immediately?
MUHAMMAD ALI: I think it’s very important to align yourself to an internationally best practice standard. That’s the first thing.
Now, your insurance firm doesn’t declare this to you, but whether it’s ISO 27001 or a NIST (National Institute of Standards and Technology) framework, if you align yourselves to that particular standard by effectively implementing the controls – and I recommend ISO 27 because you can get an independent, impartial, accredited certification that is recognised around the world – it helps you reduce your cyber insurance premiums drastically, sometimes up to 50%.
More so, with that standard, with your annual external audits and your rigorous internal audit controls, you will see that the awareness of users is going to improve because you are communicating the content of policies, and the actual policies that are embedded in your applications as security parameters are better understood.
Not only are you improving the posture of the organisation, but enhancing the individual in the organisation for their practicality in the real world so they don’t become a victim of credit card fraud or a cyber attack. I would suggest that would be your go-to standard as a CEO or an executive.
JEREMY MAGGS: Thank you very much indeed, Muhammad Ali, managing director of cybersecurity and ISO specialist at WWISE. Enjoyed talking to you. Appreciate your time.