The insurer’s dilemma: Cybersecurity as a threat and product

By Justice Peprah AGYEI

Technology can help secure systems and protect data, but it is culture that truly protects an organization. Continuous staff training, ethical data handling, and cybersecurity awareness must become part of an organization’s everyday way of thinking and operating.

People can either be the weakest point in cybersecurity or the strongest line of defense, depending on how well they are educated, empowered, and integrated into the organization’s security strategy.

Recent global cyber incidents have shown that cybersecurity is no longer just an IT concern; it is a major business and economic issue. Cyber failures today can threaten the survival of entire organizations. The WannaCry and NotPetya attacks, for example, caused billions of dollars in losses worldwide, with NotPetya often regarded as one of the most devastating cyber events in history.

Cyber risk did not emerge overnight. It evolved gradually from the early computer viruses of the 1980s and the Morris Worm in 1988, through the rise of organized cybercrime in the 2000s, to today’s environment of ransomware, state-sponsored attacks, artificial intelligence-driven threats, and widespread digital disruption.

Today, cyber risk goes far beyond hacked systems. It includes financial losses, operational disruption, reputational damage, privacy breaches, regulatory penalties, and even geopolitical consequences. Cybersecurity is no longer a future concern but it is one of the defining strategic risks organizations face today. The real question is no longer if a cyber attack will happen, but when.

For many years, organizations treated cybersecurity as a purely technical issue handled by IT departments through firewalls, antivirus software, and system updates. But cyber risk is fundamentally a business risk and management issue.

A single cyberattack can halt operations, damage shareholder confidence, trigger legal action, disrupt supply chains, compromise customers trust, and threaten the survival of a business. These are strategic business risks, not merely technical failures.

Cybersecurity today is about protecting enterprise value, institutional trust, and business continuity. For this reason, cyber risk should form part of Enterprise Risk Management (ERM) and receive attention at board and executive levels alongside financial, operational, legal, and reputational risks.

Cybersecurity leadership, including the Chief Information Security Officer (CISO), should have direct engagement with executive management and risk committees rather than operates solely within IT departments. Leading organizations across the world are increasingly adopting this governance approach.

This perspective was reinforced during professional training I recently attended in Malta, where discussions with global practitioners, regulators, and risk experts highlighted how many organizations, particularly in emerging markets still underestimate the scale and systemic nature of cyber risk.

The experience provided valuable insights into cyber resilience, digital threats, and the growing connection between cybersecurity, governance, and insurance. Cyber risk can never be completely eliminated. It must be actively managed, reduced, and, where appropriate, transferred. This is where cyber insurance becomes increasingly important.

Several global trends are reshaping the cyber risk landscape:

• Ransomware remains a major threat – Cyber extortion continues to drive significant losses, often combined with data theft and business interruption.
• Supply chain vulnerabilities are increasing – Attacks targeting vendors, software providers, and cloud platforms can affect thousands of businesses simultaneously.
• Artificial intelligence is changing cybercrime – AI is now being used for phishing, fraud, deepfakes, and automated attacks.
• Systemic cyber risk is growing – A single cyber event can now disrupt entire industries or economies at once.
• Regulatory pressures are increasing – Data protection and privacy laws are creating greater compliance obligations and financial exposure.
• Focus is shifting toward resilience – Organizations are moving beyond prevention toward recovery, continuity, and operational resilience.

In Ghana, digital transformation is accelerating rapidly through mobile money, digital financial services, e-government systems, and online commerce. While this growth presents enormous opportunities, it also increases cyber exposure.

Challenges remain, including limited cybersecurity maturity among SMEs, rising phishing and digital fraud, low cyber insurance adoption, and shortages of skilled cyber risk professionals. For Ghana, cyber resilience must now be viewed as an economic and national development priority, not merely a technology issue.

Cyber insurance has emerged as a specialised solution designed to address both first-party and third-party losses arising from cyber incidents. Coverage may include incident response costs, forensic investigations, data restoration, business interruption, ransomware response, crisis communication, privacy liability, regulatory defense costs, and legal settlements.

However, cyber insurance policies are highly dependent on clear disclosures, minimum security controls, timely reporting, and compliance with agreed conditions. Exclusions often apply to known incidents, fraud, weak security practices, and certain state-sponsored cyber events. In cyber insurance, policy wording is critically important.

At the same time, insurers themselves are increasingly exposed to cyber threats because they store vast amounts of sensitive financial, medical, and personal data while relying heavily on digital systems. This creates a unique challenge: cyber is both an insurance product and a direct operational threat to the insurance industry itself.

Cyber underwriting also remains one of the most complex areas in modern insurance. Insurers face challenges such as limited historical data, rapidly evolving threats, systemic exposure, pricing uncertainty, and difficulties in accurately assessing an organization’s cybersecurity maturity. Effective cyber underwriting therefore requires a combination of insurance expertise, risk management, and cybersecurity intelligence.

Looking ahead, organizations must stop treating cyber risk as an isolated IT problem. Instead, they must build a culture of cyber awareness, strengthen collaboration between the public and private sectors, improve resilience planning, and integrate cybersecurity into broader business strategy and governance frameworks.

Ultimately, cyber risk is no longer simply about technology. It is about economic resilience, institutional trust, operational continuity, and long-term organizational survival. Cybersecurity is no longer just about defending networks—it is about protecting the future of the enterprise itself.

[email protected]

References

1. Allianz Commercial. (n.d.). Global cyber risk trends and ransomware insights. Retrieved from Allianz Commercial
2. info. (n.d.). Cyber underwriting, pricing, and accumulation risk discussions. Retrieved from Actuary.info
3. Munich Re. (n.d.). Cyber risk and the evolution of cyber insurance. Retrieved from Munich Re
4. National Institute of Standards and Technology (NIST). (n.d.). Cybersecurity framework. Retrieved from NIST Cybersecurity Framework
5. World Economic Forum. (n.d.). Global cybersecurity outlook reports. Retrieved from World Economic Forum

Post Views: 45