Cyber risks for companies escalate

Bertus Visser, Chief Executive of Distribution at PSG Insure
Bertus Visser, Chief Executive of Distribution at PSG Insure

In the last month alone, Johannesburg’s City Power, Transnet and a number of large South African firms fell victim to major cyber-attacks. These are just the latest additions in a rising tide of high profile local cyber-attacks over the past two years. However, these well documented attacks are only just scratching the surface. With the Protection of Personal Information (POPI) Act 4 of 2013 having come into full effect at the start of July, South Africans are likely to see the full impact of cybercrime for the first time.

Bertus Visser, Chief Executive of Distribution at PSG Insure, says that many companies were still taking a lax approach to cyber security before POPI came into full effect. “Data breaches have been massively underreported to date, and it is possible many businesses opted to sweep cyber incidents under the carpet until now. Now that disclosure is a legal requirement that will be actively enforced by a regulator, we expect to see a huge spike in reported incidents, however this poses its own set of risks that businesses will have to protect themselves against.”

Visser explains that businesses need complete cyber-risk management strategies that encompass much more than simply taking out cyber insurance. “More businesses will need good cyber insurance policies. However, these policies only cover first- and third-party losses as well as some regulatory exposures. In order to adequately manage the risks that cybercrime poses, businesses will have to consult with their advisers to develop a well-planned all-encompassing strategy.”

He points out that this begins by taking a closer look at the potential damages to a business. “Third party claims and regulatory fines are just part of a company’s total losses. Business interruption and damages to physical assets are insured under different policies. As businesses increasingly move their operations online, the potential secondary losses have increased in severity. Businesses therefore need to review their insured amounts across all of their policies, bearing in mind that a single cyber incident could trigger a number of policies at once.”

Next, cybersecurity training is crucial. “The human element is still the greatest threat to cybersecurity, and it’s unlikely insurers will cover incidents of pure negligence. Ensuring that all employees and contractors are educated and informed on the latest cyber security attacks and trends is vital. Many IT service providers offer basic cybersecurity training for staff, and it can even be included as an add-on to cyber policies.”

Lastly, he says that regularly reviewing cyber risk management strategies is crucial. “Cybercrime is evolving at a frightening pace, so it would be prudent for businesses to revisit their risk management procedures at least twice a year.” With POPI now in full force, Visser says that this may be the catalyst that could finally set businesses on the right path toward becoming truly cyber-resilient. “Business owners should speak to their adviser to ensure they have all the right risk mitigation measures and policies in place to safeguard their business against cybercriminals and any potential liability following an incident,” he adds.

Visit the official COVID-19 government website to stay informed: sacoronavirus.co.za