The recent hack at one of SA’s largest insurers has been a wake-up call for many local businesses that have maintained a fairly relaxed approach to cybersecurity. As the biggest SA breach to date, it dominated the headlines, but the reality is that cybersecurity issues have been creeping up on us for some time, with an increasing number of businesses having been victims of “ransomware” attacks.
“It’s crucial for advisers to understand cyber risks, and how to insure against them,” says Bertus Visser, Chief Executive of Distribution at PSG Insure. “This is often easier said than done, however, as they are very different to traditional business risks, and the nature of cybercrime is continually evolving.”
“Cyber risks are often intangible and difficult to quantify, as the value of a loss depends on things like the nature and volume of the data compromised and the damages that have resulted,” says Visser. These could include:
- Loss of revenue
- Loss of intellectual capital
- Loss of competitive advantage
- Reputational damage
- Litigation from clients and third parties affected by the compromised systems or data
“These risks can lead to a host of costs for a company, such as the costs of IT specialists to contain the problem, or a forensic investigation to ascertain how the leak occurred,” adds Visser. There could also be legal costs and the cost of public relations specialists to limit reputational damage.
Then there are industry and regulatory fines and penalties to consider. “Under POPI, for example, if you accidentally send an email with personal information to the wrong person, this can be seen as an information breach and could trigger a liability,” he says. How an organisation responds to an incident is pivotal to reducing the damage of a breach to all concerned.
How does a cyber-attack happen?
Phishing is a major risk for individuals and businesses alike, with increasingly sophisticated tactics being used to fraudulently obtain sensitive information such as usernames, passwords and credit card details.
Breaches can also result from negligence, either by a company or its third parties, and from rogue employees who are looking to gain financially or to damage a company and disrupt its operations.
“Although cybercrime still seems a bit like science fiction to many of us, the reality is that it is becoming increasingly common,” he says. Cyber insurance to cover these risks does not normally form part of conventional commercial insurance, which usually only covers tangible assets.
“Cyber insurance needs to be purchased as a stand-alone policy, and is available in South Africa from a handful of specialist suppliers, who assist companies in identifying and pricing their cyber risks. The cost of a policy will normally relate to a company’s turnover, and the state of its IT infrastructure.”
Who needs cyber insurance?
Any business that has an online presence and that holds or accesses confidential data is at risk. In practical terms, that means most businesses today. Research suggests that there are as many as 1 million cyber-attacks across the globe every day, and South Africa is certainly not immune. Every business today needs to ensure it has the appropriate IT security measures in place – as well as the appropriate insurance cover.
“A discussion with an insurance adviser who has experience in this space will help you better understand these risks and how they could affect your business – as well as how to mitigate them,” says Visser.