Understand cybercrime and insure against it
The recent hack at one of SA’s largest insurers has been a wake-up call for many businesses that have maintained a fairly relaxed approach to cyber security.
As the biggest South African breach to date, it dominated the headlines, but the reality is that cyber security issues have been creeping up on us for some time, with an increasing number of businesses having been victims of “ransomware” attacks.
It is crucial for advisers to understand cyber risks, and how to insure against them.
This is often easier said than done, however, as they are very different from traditional business risks, and the nature of cybercrime is continually evolving.
Cyber risks are often intangible and difficult to quantify, as the value of a loss depends on things like the nature and volume of the data compromised and the damages that have resulted. These could include:
Loss of revenue
Loss of intellectual capital
Loss of competitive advantage
Reputational damage
Litigation from clients and third parties affected by the compromised systems/data
These risks can lead to a host of costs for a company, such as the costs of IT specialists to contain the problem, or a forensic investigation to ascertain how the leak occurred.
There could also be legal costs and the cost of public relations specialists to limit reputational damage.
Then there are industry and regulatory fines and penalties to consider.
Under POPI, for example, if you send an e-mail with personal information to the wrong person, it can be seen as an information breach and could trigger a liability.
How an organisation responds to an incident is pivotal to reducing the damage of a breach to all concerned.
How does a cyber-attack happen?
Phishing is a major risk for individuals and businesses alike, with increasingly sophisticated tactics being used to obtain sensitive information like usernames, passwords and credit card details.
Breaches can also result from negligence, either by a company or its third parties, and from rogue employees looking to gain financially or to damage a company and disrupt its operations.
Cyber insurance to cover these risks does not normally form part of conventional commercial insurance, which only covers tangible assets.
Cyber insurance needs to be purchased as a standalone policy, and is available from a handful of specialist suppliers, who assist companies in identifying and pricing their cyber risks.
The cost of a policy normally relates to a company’s turnover, and the state of its IT infrastructure.
Who needs insurance?
Any business that has an online presence and holds confidential data is at risk.
Research suggests that there are as many as a million cyber-attacks worldwide every day, and South Africa is certainly not immune.
Every business today must ensure that it has the appropriate IT security measures in place – as well as the appropriate insurance cover.
A discussion with an insurance adviser who has experience in this space will help you better understand these risks and how they could affect your business – as well as how to mitigate them.
Bertus Visser is chief executive (distribution) at PSG Insure