Cyber risk major fear of SA insurers
PwC releases fifth industry report
SOUTH Africa was behind the developed world in its ability to deal with cyber threats as it lacked regulation and capacity to address the risk, PwC directors said yesterday.
Presenting their fifth “Banana skins” report, which articulates the risks identified by the insurance industry, Victor Muguto and Sidriaan de Villiers said cyber security threats had risen to the top of the 25 items list of risk factors and that it now needed more than being left to information technology (IT) professionals.
They said the extent of damages and costs to the insurance industry, as well as other sectors, could not easily be quantified because organisations were not required to report incidents and, therefore, statistics were not easily available.
“It’s a boardroom issue that can’t just be left to IT professionals in the organisation; this needs to go to the top of the business agenda and that’s the kind of message we are trying to push. Boards need to take the lead in addressing the new highlighted risk,” Muguto said.
Cyber risk was ranked as the number one concern by insurers in South Africa, and ranked fourth on the combined global survey. Local organisations faced cyber attacks on a daily basis, the PwC directors said.
“All organisations in the industry are potential hacker targets. If you talk to financial services companies, there are daily attempts to penetrate their organisations – therefore, the risk is real,” Johannes Grosskopf, a PwC director, said.
They said South Africa was late in dealing with the threat compared with other countries, unlike in the UK for example, where the government supported and assisted with cyber security awareness campaigns, projects to build cyber security capacity, and so on.
“It’s a very difficult (devel- oping) area to scope, even from a non-life insurance perspective, where they would want to insure companies against the risk; the fact that cyber risk has moved to the top of the list means that it should now receive the right kind of attention,” Muguto said.
“We are behind the world in the regulatory framework to deal with this problem. In other countries, there is specific legislation in place to deal with cyber security. An example is the privacy legislation that has been in place in European countries for a while, while South Africa is only now busy implementing the Protection of Personal Information Act (POPI),” he added. “Once POPI has been implemented, organisations have to promptly report breaches… to the regulator and to each data subject.”
It’s a boardroom issue that can’t just be left to IT professionals… this needs to go to the top of the business agenda.
PwC’s Banana Skins survey, conducted since 2007, is produced in association with the Centre for the Study of Financial Innovation. The survey polled 806 participants in 54 countries. Of the participants, 35 were in South Africa out of a total 42 from Africa.
Other risks include regulation, the macro-economy, distribution channels, human talent, change management, business practices, reputation, investment performance and political interference, among others.
Regulatory risk emerged as the overall global risk for participants in the survey for the third successive time, underlining the deep impact regulatory change is having on the industry.