Cybercrime is an ever-evolving key risk which companies ignore at their peril. With penalties and legal fees that can run into hundreds of millions, Justin Keevy, divisional executive at Marsh, says it’s time to cover all the bases.
In June, cybercriminals targeted a large South African financial institution and threatened to release confidential information should the company not pay the ransom. This company is not the first and they won’t be the last, warns Keevy. To repeat the now overworked phrase, it’s not if but when a cyber breach will occur.
“It’s imperative that a company has breach protocols and a response plan for when this happens,” says Keevy. “This includes IT and communication conventions that must be followed, and having access to a reputational consultant who can manage the ensuing damage to the brand,” he says. These services are covered as value-add services under some insurance policies.
And criminals don’t discriminate between companies, warns Keevy. “Virtually all industries are being targeted,” he says. Cybercriminals have shifted focus from credit card fraud to theft of data and cyber blackmail, he explains, which is the act of holding data hostage while attempting to extort money from vulnerable companies. In many cases, these companies are willing to put up the money to avoid the loss of data, IP and reputation. These breaches often come from unexpected sources.
Employees are among the biggest threats, often being the weak link where cybercriminals gain access to company data. “Social engineering, the short-term placement of staff within an organisation by a third-party syndicate, is on the rise,” says Keevy. Syndicates use these ‘employees’ to gather critical information, after which they launch an attack. These hacks typically occur about six months after the mole is no longer employed at the company.
It’s important to understand that these attacks don’t come from computer geeks armed with sophisticated computers, as often portrayed in films and media, but rather by automated programmes that run continuously to exploit weaknesses in people, businesses and governments, explains Keevy. Attacks can be executed from anywhere in the globe, he warns.
There is currently no legislation in place that requires companies to report data breaches, which makes it almost impossible to accurately pinpoint from where most of the claims in South Africa stem, but it will soon change with the implementation of the Protection of Personal Information Act (POPIA). “Once implemented, the Information Regulator may require that a business publicises a breach, as well as dictate the medium to which each affected user/customer/stakeholder is contacted,” says Keevy, “These costs could potentially run into millions.”
In South Africa, the majority of claims seem to arise from first party costs, which is primarily the costs of employing specialist IT forensic services in the event of a cyber incident, as well as business interruption as a result of income lost due to the unavailability of the IT infrastructure. “We are yet to experience any considerable liability claims for damages, whereby it can be proven that a financial loss occurred as a direct result of a security breach,” he says.
Businesses must start seeing cyber risk as a key enterprise and operational risk going forward, Keevy stresses. “We must ensure that effective IT controls, procedures and governance are in place to fight the constant war against the integrity of the IT infrastructure.” Should the controls fail, insurance will mitigate the outfall of critical business losses on the balance sheet, but it’s not a replacement for responsible cyber-risk practices, says Keevy.
While cyber liability insurance provides coverage for data breaches, insurers require that the insured implements the necessary security to protect such information. Moreover, data privacy legislation places the onus on custodians of personal information to ensure it is suitably protected, Keevy explains.
There are two insurance policies available to South African companies: commercial crime insurance, and cyber liability insurance. The first covers the direct financial losses to the insured’s business and the latter deals with all exposures facing computer networks and systems.
“Cyber liability insurance includes the liability attaching to businesses in rendering their services and giving advice to third-parties (particularly IT-related businesses), as well as the multimedia liability to which the business is held liable for statements made in its marketing and advertising efforts, which includes defamation and breach of copyright,” explains Keevy. This policy also covers security and privacy liability, such as legal defense costs, for which the business may be held accountable following a data breach; business interruption costs, which is often not covered by other insurance policies; breach of legislation, including the fines and penalties imposed on the business for not securing private information; crisis management costs; and data extortion, which includes the ransom amount paid to the hackers.
Both first- and third-party exposures are covered, and the liability component is only a module within the greater cyber offering, says Keevy. Generally, policies exclude bodily injury and property damage claims as a result of a cyber incident.
The role of the broker
The Protection of Personal Information Act (POPI), enacted in November 2013 (but not yet implemented), provides for fines up to R10 million, as well as prison sentences of up to 10 years. Victims of a data breach, or the Information Regulator, can file a civil liability suit against the company for the leak of private and sensitive information, says Keevy. “The financial implications of the fines and civil suit could potentially cripple a company.”
Businesses may also be subject to international privacy laws if they are transacting across borders and have assets in other jurisdictions. “The administrative fines resulting from breaches of privacy data laws can be insured, where such losses are permissible by law,” he says. In addition to all of the above, if a business transacting with debit and credit cards experiences a breach, it may also be liable for a fine by the Payment Card Industry Data Security Standards Council for failing to adequately secure financial information. “Taking into consideration the weak rand, and that these fines are dollar-based, it's clear that a loss of this nature could severely traumatise a business,” says Keevy.
With a better understanding of the organisation's vulnerabilities, it's easier to begin the process of developing policies and putting systems, training, and insurance in place to mitigate the risk of a data breach and the potential fallout that will unquestionably occur, he says.
“The incredible pace of technology-based innovation has produced huge dependencies and interconnectivities of companies and organisations around the globe,” says Keevy. “This has brought about great efficiencies and enhanced business practices, but has also created a wave of new problems: cyber-crime, media liabilities, and a heavy reliance on the uptime of a network, among many other issues.” In this environment, businesses continue to face new business exposures driven mainly by ever-changing e-commerce laws.
“Cyber liability to third parties, network security, commerce network/business interruption and loss of data are just some of the new liabilities clients need to build into their risk management and risk transfer strategies, of which traditional insurance is ill-equipped to address,” explains Keevy.
Cyber risk is a specialised class of insurance, one that is also constantly evolving as criminals seek new ways to gain access to company data and/or money. “Businesses are advised to employ the services of an expert broker who knows the industry when exploring the various types of risk transfer mechanisms available to businesses, both from a South African and international perspective, to ensure adequate coverage is placed, both from a product and limit perspective,” he says.