In today’s interconnected digital landscape, businesses in South Africa face significant risks from third-party data breaches. When an external partner or service provider suffers a breach, the repercussions can ripple across the entire business ecosystem.
“These breaches not only compromise sensitive information but also erode trust and expose companies to legal and financial liabilities. The impact on customers can be profound, leading to identity theft, financial loss and a sense of insecurity,” says Fisokuhle Nkosi, Head: Professional Indemnity at iTOO Special Risks.
“As cyber threats evolve, businesses must prioritise robust data protection measures and cultivate resilient relationships with their third-party partners to safeguard their operations and customer trust.”
She explains that for big corporates to engage with third-party suppliers or service providers, these third parties must have cyber coverage and professional indemnity insurance. Cyber coverage ensures that the third party can manage and mitigate the financial impact of a data breach, demonstrating robust risk management practices.
“Professional indemnity insurance protects against claims of negligence and errors or omissions, providing financial security and maintaining trust. These insurance policies are often prerequisites, ensuring that both parties are safeguarded against potential risks and liabilities,” she says.
Earlier this year, a major South African pharmaceutical retail chain avoided a potential fine of up to R10 million for not taking the necessary steps and measures to secure its customers’ private data. About 3.6 million data subjects’ records were accessed from the retailer’s e-statement service database, which was managed by a third party.
The Information Regulator subsequently found that the pharmacy chain had complied with an enforcement notice issued against it in September 2023, which demanded the company take certain steps to address its failure to protect customers’ data or face an administrative fine of up to R10 million.
Following an investigation into the attack, the regulator determined that the retailer had – among others – failed to “enter into an operator agreement with [the third party] and ensure it had adequate security measures to secure personal information in its possession”.
“Cases like this serve as a stark reminder that third-party service providers can be held liable for cyberattacks that affect their clients’ data in South Africa. In other words, third-party service providers can face legal claims and financial penalties if they fail to protect client data adequately,” says Ryan van de Coolwijk, Business Unit Head: Cyber, collectables, aviation, drones and digital distribution at iTOO.
“This underscores the importance of robust cybersecurity measures and comprehensive cyber liability insurance for third-party service providers.”
He also notes that this demonstrates how crucial it is for third-party service providers to have robust cybersecurity systems and expertise to protect their clients’ data. A breach can lead to significant financial and reputational damage for both parties.
“However, many Small and Medium Enterprises (SMEs) in South Africa struggle to afford state-of-the-art security solutions due to limited budgets. They often prioritise other aspects of their business over cybersecurity, leaving them vulnerable to cyber threats. Affordable solutions like basic cyber hygiene practices, employee training and managed detection and response services can help bridge this gap,” says van de Coolwijk.
“It is crucial for companies that share data with third parties to ensure those third parties have adequate cyber and data protection coverage. If something goes wrong, the company wants to know they are protected. This coverage does come at a cost, but it is an important risk mitigation measure.”
He notes that there has recently been a noticeable rise in incidents, leading companies to require their suppliers and third-party providers to have proper cyber coverage before doing business with them.
“Smaller companies may overlook the need for sophisticated security measures and cyber coverage, thinking they are not a target. However, they are just as vulnerable and need to prioritise these protections, especially when sharing data with third parties,” he says.
“The key is balancing the cost of coverage with the potential risks and liabilities that can arise from data breaches or cyber incidents involving third-party providers. Acquiring a baseline level of cyber coverage helps to protect the company’s interests.”