Statistics show that there are over 1,5-million cyber-attacks every year, or 4 000 every day, although experts believe these figures are dramatically under-reported as most victims of cyber-attacks would prefer to keep the news under wraps.
In our Internet-connected society, cybercrime is a very real threat to any business or institution, regardless of its size or the nature of its business, that has a network and an internet connection and holds sensitive or personally identifiable data.
This is according to Kerry Curtin, manager: financial institutions and professional risks at Aon South Africa, who says: “The threats don’t just stop with commercial entities – 47% of American adults had their personal information stolen by hackers in 2014 largely as a result of data breaches at companies that held such personally identifiable data.
“Hacks targeting commercial entities that hold sensitive consumer information are on the increase and personal identities are being stolen largely for credit fraud.
“In 2013, the US racked up a staggering $18 billion in credit fraud using stolen identities. McAfee estimates that the annual global cost of cybercrimes could be over $400 billion, while a UN study found that digital theft affects anywhere up to 17% of the online population.
“Closer to home, the 2015 Security Summit held in Johannesburg showed that South Africa suffered from the most cyber-attacks in Africa,” he adds. “According to reports South Africa is the third worst in the world when it comes to cybercrime attacks. A study conducted last year revealed that South Africa’s annual loss due to cybercrime is estimated at almost R3-billion, and growing.”
Many small and medium businesses think that they are not likely targets for a cyber-attack, believing that only large corporates, banks and government institutions appeal to cyber criminals.
The reality is that any entity that conducts any aspect of its business online and holds any sensitive data – employee or client records, banking and payment details of staff, customers or its own, market strategies or financials, payroll information, medical or academic records or any other sensitive data – is a potential target.
The Canadian Government’s “Get Cyber Safe” initiative states that 40% of a small business’s worth is derived from the data that it owns. 90% of small and medium-sized businesses surveyed believed that a hack of their data would have catastrophic consequences for their business, while 50% did not think that they were a target for cyber criminals.
Yet 40% of all cyber-attacks in 2011 were on small and medium-sized businesses – most likely because their less robust security measures, policies and firewalls make them easy pickings for hackers.
Who can forget the Ashley Madison data breach when hackers released the details of some 32 million men and women to various internet sites? It was particularly sensitive since the sole function of Ashley Madison is to hook up married people who want to have extramarital affairs.
While 32-million records may sound huge, the list of biggest data breaches is still topped by Adobe, where 152-million customer passwords were stolen in 2013.
More recently, the Panama Papers saw the leaking of 11,5-million files from the database of the world’s fourth largest offshore law firm, Mossack Fonseca, detailing how some of the world’s richest and politically connected individuals use secretive offshore tax regimes.
In February 2014 a sophisticated global cyber-attack affected more than 100 banks in 30 countries. In May 2016, Standard Bank confirmed it was the victim of a sophisticated and co-ordinated fraud incident involving ATM withdrawals in Japan costing the bank over R200-million.
While many cyber-attacks are aimed at accessing sensitive data for dubious activities, others are designed to incur a direct financial loss as in the case of the banks, but all are a result of a security breach over a company network.
A cyber-attack can also be just as physically disruptive to a business as a natural disaster or terror attack – think of critical operations in a hospital, airport or power station, all operated via computer networks and sophisticated software, falling into the wrong hands.
Data breach versus financial loss
While existing forms of insurance sometimes carry a level of coverage, they were not intended to cover the many risks associated with an increasingly digital world. Standard policies are often inadequate to cover the likely cost of even a more “standard” security breach, let alone a cyber-attack or ‘hacktivism’.
Only specialist cyber insurance policies provide extensive cover.
“In particular, ensuring your business is appropriately insured in terms of the type of losses it can suffer as a result of a hack is paramount. These incidents highlight the importance of risk management coupled with properly scoped insurance covers, with many assuming that a direct financial loss would be covered under a cyber insurance policy.
“There is still a sense of mystery as to what cyber-risks policies actually cover and there is the assumption that direct financial losses would be covered under a cyber policy.
“However, this is not the case as cyber policies cover loss of data and security protection specifically. A data breach would be covered under a cyber-risk policy, but a direct financial loss would be catered for under either a blended financial lines policy which includes computer crime cover as well as fraudulent internet transactions, or a commercial crime policy which also provides computer crime cover,” explains Kerry.
Most cyber policies cover first party costs and any resultant liability (third party) arising from a loss of data or a breach of network security – with data being defined as personally identifiable data and corporate information.
First party costs include legal and IT services, data restoration costs, reputation management, notification costs to all affected data subjects, credit and ID monitoring, cyber extortion and loss of profits following from a network interruption.
Third party costs include damages and defence costs arising from liability to others following from theft or manipulation of data held in your care, custody and control.
The loss suffered by the banks, however, is a tangible financial loss caused by a third-party infiltration into the bank’s computer systems. This type of financial loss, although a result of cybercrime, is catered for under a computer crime policy.
Financial institutions purchase what is known as blended financial lines policies which include computer crime cover as well as internet transactions. The coverage is also available under a commercial crime policy which covers employee dishonesty and computer crime.
“As our digital connectivity continues to grow and more entities conduct aspects of their business online, the threats are likely to grow exponentially. Regardless of size or status, no business is safe from hackers, unless it includes security as its ultimate priority,” says Kerry.
“There is no one size fits all approach to cyber risk insurance. It all depends on the size of the company, nature of its business and its unique levels of exposure. In this regard, consulting with a professional risk advisor is an invaluable exercise in assessing your exposures, developing a risk mitigation strategy and transferring that risk to an insurer in order to protect your reputation, data, clients and bottom line.”