Breaches are escalating with increasing intensity, and with more sophisticated malware than ever before. All businesses and governments face this growing threat, and are looking for ways to protect their assets, both information and financial.
Moreover, while many businesses both large and small have taken measures to implement cyber security solutions, they face a growing problem, because as attackers become more sophisticated, they are using online distribution channels and other third-party partners to target their victims.
According to Sarel Lamprecht, MD of Phishield, the world’s first cyber insurance policy, this has driven a need for insurers and insurance brokers to raise awareness, promote their cyber insurance products, and educate businesses as to what is covered in the event of a breach. “Of course, insurance is only one link in the security chain,” he adds.
“To manage risk properly, businesses need to have other measures in place, such as tools, procedures, policies and compliance. They need to remember that having insurance in place is not an ‘instead of’ security solutions, but rather an ‘in addition to’. It is a vital part of a company’s overall risk posture.”
While banks and other organisations that handle their customers’ most sensitive data are generally better equipped to assess cyber risks, and understand the potential fallout, most of South Africa’s businesses are not, he says. “The modelling of cyber risk has been tricky due to a dearth of available data, as well as a multitude of factors that are difficult to quantify.”
However, he says there are other approaches to valuing the risk of a breach including using stress and penetration testing. “Most cyber policies will offer direct loss and liability protection for risks that go hand-in-hand when utilising technology and data. Policies can also be expanded to include costs associated with business interruption or downtime. At an executive level, where regulatory and compliance concerns play a role, a wider understanding of cyber risk is needed, including the potential impact, and ways to mitigate it.”
Lamprecht says in South Africa, the adoption of POPI is forcing businesses to boost their cyber liability plans as they try to get a handle on the true impact a breach could have on their organisations. “Many businesses haven’t a clue that a security event has even occurred until months down the line. They also struggle to put a price tag on the damage a breach has caused – sums that can run into the millions.
“The costs come in many forms – from the forensic investigation, to downtime, to letting customers know and the resulting loss of confidence, third-party losses, as well as penalties and fines imposed by regulatory bodies.”
All businesses are vulnerable, he says, and SA is no different. “This digital era we live in has brought many benefits in terms of efficiencies, innovation and similar, but this comes with a whole new slew of risks and vulnerabilities. Fraud happens more often than not in cyber space these days, and companies need to ensure their insurance will cover incidents of this nature.”
Moreover, he says businesses must ensure their risk management posture is top-notch, and updated to handle the growing scourge of breaches. “This should include introducing penetration and stress testing, as well as having a thorough recovery plan in place that unites all the different business units.”