The majority of businesses in South Africa are aware of the risks of cyber-crime, but very few of them have adequate – if any – cover to protect their organisations in the event of a cyber-attack.
“A report by AT Kearney, Global Management Consulting Firm, has revealed that South Africa is the third most vulnerable country in the world for cyber-attacks, and the most vulnerable in Africa,” says Roy Wright, head: risk solutions at financial advisory and wealth management business GTC. “Cyber security is a real business risk that can affect a company of any size anywhere in the world, but too few local companies are taking steps to insure their organisations against this risk.”
Grant Thornton’s recent International Business Report on cyber security reveals that 88% of businesses in South Africa have identified exactly where all their data and information resides within the organisations.
This shows businesses are aware of the need for cyber security, but Wright says this is not enough, adding: “Cyber-crime is a modern threat that requires new thinking and solutions for the risks it adds to a business’ operations. Traditional insurance policies provide cover for physical threats, but not the intangible losses caused by cyber-crime.”
A cyber-attack can manifest as either a data breach by criminals hacking into a company’s systems and obtaining information, or through ransomware, which involves the theft of a business’ data in exchange for monetary compensation. The recent “WannaCry” ransomware attack earlier this month is a case in point. The attack locked up hundreds of thousands of computers in more than 150 countries and affected factories, hospitals, schools and shops globally.
“In both cases of cyber-attack, companies would face several costs, including investigation costs to ascertain where and how the system became vulnerable; restoration costs to fix the system; and loss of income due to not being able to operate,” Wright explains.
The Financial Advisory and Intermediary Services (FAIS) Act stipulates that financial advisers are required to have a full understanding of clients’ needs. Wright cautions that before any recommendations can be made regarding appropriate cover, advisers need to be authoritative on the insurance products and regulations available. They must also be knowledgeable as to a client’s specific industry, electronic data and cyber cover requirements.
In addition to the losses which companies could suffer, they also run the risk that their own clients are compromised through any cyber-attack. This could result in serious liability claims against a company.
“If clients’ data and information ends up in public or in the hands of a competitor, they have a right to sue a business in the event of fraudulent activities or loss of income. These cases could become extremely lengthy and costly,” says Wright.
He also cautions businesses to think carefully about how they secure clients’ personal data and information. South Africa’s Protection of Personal Information Act (POPI), was signed into law by President Jacob Zuma in 2013, and is expected to be fully operational by December this year. The POPI Act regulates how anyone who processes personal information – such as ID numbers, telephone numbers and addresses among others – must handle, keep and secure that information. It carries strict and substantial penalties for contravention including prison terms and fines of up to R10-million.
“The long-term – often intangible – cost of reputational damage for any company, emanating from any cyber-attack could be crippling,” Wright concludes.