According to the 2016 PwC Global Economic Crime Survey, 32% of South African organisations have experienced cybercrime, a figure which is said to be increasing rapidly, as at least 57% of respondents believed they would be affected by cybercrime within the next two years. Yet even as the number of cyber-attacks continues to rise, South African companies still seem to be dragging their feet when it comes to regulatory and security compliance, and remain unprepared for cyber liability risks, writes Simeon Tassev, director and QSA at Galix Networking.
Should a breach occur, businesses face not only reputational damage but also the very real possibility of expensive lawsuits, large fines and the post-incident costs of auditing the system to ensure that vulnerabilities are addressed. It is no longer possible to ignore the need for security measures coupled with effective cyber insurance policies to adequately protect the company and ensure business continuity.
What is at stake for businesses?
While most coverage in the media on cybercrime has focused on how cyber-attacks affect people on a personal level (identity theft, credit card and medical fraud), cybercrime can have a massive impact on business too. Consider the impact of a loss of corporate data or information like intellectual property and proprietary information: what would happen if this data or information fell into the hands of a competitor or cyber-extortionist?
The risks faced by individuals (as sole proprietors) and by business entities are the same, and include system unavailability and downtime, loss of revenue, loss of data, reputational damage and the costs associated with reducing the impact of a breach.
There is also the immeasurable loss of competitive advantage, on top of the additional burden of industry and regulatory fines and penalties and the possibility of litigation (including costly forensic investigations) that might arise from compromised data.
Despite these risks, only 35% of respondent organisations have implemented a cyber incident response plan, which means that the majority of South African businesses are unprepared for cyber threats and possible liability.
Cyber insurance is meant to cover an organisation from these risks and such cover is gradually becoming more readily available in South Africa. In order to effectively utilise the cover provided, companies need to meet the insurance provider’s security prerequisites and the basics need to be in place. This includes end-point protection, perimeter protection and some form of logging or auditing activities in the business environment, which provides the basis on which claims are investigated.
Once all of these controls and security measures are in place, there might be a tendency to question the value of cyber insurance when the risk has already been greatly reduced. Here, it’s important to bear in mind the value of such insurance and what it covers.
Benefits of cyber insurance
Cyber insurance can provide cover for event management in order to respond to a security failure or breach. It includes the payment of costs for services to assist in managing and mitigating a cyber incident such as forensic investigations and legal consultations.
Cyber extortion insurance responds to the threat of intentional security attacks against a business by an outsider attempting to hold business data to ransom, and includes the costs of an investigation to determine the cause of the threat. Network business interruption insurance is appropriate where loss of income and operating expenses are incurred as a result of a company's operations being interrupted or suspended due to a network security failure.
Most importantly, cyber insurance cover includes access to expert consultants to deal specifically with digital forensic investigation, IT risk management and data recovery, reputational risk and specialist legal services. The right cyber insurance policy should cover first party expenses and take into account the actual costs of recollecting and replacing data, as well as expenses related to employee overtime, rented external equipment and services.
This policy must cover the loss of business income, the notification expenses necessary to comply with privacy legislation, any crisis management expenses and possibly regulatory fines and penalties.
Just how big can these costs get? At least 3% of the respondents in the PwC Global Economic Crime Survey that were victims of cybercrime experienced financial losses greater than $100 million and 27% experienced losses between $1 and $50 000. Perhaps even more sobering is the fact that 14% of respondents did not know or were unable to quantify their financial losses even though they had been victims of cybercrime.
When one thinks about all of the losses and costs just mentioned, the need for such cover becomes painfully obvious, especially for smaller to medium enterprises that would not be able to carry these costs alone.
While policies may vary when it comes to terms and conditions, businesses need to ensure that the coverage provided will meet their risk profile needs. At the same time, companies need to invest in risk management and proactively enhance their cybersecurity position.
Without the basics in place, companies are unlikely to get adequate insurance coverage. Security measures such as regular back-ups, incident response, business continuity plans and employee awareness training need to be in place from the outset. Too many organisations are suffering cyber losses because they did not get the basics right.
This is mostly due to insufficient executive board involvement, or to poor system configurations that result in inadequate controls over third parties with access to the network; either way, companies are vulnerable without being aware of the danger. Cyber threats must be understood and planned for in the same way as any other potential business threat or disruption.
The company should have a response plan detailing roles and responsibilities, a monitoring and scenario plan, and the appropriate levels of insurance cover for maximum protection.