South African companies have suffered several cyber-crime incidents over the past few years, yet local businesses are still reluctant to insure against this risk.

Roy Wright, head of risk solutions at financial advisory group GTC, believes there are two primary reasons for this: “Many businesses are aware of cyber-crime, but they – especially small and medium enterprises (SMEs) – erroneously believe their organisations will not be targeted.

“There is a perception that this risk is more prominent in large businesses or those operating within developed markets, whilst other companies tend to believe their IT security systems are sufficiently robust to either prevent or recover easily from an attack, and therefore do not see the need for specific cyber insurance,” he says.

“Both these arguments are flawed, especially when one considers the number of cyber-crime incidents that have occurred in South Africa recently.”

During October 2017 it emerged that more than half of the population’s identity numbers had been leaked in South Africa’s worst data breach recorded. This was discovered by Troy Hunt, an Australian internet security expert and was the biggest national breach to date, affecting some 30-million South Africans.

Earlier in the year, several international organisations – including the National Health Service in the UK as well as several South African firms – had fallen victim to a global ransomware attack, also compromising millions of people’s sensitive personal information.

“These incidents have certainly made more businesses and organisations aware of cyber-crime but have not yet resulted in these same businesses taking out insurance to protect against this specific risk,” he says. “A significant change in local business owners’ mindsets is needed.

“Any organisation that has any form of client data storage or online point-of-sales system is potentially at risk. South Africa may be an emerging market, but our financial systems are highly sophisticated and globally connected, making South Africans’ data particularly valuable to cyber attackers.”

Meanwhile, a survey by CareersinAudit.com has shown that 90% of SMEs globally are vulnerable to cyber-attacks and other information technology (IT) threats.

“This is largely due to the fact that many SMEs do not have their own dedicated risk management teams or systems, as is the case with many larger organisations. These functions are often outsourced to third-party service providers. Risk management systems may therefore not be specifically designed for the business’s needs and subsequently not optimal for the organisation,” says Wright.

Despite this evidence, most businesses choose to rely on their IT teams to prevent and rectify any cyber-crime incidents and its effects.

“Companies must realise that cyber-crime is not an IT risk, but rather an enterprise risk which requires specific risk management strategies and mitigation plans – similar to business plans against damage to, or loss of, physical infrastructure. The decision to insure against cyber-attacks does not mean management doesn’t have faith in their risk management systems or IT departments – rather it is a way to protect a business against the associated effects following an attack,” he explains.

Areas of concern where cyber-insurance would assist a business’s recovery would include: loss of income due to systems outages, the cost of identifying and rectifying the breach, the cost of litigation following a breach, and possible extortion from ransomware attacks.

Wright believes ransomware attacks – which involve data hackers obtaining an organisation’s data and threatening to expose confidential information unless a ransom amount is paid – have become particularly popular globally due to the rise of cryptocurrencies, which are untraceable and therefore largely irrecoverable.

“Attackers can now be even more anonymous by demanding cryptocurrencies as ransom, instead of hard currency that would have a banking paper trail.”

Furthermore, the introduction of legislation to ensure greater protection of one’s personal data, such as the General Data Protection Regulation (GDPR) in the EU, and the Protection of Personal Information (POPI) Act in South Africa, is likely to increase the demand for cyber-insurance given the increase in the cost of attacks, as this insurance field begins to draw attention and gain traction, given the requirements of these pieces of legislation.

“The POPI Act will be a significant game-changer in the way businesses think about cyber-crime here in South Africa, as it will obligate companies to report and publish any data breaches when they occur. Coupled with this, organisations must release the strategies they have employed to rectify the breach, as well as all plans to mitigate against such risks in the future. Companies that fail to comply with these requirements, will be issued with fines, which will significantly impact small to medium businesses.”

The publication of data breaches – anticipated to be effective within the next 12-18 months – is likely to have ramifications for many organisations.

“Clients who become aware that companies have experienced a breach of their confidential personal information, especially those holding sensitive data, such as medical and banking records, often become wary of continuing business with these same defaulting organisations,” says Wright.

The social media group Facebook saw a clear demonstration of this when many businesses withdrew advertising commitments from the platform following the widely publicised Cambridge Analytica scandal.

“Regardless of how good a business’s IT team is, or how simple it believes its operating systems are, the consequences of a cyber-attack can be devastating on any organisation should they not be adequately prepared for it. Just like vehicle and home insurance gives the insured the ability to repair or replace a car or home contents, so cyber insurance provides businesses with the ability to become operational again as soon after an attack as possible. Many businesses aren’t aware that traditional insurance does not extend to cyber risks,” he explains.

While cyber insurance is a relatively new concept having been around for less than ten years, there are several product variations available locally, ranging from basic liability protection to extensions that cover social media risks, the cost of data recovery, and the cost of reputation management due to a data breach.

Wright acknowledges that the insurance industry can do more to demystify the concept of cyber insurance, given the modern nature of this risk.

“Since the concept was first introduced, we have seen insurance companies working hard at simplifying the application forms, making it easier for businesses to understand their risks and the plans in place to mitigate these risks,” he says.

Similar to the way traditional insurance operates, businesses can reduce their risk – and therefore premiums – if they have robust risk management and mitigation systems in place, explains Wright. Examples of these systems include certification for applications and websites, as well as password protection policies and firewalls.

He anticipates that, regardless of advances in risk management, cyber-crime will become more prevalent in the foreseeable future.

“As the world becomes more connected globally and hackers become increasingly sophisticated, there are bound to be more incidents of cyber-attacks targeted at all levels and sizes of organisations. Hopefully the impending privacy legislation will be a wake-up call to companies to give due consideration to this enterprise risk,” Wright concludes.