The recent data breach that made the details of nearly 31 million South Africans available on the internet has once again brought the issue of cybersecurity to the forefront. New research from the Cyber Intelligence Research Group, released in October 2017, has also shown that South African businesses are particularly vulnerable to cyber threats.
This is according to Gillian Wolman, Head of Litigation at RBS (Risk Benefit Solutions Pty Ltd), who points out that the Cyber Exposure Index has ranked South Africa as one of the top three countries most exposed to cyber risks.
According to the report, industries with the most exposure to cyber risks include the materials, industrial and financial sectors.
“For South African business owners this should be a clear indication that they need to take their company’s cybersecurity and cyber liabilities very seriously. If not, the financial and reputational damages that they could suffer are substantial. Under South Africa’s Protection of Personal Information Act (POPI), companies or their directors that neglect their cybersecurity could face up to a R10 million fine or 10 years imprisonment.”
Wolman states that ransomware attacks, which encrypt company information and effectively hold it hostage, have become a common form of cyber-attack. While no data is taken off a company’s servers, businesses in possession of personal information face the same possible penalties under POPI.
Another issue that business owners need to be aware of, according to Wolman, is the emerging risk to companies’ physical security. “Security camera systems are increasingly connected to the internet, and there is a growing number of cloud-managed surveillance systems that allow business owners to monitor their premises remotely. Earlier this year, researchers at the Ben-Gurion University of the Negev (BGU) showed how security cameras infected with malware can receive covert signals and be used to leak sensitive information.”
In terms of risk management, every business has to put well-thought-out processes in place, Wolman explains. “Having the proper procedures ready, and making sure that they are managed properly, are paramount. The liability that companies face if they do not have these could easily send them into liquidation.”
Wolman adds that employee education is also very important. “Often the source of a breach is as a result of employees who did not follow the right security procedures. Everything from which devices employees are allowed to use on the company network, to how they manage their passwords, must be outlined.”
Lastly, Wolman points out that a transfer mechanism in the form of an insurance policy is vital. “Cyber claims are not covered under traditional insurance policies. Policies such as general liability, business interruption and computer all risk cover are only triggered by claims where there is physical damage. Professional Indemnity provides limited cover for third-party data loss, but generally only in relation to the provision of professional service.”
“Companies require dedicated cyber policies that cover first party expenses, loss of business income, notification expenses, crisis management expenses as well as the associated regulatory fines,” says Wolman.
She adds that business owners need to keep in mind that any insurance policy will have its terms and conditions, and companies are only adequately covered if their risk management procedures are up to standard. “Up-to-date security software, proper password protection and the right data security procedures are all the company’s own responsibility.”
“Cybercrime has now become one of the biggest threats facing all organisations no matter how big or small and the prospect of any business falling victim to some form of cyber-attack is inevitable. The risk of operating without cybercrime insurance has also become much too high, and business owners will need to put serious thought into how they are going to cover themselves,” concludes Wolman.