printer friendly version

Cyber risks for companies escalate

In the last month alone, Johannesburg’s City Power, Transnet and a number of large South African firms fell victim to major cyber-attacks. These are just the latest additions in a rising tide of high profile local cyber-attacks over the past two years. However, these well documented attacks are only just scratching the surface. With the Protection of Personal Information Act of 2013 (PoPIA) having come into full effect at the start of July, South Africans are likely to see the full impact of cybercrime for the first time.

Bertus Visser, chief executive of distribution at PSG Insure, says that many companies were still taking a lax approach to cybersecurity before PoPIA came into full effect. “Data breaches have been massively under-reported to date and it is possible many businesses opted to sweep cyber incidents under the carpet, until now. Now that disclosure is a legal requirement that will be actively enforced by a regulator, we expect to see a huge spike in reported incidents, however, this poses its own set of risks that businesses will have to protect themselves against.”

Insurance doesn’t cover it all

Visser explains that businesses need complete cyber-risk management strategies that encompass much more than simply taking out cyber insurance. “More businesses will need good cyber insurance policies. However, these policies only cover first- and third-party losses as well as some regulatory exposures. In order to adequately manage the risks that cybercrime poses, businesses will have to consult with their advisers to develop a well-planned all-encompassing strategy.”

He points out that this begins by taking a closer look at the potential damages to a business. “Third-party claims and regulatory fines are just part of a company’s total losses. Business interruption and damages to physical assets are insured under different policies. As businesses increasingly move their operations online, the potential secondary losses have increased in severity. Businesses therefore need to review their insured amounts across all of their policies, bearing in mind that a single cyber incident could trigger a number of policies at once.”

Training is critical

Next, cybersecurity training is crucial. “The human element is still the greatest threat to cybersecurity and it's unlikely insurers will cover incidents of pure negligence. Ensuring that all employees and contractors are educated and informed on the latest cyber security attacks and trends is vital. Many IT service providers offer basic cybersecurity training for staff and it can even be included as an add-on to cyber policies.”

Lastly, he says that regularly reviewing cyber risk management strategies is crucial. “Cybercrime is evolving at a frightening pace, so it would be prudent for businesses to revisit their risk management procedures at least twice a year.”

With PoPIA now in full force, Visser says that this may be the catalyst that could finally set businesses on the right path toward becoming truly cyber-resilient. “Business owners should speak to their adviser to ensure they have all the right risk mitigation measures and policies in place to safeguard their business against cybercriminals and any potential liability following an incident,” he concludes.

Share this article:

Further reading: