While still in its infancy, cyber insurance has been on offer for some time, and is seeing a soaring demand around the world. However, the uptake of cyber insurance in South Africa is still alarmingly low.
Simon Campbell-Young, CEO of MyCybercare, says that local businesses are disturbingly complacent in the face of an increasingly sophisticated and complex threat landscape, which is seeing determined attackers continually inventing new tricks to breach their networks. “In reality, it isn’t a ‘maybe’; it’s a certainty that all South African businesses are certain to suffer a cyber attack at some point, be it a ransomware attack or a data breach. And without any insurance in place, they will have to cover all associated costs by themselves, which could cripple them financially.”
He says businesses who are not sure whether or not they need cyber insurance, should ask themselves a few questions. “Firstly, does my business handle or store personal data from clients and customers?”
If the answer is yes, Campbell-Young says you definitely need cyber insurance, because this data is valuable to cyber criminals, and handling or collecting it makes you a target for data breaches and other security incidents. Moreover, he says an increasingly stringent regulatory environment means that it is a company’s responsibility to ensure that this type of information is collected, used and stored in a safe and compliant manner, and failure to do so could result in huge fines being levied against the business.
The next question, he says, is do I use cloud services? “Again, if the answer is yes, then cyber insurance shouldn’t even be a question. Cloud technologies are becoming mainstream, almost every business has moved at least a portion of their workloads to the cloud. However, not all cloud providers are equal when it comes to security. Many files that are uploaded to the cloud contain sensitive information, be it financial information or customer details.
Campbell-Young says companies should also ask themselves whether or not they would, financially speaking, be able to survive a cyber attack. “Quantifying the exact cost of a data breach is tricky, but a recent IBM study stated that the average total organisational cost of data breaches in South Africa was R32-million in 2017. Enough to cripple almost any but the largest corporates.”
And this figure doesn’t necessarily cover the indirect and hidden costs of a breach, which include business interruption or destruction, loss of trust and damage to reputation, loss of IP and revenue, falling share prices, and suchlike. “Add these costs in, and the numbers could be far higher,” he says.
“A data breach could seriously compromise your organisation’s financial viability, so having a cyber insurance policy in place is a no-brainer. At the very minimum, this will cover expenses such as financial loss associated with lost revenue, privacy fines and legal expenses.”
Remember that although some general business liability policies include cover for cyber liability, the majority do not. “Assuming you are covered because you have public liability is foolish. You need a standalone cyber insurance policy that covers your business in the event of a cyber attack, and, at the very minimum, includes cover for expenses such as business interruption, loss of data, legal expenses and data recovery,” he concludes.