Sizwe Cakwebe, Manager of Cyber Risk at SHA
The advent of the fourth industrial revolution has engendered several technological advancements. Innovations such as artificial intelligence, the internet of things and robotics have fundamentally changed the way the world operates when it comes to business. Simultaneously, however, these developments have run parallel to the skyrocketing of cybercrime, with compelling evidence suggesting that cyber will emerge as the next, most critical systemic risk to South African businesses and will dominate the liability insurance market for the foreseeable future.
This was one of the primary conclusions drawn from the results of the 2022 SHA Risk Review. 60% of SHA’s brokers reported an increase in requests for cyber liability cover over the last year. These movements are indicative of an evolving risk landscape and signal the importance of educating clients around the purpose of the cyber cover.
According to the review, over the last 12 months, one in three SME respondents suffered a cyber-attack, with the most common causes being malware (30%), phishing (26%), ransomware (25%), denial of service (13%) and theft of funds (13%). This is despite over 60% of SMEs believing that they were not viable targets for cybercriminals.
I cannot stress enough the importance of understanding that: no business is immune, and that companies with ‘valuable data’ are not the only ones at risk of cyber-attacks. The reality is that any company with an online presence, regardless of size or industry, is at risk and should therefore prioritise and formalise their approach to risk management.
Cyber risks come from several fronts, coupled with the constant threat to financial, legal and reputational damage. The financial risk involves the theft of actual funds or the payment of a ransom demand, but also extends to the cost of business interruption due to downtime or system failure.
Companies may be held legally liable by third parties should a data breach occur whereby their information is leaked and could sustain lawsuits for infringements of data protection laws, as well as negligence. Reputational damage can be extensive and have far-reaching consequences that may, in the worst case, lead to the complete shutdown of the business or impact the share price of a listed business irrevocably.
Expertise makes it possible
Behind every modern marvel is a team of experts who take innovation to the next level. In insurance, having
a risk solutions partner that understands your business the way you do is crucial to protect it.
Santam is an authorised financial services provider (licence number 3416).
SHA’s last survey found that an alarming 53% of the victims of ransomware attacks were not able to recover their stolen data. It’s also worth noting that nothing stops criminals from replicating data and selling it to criminal syndicates before ‘returning’ it after a ransom has been paid. This example drives home the importance of taking a preventative stance on cybercrime rather than a wholly reactive one.
In terms of the ways in which cyber insurance policies are structured, most policies will contain an element of first- and third-party cover, although there are cases in which policies are structured to include only third-party liabilities.
In the case of the former, a first- and third-party cyber policy will provide coverage for aspects of loss, including the cost of investigations, the financial impact of business interruption and the costs associated with executing a public relations campaign to mitigate and rectify any reputational damage. It is important to note, however, that the ongoing nature of reputational damage and the ripple effects of aspects such as loss of consumer or investor confidence cannot be truly compensated for in terms of long-term impact.
Employees are often the “weakest link in the cyber security ecosystem” the notion, therefore, that the responsibility of ensuring a business has efficient and effective cyber security systems and protocols in place should not fall solely on the shoulders of high-level executives.
In fact, Cyber security should not be framed as an IT process. Instead, it should be regarded as a company-wide, best practice process that involves buy-in from all stakeholders and team members.
While the most recent SHA Risk Review found that many South African companies are making use of the basic cyber security components like firewalls and anti-virus software, a need for training and educational initiatives aimed at employees and contractors was identified. Involving the entire company and employees at every level will help employers develop a well-rounded cyber security posture.