Don’t be complacent about cyber risk

Cyber attacks on companies are far more common than you’d imagine – and can expose companies to significant reputational and financial harm. Apio director Richard Hood offers some advice on mitigating the likelihood through robust risk management and the appropriate cover.

Cyber risk is rapidly becoming the forefront of risk to business in South Africa. Recently, the Cyber Exposure Index rated South Africa as having the 6th highest cyber risk in the world – a shocking statistic. And industrial, financial and materials businesses are the most exposed.

Don’t be complacent about cyber risk Apio can help

Naivety about the risks

Small and medium enterprises may think that they’re not a target, but specialist insurer SHA recently reported that 30% of businesses were the victims of cyber attacks – 1 in 3 businesses – while 82% of those businesses had suffered some business interruption. For 80% of the companies, the associated downtime was longer than 48 hours. For a customer-facing business, the financial consequences could prove costly.

Ransomware, where systems are held hostage for a payment (usually a significant cost in bitcoin), is also becoming prevalent. While many companies might regard this as a “one and done” crime, the reverse is true – exposing a weakness in your company’s systems through an attack might actually make you more vulnerable to repeated attacks.

Many companies place reliance on their IT department or an outsourced IT provider, without interrogating possible weaknesses in their system. And while most businesses have anti-virus software and firewalls in place, malware can be introduced through the human element of any business – imported via a USB device or from a phone connected to a computer. Equally, while you might feel confident that important data is backed up off-site, if malware has been saved as part of the back-up, you’re not as safe as you think.

New legislation adds to the burden

To add to the concern, new legislation regarding the Protection of Personal Information (POPI) comes into effect during 2019, having been signed into law in 2013. The POPI Act requires companies to protect personal data and regulates how companies process, store and regulate customers’ personal information. The legislation includes a host of penalties for companies who fail to protect personal information, including a fine of up to R10 million, and 10 years’ imprisonment.

The right cover

Cyber insurance comprises two elements. First party insurance covers a breach to your own network and systems, and this extensive cover includes elements like data recovery, business interruption and the consequential losses, as well as the provision of experts to contain and manage losses. Crisis management forms an important part of this cover, providing PR and crisis communications to potentially affected business partners, clients or customers, among others.

Third party insurance covers liability for a breach of confidentiality and legal defence costs for any litigation that might arise from this breach. However, cyber insurance will not pay for a POPI fine, as that kind of risk is uninsurable.

Having a plan

Most insurers will insist on knowing what risk management processes are in place before committing to a cyber risk policy, for example what password protocols are in place, and how you manage system access. It’s important to have a cyber response plan in place, with experts who will come in and help guide you through dealing with an incident. Some insurers will also run penetration tests to see where potential vulnerabilities lie in your system, a nice additional benefit to the cyber risk policy.

Many small and medium enterprises have not yet adapted and believe that they can manage the risks. However, with an appropriate risk management strategy, the insurance is not very costly, and the benefits of having a professional team of experts on hand in the event of a cyber incident cannot be downplayed.

When confronted with a ransomware demand, or a cyber extortion attempt, very few companies have the resources internally to deal with it. This is particularly relevant for companies that manage sensitive personal data, for example medical companies, where a ransomware demand could cause untold damage to the company’s reputation.

For this reason, insurers are seeing quite an uptake in cyber insurance policies. It’s worth discussing your options with your advisor to ensure that, should the day come, you’re both prepared for an incident and have the necessary cover to mitigate financial losses.

As Warren Buffet famously said, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently”.