The advent of the Fourth Industrial Revolution has engendered several technological advancements. Innovations such as artificial intelligence, the internet of things and robotics have changed the way the world operates when it comes to business. Simultaneously, however, the developments have run parallel to the rocketing of cybercrime.
Compelling evidence suggests that cyber will emerge as 2023’s most critical systemic risk to South African businesses and will dominate the liability insurance market for the foreseeable future.
This was one of the primary conclusions drawn from the results of the 2022 SHA Risk Review.
Commenting on the results of the report, Sizwe Cakwebe, the manager of Cyber Risk at SHA, said: “Sixty percent of SHA’s brokers reported an increase in requests for cyber liability cover over the last year. These movements are indicative of an evolving risk landscape and signal the importance of educating clients around the purpose of the cyber cover.”
According to the public review, one in three SME respondents suffered a cyberattack, with the most common causes being malware (30%), phishing (26%), ransomware (25%), denial of service (13%) and theft of funds (13%). This is despite more than 60% of SMEs believing that they were not viable targets for cybercriminals.
Addressing the misconception, Cakwebe stressed the importance of understanding that: no business was immune, and that companies with “valuable data” were not the only ones at risk.
“The reality is that any company with an online presence, regardless of size or industry, is at risk and should therefore prioritise and formalise their approach to risk management.”
Cyber risks come from several fronts, coupled with the constant threat to financial, legal and reputational damage. The financial risk involves the theft of actual funds or the payment of a ransom demand, but also extends to the cost of business interruption due to downtime or system failure.
Companies may be held legally liable by third parties should a data breach occur whereby their information is leaked and could sustain lawsuits for infringements of data protection laws, as well as negligence. Reputational damage can be extensive and have far-reaching consequences that may, in the worst case, lead to the shutdown of the business or impact the share price of a listed business irrevocably.
SHA’s last survey found that an alarming 53% of the victims of ransomware attacks were not able to recover their stolen data.
It’s also worth noting that nothing stops criminals from replicating data and selling it to criminal syndicates before “returning” it after a ransom has been paid. This example drives home the importance of taking a preventative stance on cybercrime rather than a reactive one.
In terms of the ways in which cyber insurance policies are structured, most policies will contain an element of first- and third-party cover, although there are cases in which policies are structured to include only third-party liabilities.
In the case of the former, a first- and third-party cyber policy will provide coverage for aspects of loss, including the cost of investigations, the financial impact of business interruption and the costs associated with executing a public relations campaign to mitigate and rectify any reputational damage.
It is important to note, however, that the ongoing nature of reputational damage and the ripple effects of aspects such as loss of consumer or investor confidence cannot be compensated for in terms of long-term impact.
Commenting on the factors that place businesses at risk of attack, Cakwebe said employees were often the “weakest link in the cyber security ecosystem”.
“The notion, therefore, that the responsibility of ensuring a business has efficient and effective cyber security systems and protocols in place should not fall solely on the shoulders of high-level executives.”
In fact, as Cakwebe concluded, “cyber security should not be framed as an IT process. Instead, it should be regarded as a company-wide, best practice process that involves buy-in from all stakeholders and team members.
“While the most recent SHA Risk Review found that many South African companies are making use of the basic cyber-security components like firewalls and anti-virus software, a need for training and educational initiatives aimed at employees and contractors was identified. Involving the entire company and employees at every level will help employers develop a well-rounded cyber-security posture.”
BUSINESS REPORT