The year 2017 was a horrendous one in terms of the number and scale of widely publicised data breaches, the ramifications of which will be felt by the affected companies and persons for years to come. A multitude of attacks rocked the world over the last twelve months, including an array of new ones which have become infamous due to the extent of their destruction. These include, but are not limited to, the following: WannaCry, Petya, NotPetya, the Equifax breach, and the Verizon and NSA breaches. Even brands which have always been synonymous with ‘unbreakable security’, such as Apple, have been sorely tested.
In 2017 thousands of Apple Mac users had a 50% chance of being infected by a Trojan (a type of computer virus) which had infiltrated Mac’s standard video encoder, HandBrake, allowing hackers to steal passwords from their keychain. To add insult to injury, 2018 did not get off to a prosperous start either, as a new exploit was discovered which allows a skilled hacker to read the encrypted information on any device with an Intel processor (including all Apple products).
Apple is not the only targeted enterprise. The international transport and freight giant, Maersk, suffered a USD $300m loss in revenue following the Petya epidemic, according to their CEO, Søren Skou.
Whilst international companies tend to make news headlines, South Africa has not escaped the hit-list in terms of cyber-criminals looking to expand their revenue stream. Recently, the personal information of thirty-three million South Africans was found on the Dark Web. Considering the delay in the announcement of the implementation date of the Protection of Personal Information Act (“POPIA”), which will require juristic and natural persons to disclose breaches, insurers are currently well-positioned to observe the growing number of incidents within the economy (as a direct result of an adverse claims experience).
As seen in recent years, the number of records stolen in a breach and the type of companies affected become a blur. Gone are the days of attacks being confined to large retailers, healthcare providers and financial institutions. The connectivity between businesses and people is ever growing and evolving. With this, and the rapid pace of innovation within the technology sector, people and businesses are exposed to risks which traditionally did not pose a considerable threat, and which historical risk-transfer mechanisms are ill-equipped to address.
Understanding the wide array of technological risk faced on a daily basis requires in-depth expertise and knowledge, which is not viable for the average business owner. Understanding what the key exposures are to one’s specific business and industry, as well as knowledge of solutions available, is an effective approach to managing and mitigating cyber risk and exposure.
For the most part, companies affected by cyber-attacks in 2017 experienced the following:
1. Loss of revenue due to a failure of the IT system and network. Think of a large online retailer whose website payment portal is compromised for just one day, and the financial ramifications thereof. Large-scale manufacturers have been similarly affected when their factories are compromised.
2. When confidential information is accessed and exploited, this results in notification costs to contact the subjects who are affected by the breach (via post, email or telephone), costly legal actions and defence costs, as well as potential regulatory fines and penalties for non-compliance with data protection laws specific to the territory in question.
As the majority of business owners are not cyber security experts, it is reassuring that there are risk management professionals who are able to assist in identifying cyber risk and tailoring specific solutions to address these exposures. A comprehensive cyber insurance policy is one way in which a business can transfer cyber risk off its balance sheet, thereby protecting the bottom line and reputation of the organisation in the event of a cyber-related incident.