On a daily basis, headlines across all media platforms report on the rampant increase of cybercrime. Discussions regarding cyber security in respect of national resources and assets abound, with fears of nuclear plants and power grids being targeted by cyber criminals. Television crime series’ plots see the hacking of personal devices such as pace makers and GPS devices. Sci-fi movies are filled with artificial intelligence, not only threatening everyday jobs, but turning on humanity. But that’s obviously all just scare tactics and Hollywood scripts. South Africa is removed from these headline horrors of data theft, of cyber warfare and all things AI. Aren’t we?
One of the largest contributing factors to this idealism, is that the Protection of Personal Information Act is not fully effective yet. The impact of this is that South African breaches or denial of service attacks do not have to be reported, nor made public. It is only natural that the custodians of compromised data would be loath to voluntarily publicize their failure at protecting their clients’ personal information. Such a publication would attract media and public scrutiny, tarnishing the organisation’s reputation for an indeterminable period, if not forever. This shroud of shame would be accompanied with a devaluation of the company’s value, and that is not even considering a potential class action suit levied against the organisation. The [self-funding] regulator would most certainly seek to impute its powers in imposing a fine [of up to R10m]. This cost would be over and above the costs incurred with having to advise the organisation’s database of the data breach. The company would surely be expected to assist with implementing risk management measures to avoid identity theft of their customers, caused by the breach. Thus, there are very few cyberattacks [on South African companies] which are publicized.
A September 2017 article featured on www.techfinancials.co.za advises that, in 2016, South Africa was ranked at 58 on the list of 117 countries suffering the most cyberattacks. South Africa now holds the 31st position on this list, with an estimated R50 billion been lost due to these attacks.
WannaCry was considered the largest virus attack of 2017, infecting between 400,000 to 1 million devices worldwide. Cyber security firm Check Point (Massive cyberattacks slated for 2018 will make Petya WannaCry) anticipate 2018 seeing new better-coordinated attacks, dwarfing Petya and WannaCry, which cost South African and global companies millions. Distributed Denial of Service attacks such as that against domain directory service DynDNS which caused an internet outage in 2016, affecting users of large web businesses such as Netflix and Amazon, are indicative of the impact which attacks on critical infrastructure can cause.
As reported in the Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview, organisations in South Africa have a 41% probability of experiencing a material data breach (involving 10,000 records or more) over the next 24 months. 40% of South African breaches studied over the two year period were due to malicious attacks, with the average number of records compromised being 19,800.
In the Ponemon Institute’s 2017 Cost of Data Breach Study: South Africa, the study revealed that the average cost of a data breach was R32m, equating to R1,632 per capita. R809 of the latter figure is in respect of direct costs expended in isolating and containing the breach. This is in stark contrast to the apathy of South Africans towards their vulnerability, as the costs cited in the survey are from actual data breaches.
The State of Endpoint Security Today, sponsored by Sophos, reports that, for South Africa, the median total cost of a ransomware attack was R1.6m (extending beyond ransom, includes downtime, manpower, device cost, network costs and lost opportunities).
The statistics detailed above all point to an evolving technological environment, where cybercriminals are continuously finding new exploit tactics which, when deployed, could cripple a company. The strong emphasis on good corporate governance worldwide dictates that strong risk management measures need to be implemented to protect organisations against cyberattacks. Given the significant costs associated with these attacks, it is imperative that cyber insurance be considered as a risk transfer mechanism, as a component of a comprehensive risk management programme which includes a cyber security framework.
Camargue Underwriting Managers (Pty) Limited (“Camargue”) has been underwriting cyber insurance since 2011. The Camargue cyber product provides comprehensive coverage, not only in respect of third party liability emanating from data breaches (whether it be from customers whose confidential information has been compromised, or from the regulator, as a result of the data breach), or viruses inadvertently transmitted by the Insured to a third party. In addition, the policy also provides crisis management and customer support, along with credit monitoring, in the event of a data breach. First party coverage includes data recovery and loss of business income coverage, because of a first party event emanating from a security breach, computer virus or malicious code, failure of a computer network, programming error of delivered programs, or damage to data. The policy offers errors & omissions coverage for companies rendering information technology services and advice.
The Camargue Cyber Attack Plus (CCAP) product was launched during 2017. This product not only covers the exposures detailed above, but further extends to cover property damage and bodily injury. Industries requiring this coverage include energy, oil and gas, critical infrastructure, utilities, mining, distribution, logistics, manufacturing, transportation and heavy industry.
Over and above the policy coverage, Camargue provides risk management services such as automated vulnerability assessments, private arbitration as well as contract vetting, to assist Insureds with a multi-pronged risk management approach.