Are you cyber insured?

1 May 2013 Security Services & Risk Management

As the frequency and voracity of cyber attacks increase worldwide, it is estimated that over 70% of South African businesses are significantly unprepared for cyber liability risks, and in turn, woefully underinsured when it comes to managing the financial and legal implications that follow a major cyber breach.

Jenny Jooste

Business leaders need to get very serious about managing their cyber breach risks and it should be a priority in boardrooms, rather than left to IT departments to deal with in isolation. This is according to Jenny Jooste, account executive for professional risks at Aon South Africa.

In the wake of spectacular cyber attacks against large organisations such as Sony, Citibank, Lockheed Martin, the UK’s National Health Service (NHS), the International Monetary Fund (IMF), and more recently, 16 Hong Kong gold and silver investment and securities trading companies, it is essential that business leaders understand the level of network security threats, the consequences of those risks, and the availability of cyber insurance policies.

Legislatively, the Protection of Private Information Bill (POPI), which has just been passed by parliament and will be signed into South African law within months, will also make onerous demands on how a client’s personal data is managed, stored and used by a business.

The growing use of cloud computing also brings with it its own set of security challenges. According to Deloitte, people refer to cloud computing without a clear knowledge of what it actually is: cloud computing is really just accessing a server somewhere in the world, often outside of South Africa. The reality, though, is that most companies have no idea where their information is stored. They know that they outsource to a company, but they have no idea where that company sends the information.

Organisations need to remember that while they may be depositing their data in a public cloud, they do not transfer their risk. If any information is compromised, the liability remains with the organisation, and while they may have some recourse against the cloud provider, it is cold comfort if their reputation gets blown.

Consequences of data carelessness

“If a company database containing personal information is compromised by a virus or hacking attack, the extent of the damage can be massive. If a client can verify that they have suffered a loss due to the data breach, they may hold the company responsible for the loss. In this regard class action is also very likely – Sony for example faced 58 class actions after breaching millions of customer accounts,” says Jooste.

Sony is by far the most publicised and recent security attack. After its PlayStation network was shut down by LulzSec, Sony reportedly lost almost $171 million. The hack affected 77 million accounts and is still considered the worst gaming community data breach ever. Attackers stole valuable personal client information – names, logins, passwords, e-mails, home addresses, purchase history and credit card numbers. Now for the really bad news – Sony’s losses were not insured.

“Cybercrime costs global economies an estimated $100 billion a year. These attacks, coupled with the liability claims that they might encounter, can leave local businesses in ruins if they are not properly insured against cybercrime,” she warns.

Reports show that hackers earned $12,5 billion in 2011, mainly by spamming, phishing, and online fraud. Hackers targeted major companies including Sony, RSA Security, and Citigroup, but also governmental websites and smaller firms. Many of these attacks could have been prevented, and the businesses in question did not just lose money: their clients, reputation and market share went down the tubes with their data. Millions of people are affected by security breaches worldwide, and litigation in this regard is stepping into high gear.

In July this year, the websites of 16 Hong Kong gold and silver investment and securities trading companies – with a combined estimated daily trading volume of HK$44 billion – were compromised by mainland computer hackers. The hackers launched targeted distributed denial-of-service (DDoS) attacks on those websites and blackmailed the affected companies for a total of 460 000 Yuan (HK$563,000). DDoS attacks bombard servers running the targeted websites with more incoming data than the computers can handle, effectively shutting them down.

In August last year, a wave of DDoS attacks crashed the regulatory disclosure website of Hong Kong Exchanges and Clearing (HKEx). Investors were not able to access company announcements. That also forced the suspension of shares in seven firms with a combined market value of HK$1,5 trillion, including blue-chips HSBC Holdings, HKEx itself and Cathay Pacific Airways. Trading was also halted on a listed debt security and 419 warrants and derivatives linked to the suspended stocks.

Local risks

The South African risks are no different; however, it seems that businesses are more laissez-faire in their handling of their cyber and data breach risks, despite the fact that South Africa is fast becoming a leading target for cyber criminals. There is a tendency within the South African environment to leave regulatory and security compliance until late in the game.

“Phishing volumes have increased in South Africa, making the country one of the leading targets of cyber criminals in 2011. Recent statistics have revealed that South Africa is the third most attacked country globally, with 7,5% of attack volumes,” says Jooste.

Local companies could soon also be forced to comply with US Securities and Exchange Commission requirements. “It is mandatory for companies situated in the United States to notify an entire database of a security breach, which can be very costly. This could very soon become mandatory for South African businesses who encounter a cyber attack. This in turn is expected to drive demand for insurance products to protect businesses exposed to a virus or hacking attacks as cyber and IT risks become more aggressive, and very public knowledge.”

She also says that while liability policies generally only respond to third-party claims, certain cyber liability policies will also provide first-party cover – in other words cover for the costs incurred by the policy holder to rectify and recover from the breach.

Companies need to consider the security implications that their businesses are exposed to. Those that are most at risk are those who provide technology services, and those who are heavily reliant on technological systems to provide a service.

“Companies who outsource protection and who are reliant on technology should ensure that they use reputable IT security providers who are indemnified. Businesses should ask themselves what kind of service they offer and what the business entails. For example, if they provide IT services to companies that rely on technology, and inadvertently their systems infect the client’s systems, the costs to both companies could have devastating effects. The biggest concern here, however, is the client who depends on a network to run their business,” says Jooste.

Over and above investigating insurance options, local businesses should ensure that firewalls, IT security and virus protection measures are properly in place and regular tests are run to gauge effectiveness.

2011 was not dubbed the year of the hack for nothing. Yet despite the very public and devastating financial and legal implications of various high profile hacks, many South African businesses continue to face many online threats and continue to be exploited because of poor security measures. Regardless of size or status, no business is safe from e-threats, unless it includes security as its ultimate priority.

“There is no one size fits all approach to cyber insurance. It all depends on the size of the company, nature of its business and its unique levels of exposure. In this regard, consulting with a professional risk advisor is an invaluable exercise in protecting your reputation, data, clients and income,” concludes Jooste.
