The recently uncovered cyber-attack on Yahoo.com’s email servers once again highlights the liability that companies face relating to the security of their clients’ personal information. This is according to Gillian Wolman, head of litigation at Risk Benefit Solutions.
It has been revealed that at least 500 million user accounts on Yahoo’s servers were hacked in 2014, making it the biggest publicly disclosed cyber-attack in history. The company now faces several lawsuits internationally as well as the possibility that its $4.8 billion merger with Verizon could fail.
Under South Africa’s Protection of Personal Information Act (POPI), companies could, in similar circumstances, face up to a R10 million fine or 10 years’ imprisonment for a company director. “Cyber security is a big concern for businesses and individuals. South Africa’s GDP is estimated to lose about R5.8 billion annually to cybercrime, according to a recent McAfee Global Cost of Cyber-crime report. Internationally the report places that number closer to $445 billion (R6 trillion). Cybercrime is increasing globally and steadily becoming quite a phenomenon in the business industry,” Wolman says.
One of the growing trends in cybercrime is the application of ransomware, which encrypts all of the information on a company’s servers, she says. “Criminals often use this type of attack to extort money from businesses, promising to decrypt the company’s files for a fee.
“Usually the programmes only encrypt company information, and no data is actually taken off the servers. Still there is no way to be sure that the criminals did not get access to the information and companies are still under obligation to report it to their clients and authorities. They also face the same possible penalties and loss of business,” Wolman notes.
While the business sector is becoming aware of the issue, Wolman says that companies need to start adapting to this emerging threat more rapidly. “In terms of risk management, more businesses need to start putting processes in place. Having the proper procedures in place, making sure that they are managed properly, and having a transfer mechanism in the form of an insurance policy in place, are paramount. The liability that companies face if they do not have these could easily send them into liquidation.”
Wolman points out that cyber claims are not covered under traditional insurance policies. “Policies such as general liability, business interruption and computer all risks only cover claims where there is physical damage, while Professional Indemnity provides limited cover for third-party data loss, but generally only in relation to the provision of professional service.”
As a result, businesses require dedicated cyber policies that cover first-party expenses, loss of business income, notification expenses, crisis management expenses as well as the associated regulatory fines, says Wolman.
“Also keep in mind that any insurance policy will have its terms and conditions, and companies are only adequately covered if their risk management procedures are up to standard. Therefore, up-to-date security software, proper password protection and the right data security procedures are all the company’s own responsibility,” she adds.
Wolman says more business owners have fortunately started to realise how costly the effects of cyber-attacks can be, and are therefore putting these measures in place to protect themselves financially.
“Cybercrime is fast becoming one of the biggest threats facing organisations. It is no longer sufficient for businesses simply to guard the network perimeter with a firewall and install antivirus software on endpoints. Companies need to continually monitor the evolving threat landscape, and understand that being hacked is no longer a risk, it is an inevitability,” concludes Wolman.
Risk Benefit Solutions (RBS)