Almost everyone received more than one SMS, email or social media notification regarding South Africa’s new Protection of Personal Information Act (PoPIA) on 1 July 2021. If your client’s company processes personal information, it probably issued a similar notification to their clients and customers. PoPIA compliance means exposure to penalties, fines and legal liability from third parties should the personal information they process be compromised – cyber liability insurance is specifically designed to respond and indemnify your clients should they suffer loss or damages as a result of a data or network breach.
Section 2 (1) of PoPIA states that the purpose of the Act is to “give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party”. In practical terms, the responsible person is the one who decides why and how personal information should be processed. If one of your clients, their customers or even an employee (the data subject) suffers damage because the responsible party (your client) failed to secure their information, the responsible party can be held liable for those damages.
Your client’s business needs Cyber Liability insurance if:
- they store or process data of their employees or a third party; or
- if they have an internal or external IT system.
So your client thinks that they’ve followed all protocols and that their databases are safe so, why would they need Cyber Liability insurance?
What happens if an employee’s work laptop or cell ‘phone containing private information is lost or stolen? Could a disgruntled employee maliciously publicise private information or sell it to a third party? Could a colleague accidently launch malware that disrupts operations? Could the network be breached by a hacker?
The answer to all of these questions is, unfortunately, yes. But there’s more. Besides a potential breach of confidentiality, infringement or violation of any right to privacy that results in harm to third parties or employees, your client may be vulnerable to hacking. Hacking, or a cyber-attack, can cause the unauthorised access to, unauthorised use of, theft of data from, denial of service to or the transmission of malicious code to their network system. Have they considered the impact that the loss of digital corporate data such as intellectual property or proprietary information could have on their business? What if this information fell into the hands of their biggest competitor?
Your client’s system could also be hijacked and used to attack another party’s network – a process known as a downstream attack. Ransomware is another form of a cyber-attack that systems may be vulnerable to. This is where all the information on a computer or network is encrypted or scrambled. A ransom is usually extorted from the victim before the information will be decrypted or unscrambled.
As part of an effective risk management plan, organisations must routinely decide which risks to avoid, accept, control or transfer. Transferring risk is where Cyber Liability insurance comes into play. Most individuals and companies conduct business via technology, social media and transactions over the Internet. These channels, while convenient and effective, also provide opportunities for cyber-attacks and -crime. The unfortunate truth is that a cyber-attack is likely to be launched on any business, big or small. And, as mentioned, these may be perpetrated by petty hackers, criminals, insiders or even nation states. Cyber Liability insurance will provide your clients with the necessary protection against incidents that occur within the cyberspace.
Standard Cyber Liability insurance products are likely to cover: multimedia liability; data extortion; security and privacy liability; crisis management costs (including customer notification, support and credit monitoring); technology; legal consultation; identity monitoring for victims of a privacy breach; expert consultation including I.T. risk management; digital forensic investigation; theft of access codes from the premises, employees, or computer system; hardware theft; reimbursement for costs attached to repair of reputational risk; and insurable fines payable to a regulator or government authority regarding breach of data protection laws.
Different companies offer various forms of Cyber Liability insurance and there are a number of factors one must consider when recommending the cover that suits your customers’ operations.
What should your clients do in the interim? The can reduce cyber-attack security risks through regular penetration testing. Suggest that they evaluate system and data dependence and the impact its disappearance may have on business operations. What is the nature and volume of data stored, processed and that can be reasonably accessed? Who can access this data and how secure is it actually? An incident response process that also identifies necessary service providers and calculates relevant costs should be developed.
The processing, storage and effective protection of data are critical to doing good business. While the use of technology is as important, it also creates an environment in which opportunistic cyber criminals operate. Even if security measures have been breached or if an accident occurs, Cyber Liability insurance means that your client’s business won’t have to bear the financial brunt of an unfortunate cyber-related incident.