Ashley Madison hack highlights need for cyber insurance

By Staff Writer, ITWeb
Johannesburg, 24 Jul 2015

The slew of high-profile breaches that has flooded the headlines in the past few years proves that no company is safe, regardless of size or security budget.

Giants, including Google, Sony and Target, have all suffered incidents that have seen millions of customers' personal details exposed.

The latest hack on the notorious dating Web site Ashley Madison, which provides a platform for married or involved individuals to cheat on their significant others, saw the details of 37 million of its global users being compromised.

Of this number, 175 000 are South Africans, who now fear that their personal information, including banking details, could be made public.

Candice Sutherland, business development consultant at SHA Specialist Underwriters, says this incident is yet another example of how easy it is for hackers to target a business and breach its security systems.

She says a 2015 Security Report released by Check Point Security revealed that around 106 pieces of new malware bombard businesses every hour, and 83% of the 1 300 businesses surveyed were infected with malware that enabled the exfiltration of sensitive data.

The total monetary loss as a result of cyber crime in SA is estimated at over R5.8 billion, says Sutherland, and in 2014, over 974 million records were lost or stolen due to cyber crime. "If cyber crime were a nation it would be the 27th biggest in terms of GDP."

POPI

She adds that, with the introduction of the Protection of Personal Information Act (POPI), any breach could render the affected organisation in violation of the Act, which could result in a fine of up to R10 million or 10 years in prison.

Sutherland cites several examples of uninsured SA businesses that have suffered an attack, including the Gautrain, KFC, Vodacom, Cell C and now Ashley Madison.

According to her, businesses can ensure they are financially covered against the reputational damage and costs associated with cybercrime attacks and data breaches with a cyber liability policy.

She says a good cyber insurance policy will protect an organisation against breaches and will cover first party expenses, including the actual costs to restore, re-collect or replace data; expenses of specialists, investigators, forensic auditors or loss adjusters; costs for the use of rented, leased or hired external equipment, services, labour, premises; or additional operating costs, including staff overtime.

In addition, she says it will cover loss of business income such as the net income that would have been earned had the breach not occurred. "In addition, it will take care of notification expenses, for example, the expenses incurred to comply with privacy legislation such as the legal costs as well as the communication expenses including e-mail, call centres, Web site and customer support expenses."

Other costs that are covered include crisis management expenses, including the services of a public relations consultant, related advertising or communication expenses, as well as associated regulatory fines and penalties to the extent insurable by law.

True costs

However, when it comes to measuring the true cost of an incident, she says reputational damage and loss of customer trust are unquantifiable. "The cost of losing shareholders and customers can bankrupt a business and force them to close their doors."

In addition, there could be legal fees, depending on how many affected parties there are, which would take into account whether or not it was a large-scale breach that could result in a class action.

Sutherland says other costs, such as notification costs, investigators, forensic auditors, and similar, are variable, as these specialists generally charge an hourly rate, so again it depends on the size and magnitude of the breach.

"It is imperative for an organisation to consult with a reputable insurance provider to ensure that all the possible vulnerabilities and threats relating to the business and the industry have been taken into account to avoid the financial and reputational risks of cybercrime," concludes Sutherland.
