Imminent privacy law drives cyber insurance

Martin Czernowalow
By Martin Czernowalow, Contributor.
Johannesburg, 23 Jan 2015
Cyber crime losses in SA are estimated at R5.8 billion for 2014, says a market observer.
Cyber crime losses in SA are estimated at R5.8 billion for 2014, says a market observer.

South African companies are increasingly looking to cyber insurance policies to cover themselves in the event of security breaches, a trend driven by the imminent introduction of the Protection of Personal Information (POPI) Act.

The Act was signed into law by president Jacob Zuma in November 2013, and promotes transparency with regard to what information is collected and how it is to be processed. Once the Act comes into effect - a date is yet to be announced - non-compliance will carry a maximum penalty of 10 years in prison, or a R10 million fine.

Candice Sutherland, business development consultant atSHA Specialist Underwriters, says the imminent implementation of the POPI Act is driving the interest in cyber insurance cover among local businesses.

"We are definitely seeing an uptake. There has also been a huge increase for quote requests, and many companies are taking out limited policies on an exploratory basis. Even though there has been a much slower mentality when it comes to local businesses protecting themselves against security breaches, this is definitely changing."

However, Sutherland warns small companies should not be lulled into a false sense of security, as they are more likely to be targeted by cyber criminals than large corporations that have more sophisticated security systems and resources at their disposal.

"In 2014, cyber crime losses are estimated at R5.8 billion and statistics show it takes on average 200 days for an organisation to identify a breach," she says, adding the global figure for last year is $388 billion in financial losses from cyber crime.

Sutherland explains that currently cyber crime in SA falls under the Electronic Communications and Transactions Act 25 of 2002, which states a person convicted of an offence could be liable for a fine or imprisonment for a period not exceeding five years. However, the much stricter requirements of the POPI Act mean more onerous demands will be placed on companies to protect data and ensure they have adequate systems in place to protect against breaches.

"We are never going to stop cyber crime, [and] to catch hackers is very difficult," says Sutherland, adding that, globally, there are on average one million cyber attacks per minute. "A breach can sink a smaller company, so they should consider covering themselves against such an event."

Sutherland says organisations should ensure their cyber insurance policies cover the following:

* First party expenses: the actual costs to restore, recollect or replace data, costs and expenses of specialists, investigators, forensic auditors or loss adjusters, costs and expenses for the use of rented, leased or hired external equipment, services, labour, premises or additional operating costs including staff overtime.
* Loss of business income: net income which would have been earned had the breach not occurred.
* Notification expenses: expenses incurred to comply with privacy legislation such as legal expenses and communication expenses through mail, call centres, Web site and customer support expenses.
* Crisis management expenses: services of a public relations consultant, related advertising or communication expenses.
* Associated regulatory fines and penalties to the extent insurable by law.