Liberty cyber breach: it could happen to you
In the wake of Saturday night's notification that Liberty has been "subjected to unauthorised access to their IT infrastructure, by an external party who requested compensation for it", this should be a wake-up call to any organisation in South Africa (regardless of size or incorporation) that this could happen to you.
What Liberty has done right:
* Informed all clients of the situation on Saturday and provided an update on Sunday;
* Released media statements;
* Deployed an incident response team and is investigating the breach;
* Is working with law enforcement authorities; and
* Supplied email and contact details for customers to use.
We must be cognisant that data is the most important asset you own, for without it you cease to exist, and that cyber crime is a daily occurrence in South Africa.
Cyber insurance, more than any other insurance, allows access to the correct channel of service providers needed to recover fully from a cyber incident.
Designed to cover the resultant costs and damages from a network security or privacy breach, a cyber insurance policy covers what has previously been uninsurable. While called cyber insurance, the policy is far broader than the name implies, extending to cover a host of incidents, including, but not limited to:
* Cyber extortion (ransomware, to prevent denial of service or publishing of stolen data);
* Denial of service (disruption to operations);
* Downstream attack (a compromise of the insured's environment resulting in damages to others);
* Insider and privilege misuse (unauthorised access and unauthorised use of systems and data, including by employees and service providers);
* Malware (virus, ransomware, etc);
* Physical theft and loss (both devices and physical hard copy data); and
* Threats posed by third-party access into a client environment.
So, how would a cyber insurance policy respond to an incident such as that suffered by Liberty?
* Cover would be provided for the costs of the cyber-crime and IT security specialists to determine how the breach occurred and regain control of the environment.
* Costs for the forensic investigations to determine what data has been compromised and who is affected.
* Costs for specialists to engage with the attackers.
* Legal guidance and assistance in dealing with and making representations to regulatory bodies (both for POPIA and GDPR) and law enforcement agencies.
* Crisis communications and public relations costs. This includes the costs for media campaigns, communications with affected parties and ongoing communication costs required in responding to the incident.
* If required, the costs for remediation services to prevent the affected customers from suffering further damages. A common remediation service would be credit and identity theft monitoring, whereby affected parties can sign up for notification services should there be any activity on their credit record.
* Business interruption and increased cost of working to cover the loss of earnings resulting from systems being unavailable as well as costs to recover and get operations back up and running.
* Costs related to ensuing litigation.
What sort of businesses need cyber insurance?
* Any entity that has an IT system (internal or external); and
* Any entity that stores data (employees and third parties).
The policy provides comprehensive cover to respond to a network security or privacy breach. Cover extends from the incident response process through to business interruption losses and the defence and settlement of ensuing liability claims.
* Business interruption losses and increased cost of working resulting from a disruption to operations including from a denial of service attack;
* Costs to obtain professional (legal, public relations and IT forensics) advice, including assistance in managing the incident, coordinating response activities, making representation to regulatory bodies and coordination with law enforcement;
* The costs to perform incident triage and forensic investigations, including IT experts to confirm and determine the cause of the incident, the extent of the damage, including the nature and volume of data compromised, how to contain, mitigate and repair the damage, and guidance on measures to prevent reoccurrence;
* Costs to restore, recollect or replace data lost, stolen or corrupted;
* Crisis communications and public relations costs to manage a reputational crisis, including spokesperson training and social media monitoring;
* Communication costs to notify affected parties;
* Remediation services such as credit and identity theft monitoring to protect affected parties from suffering further damages;
* Cyber extortion costs to investigate and mitigate a cyber-extortion threat and where required pay ransoms; and
* Fines and penalties to the extent insurable by law.
Defence and settlement of liability claims arising from:
* Compromised, sensitive or personal information (this extends to include physical hard copy information);
* A system security incident which results in harm to third-party systems and data, e.g. the insured's environment is compromised and used to launch attacks against others, including via access to third-party environments; and
* Disseminated content (including social media content) resulting in defamation, unintentional copyright infringement or infringement of the right to privacy.