How good is your cyber risk management strategy?
The ransomware attack against Transnet was the latest in a number of attacks against large South African entities, including City Power and several top banks.
However, these well-publicised incidents are only scratching the surface, says Bertus Visser, chief executive of distribution at PSG Insure.
“With the Protection of Personal Information (POPI) Act having come into full effect at the start of July, South Africans are likely to see the full impact of cyber crime for the first time.”
According to him, many businesses were still adopting a careless approach to cyber security before POPI came into full effect. To date, data breaches have been vastly underreported, and it is likely that cyber incidents have been swept under the rug in the past.
“Now that disclosure is a legal requirement that will be actively enforced by a regulator, we expect to see a huge spike in reported incidents,” he adds. “However, this poses its own set of risks that businesses will have to protect themselves against.”
Visser says that organisations must have complete cyber-risk management strategies in place that encompass far more than cyber insurance alone. Although he believes that more companies will need cyber insurance policies, these policies only cover first- and third-party losses as well as certain regulatory exposures.
A well-planned strategy starts by scrutinising the potential risk to a business. Third-party claims and regulatory fines make up a fraction of an organisation’s total losses. Business interruption and damage to physical assets, for example, are covered under different policies.
In addition, as businesses move more of their operations online, the potential secondary losses increase in severity, and businesses must review their insured amounts across all of their policies, bearing in mind that a single cyber incident could trigger a number of policies at the same time.
Next, Visser says cyber security training is critical. The human factor is still the greatest threat to any business, and it is unlikely that insurers will cover incidents of pure negligence. Ensuring that employees and contractors are educated and informed on the latest cyber security attacks and trends is key. Many IT service providers offer basic cyber security training for staff, and this can also be included as an add-on to cyber policies.
Lastly, he says that regularly reviewing cyber risk management strategies is important. He advises businesses to revisit their risk management procedures at least twice a year, and to ensure they have all the right risk mitigation measures and policies in place to safeguard their business against any potential liability following an incident.