Companies ramp up cyber liability strategies
The adoption of Protection of Personal Information (POPI) Act is pushing South African companies to ramp up their cyber liability strategies as they try to get a better understanding of the impact this can have on their business.
So says Jonathan Healy, divisional executive of Marsh Africa's financial and professional liability practice, who notes cyber attacks are escalating in frequency and intensity, posing a growing threat to businesses and countries' national security.
The POPI Act is about to come into effect after the Department of Justice announced it would start the ball rolling for the appointment of an Information Regulator. The appointment of the regulator was one of the main issues holding up the new law.
According to Healy, South African companies are in ever-larger numbers seeking financial protection through insurance, buying coverage for losses from data breaches and business outages.
From 2013 to 2014, Marsh has seen a 32% growth in the number of new cyber insurances and a 22% increase in limits purchased by its existing cyber insurance.
Cyber policies can provide direct loss and liability protection for risks associated with the use of technology and data. Policies can also be expanded to include business interruption, he adds.
Natalie van de Coolwijk, MD of CyGeist, says in the wake of an information security or privacy breach, a well-planned and executed response can be instrumental in limiting potential damage to the affected organisation, as well as those whose data was compromised.
She points out there is a common misconception that traditional insurance policies provide cover for the above costs. While some traditional coverage options might have cyber crime extensions, the cover provided by cyber insurance is significantly broader and has been tailored to assist organisations in responding to a breach, she notes.
"As opposed to just covering the insured for direct financial losses, cyber insurance policies cover the resultant expenses of a breach. Furthermore, the product not only provides cover for breaches resulting from cyber crimes committed by external parties, but also breaches as a result of malicious or negligent acts carried out by employees," Van de Coolwijk explains.
Meanwhile, Healy says insurance is only part of the solution, and to manage risk effectively, companies should also have their ducks in a row in terms of audits, procedures, policies and compliance.
"Insurance is not a substitute for good cyber security, but is an important addition to a company's overall risk management. Insurers can help guide and incentivise significant improvements in cyber security practice across industry by asking the right questions of their customers on how they handle cyber threats," he states.