Cyber crime, including data kidnapping and data ransom, has been on a steady increase over the past few years, not only abroad but also in South Africa, increasing the demand for cyber insurance as companies become more vulnerable to online security threats. According to a report by McAfee, cyber crime is estimated to cost South African companies more than R5.8 billion a year. According to Santam, it takes approximately 200 days for a South African company to identify an online security breach.
When the Protection of Personal Information Act 2013 (POPI) comes into force, companies will be mandated to establish or upgrade their cyber safeguards or face hefty fines. Principle 6 of the Act deals with security safeguards and states, inter alia:
17. (1) "The responsible party must implement appropriate technical and organisational measures to secure -
- the integrity of personal information by safeguarding against the risk of loss of, or damage to, or destruction of personal information; and
- against the unauthorised or unlawful access to or processing of personal
(2) The responsible party must take measures to -
- identify all reasonably foreseeable internal and external threats to personal information in its possession or under its control;
- establish and maintain appropriate safeguards against the risk identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or required in terms of specific industry or professional rules
Recent cyber crime cases that have made headlines include the hacking of Cell C and Vodacom’s online portals, which exposed account and banking details, and the hacking of the City of Joburg’s online e-statements, which exposed residents’ personal details. Russian cyber security firm Kaspersky Lab said that cyber criminals have stolen approximately 1 billion US Dollars from world financial institutions since 2013. And who could forget the famous case of Ashley Madison, an online dating site that now faces potential damages claims from its members after being hacked.
POPI seeks to minimise these threats. However, although the President signed the Act into law on 27 November 2013, the actual commencement date of the Act is yet to be determined. Many companies have already spent the last year getting their houses in order to ensure compliance (although companies have one year from the commencement date of the Act to show compliance). For this reason, more and more companies are taking up cyber liability insurance cover. Cyber liability policies cover liability for data breaches of personal information / company records. Policies cover expenses relating to breaches, which include:
- Operational risk;
- Media coverage;
- Technology assets (costs to restore data, systems and hardware);
- Credit monitoring;
- Regulator claims;
- Fines and penalties;
- Loss of business income as a result of systems downtime;
- Security specialists, attorneys, forensic investigators and loss adjusters to contain and manage the breach; and
- Loss resulting from theft of employees' identity / identities.
Traditional insurance policies do not necessarily provide cover for these costs (unless they have detailed cyber-crime addendums). Cyber insurance goes beyond just covering companies for any direct financial losses. Cyber insurance policies cover the consequent expenses of a data / systems breach, as well as malicious / negligent breaches committed by employees (they cover external breaches as well).
We recommend that companies ensure they have solid risk awareness and IT security and risk management strategies in place, and that they have an expert walk them through cyber crime liability and cyber insurance so that they are aware of the consequences of a breach, as well as the remedies available to them.
For any queries on the above, or if your company would like to take a POPI / Cyber Crime seminar, please contact:
The Cybercrimes and Cybersecurity Bill was released for public comment on 28 August 2015. The Bill has been drafted to limit the harm caused by cyber crime to individuals, business and the government. The Bill is set to be presented to Parliament in early 2016.
The Bill aims to:
- Define offences and prescribe penalties;
- Regulate jurisdiction and powers to investigate, search and gain access to or seize items;
- Regulate aspects of evidence;
- Regulate aspects of international co-operation regarding investigations;
- Identify and declare national critical information infrastructures and ways to protect these; and
- Create obligations for electronic communications service providers regarding issues that affect cyber security.
The Department of Justice and Correctional Services has invited the public to comment on the Bill before November 30.