Philippa Wild, Chief Underwriting Officer at Santam Broker Solutions
According to research conducted by Interpol, South Africa had the third highest number of cybercrime victims globally in 2022, with accumulated losses of over R2 billion. These attacks were levelled at organisations of various sizes and across sectors such as healthcare, financial services, and online education. Having a robust risk mitigation strategy is therefore the key to preventing the potentially devastating financial impact of business disruption caused by cybercrime.
Businesses of any size should treat cybersecurity as a matter of priority. While cybercrime has seen a dramatic upsurge globally in recent years, South Africa in particular, has been identified as a hotspot for crimes such as identity theft, data breaches, malware and phishing scams.
The real cost of cybercrime
According to the same Interpol report, the average hack of a small business system can amount to anywhere between R50 000 and R250 000 – a cost simply too large for many small businesses to recover in time to save their operations.
The cost of commercial cybercrime can amount to millions in lost revenue and productivity. This may be compounded by the cost of litigation in the case of third-party claims where data has been stolen. From a reputational perspective, the damage to a brand or business can have far-reaching consequences in terms of its ability to recruit top talent and expand its market reach. Dedicating time and resources to implementing measures that will protect the business’s digital assets and confidential information is therefore an investment well made.
Cyber policies as an industry-wide best practice
To safeguard against cybercrime, it is now standard practice for businesses to have cyber policies in place. These policies should govern how employees share, transfer and store data, how cloud technology is used and how hardware is protected by password and access management.
Cybersecurity is not an aspect of business that should be relegated to technical or IT departments alone. Every employee, supplier or individual accessing the company’s system represents a potential vulnerability. Therefore, cybersecurity should be framed and communicated as a shared responsibility. Mandatory training and contractual agreements with all stakeholders are therefore an important way of ensuring that the company’s security measures are pervasive and clear.
Consistent and constant monitoring of the cyber risk landscape
It’s also important for businesses to realise that cyber risk is not a static concept. With the current wave of industry-wide digital transformation and the accelerated speed of technological advancement, cyber risk is ever evolving. Unfortunately, the reality is that as digital technology becomes ‘smarter,’ so do cybercriminals. And despite every attempt to secure emerging software and technology, cyber criminals are highly capable of finding loopholes to exploit.
For this reason, companies should firstly secure their operations by conducting a comprehensive risk assessment and prepare for all possible threats. Secondly, companies need to invest in the expertise of professionals who can dedicate their time to staying on top of the latest developments in cybersecurity as a whole, but also in terms of any changes within their specific sectors.
Half the job of managing cyber risk is keeping abreast of how vulnerabilities are being exploited as industries become more digitised. A good example of this is the global shift to remote or hybrid working. Employees connecting to external sources of WiFi and making greater use of mobile technology has resulted in the broadening of many companies’ risk exposure. This is a factor that needs to be closely monitored so that companies can stay one step ahead of cyber criminals.
Cyber insurance as part of effective risk mitigation
Research from the 2022 SHA Risk Review – an authoritative annual study of the risks impacting SA businesses – stated that 60% of SHA’s brokers reported an increase in requests for cyber liability cover over the last year, indicative of an evolving risk landscape.
Once the necessary procedures become commonplace and widely adopted across all stakeholders in a business, cybersecurity insurance can provide an all-important safety net. While cyber policies will vary according to the unique risk profile of the business, most policies include protection against crimes such as data breaches, theft of data and cyber extortion.
Extensions to policies can include aspects such as data breach response or the cost of investigations, credit and identity theft monitoring costs, public relations expert costs and the cost of restoring data.
This is where the relationship between a business and its insurance advisor can serve as an invaluable tool for futureproofing its operations and preventing business interruption. By working closely with an advisor, businesses can ensure that their cybersecurity measure evolve as their business changes and grows. Having adequate cover in place can make the difference between whether a cybercrime leads to a company closing its doors or whether it is able to recover its losses and reputation in the long-term.
ENDS