Vigilance is a key component

22 November 2017 | Non-life | General | Jonathan Faurie

At the beginning of October, it was reported that South Africa had suffered a massive cyber breach in which the personal details of members of the South African public were leaked on the internet.

According to an article published by TechCentral, the breach affected millions of people at a time when there was a worldwide focus on cyber security after several high profile incidents.

What are the liability concerns following these types of incidents? FAnews spoke to Santho Mohapelo, a Cyber Risk Underwriter at SHA, to get more information about where these breaches leave companies and the standard operating procedure (SOP) once a breach has occurred.

Reinforce positions

On the majority of occasions, a breach such as the one South Africa experienced will be covered by a cyber policy.

“The sooner the cyber incident is reported to the insurer, the sooner the insurer will be able to attend to the query. These experts handling the claim will not only assist the insured in dealing with the immediate threat (if there is a ransom demand), but also to contain the threat and to put in place the necessary actions to mitigate the fall-out of the incident,” said Mohapelo.

He adds that it is important for the insured to notify insurers of a cyber incident not only to ensure compliance with the policy conditions, but also because the insured requires official consent from the insurer before certain costs can be incurred.

In trouble with the law

Like the US, South Africa currently does not have a law which governs the storage of private information.

However, we are in the process of establishing this and will eventually promulgate the Protection of Private Information (POPI) Act which would offer South African citizens official legal protection against the illegal accessing of private information.

Mohapelo points out that companies may be subjected to civil lawsuits stemming from the failure to protect data belonging to third parties.

"Section 107 of the POPI Act states that any person convicted of an offence in terms of the Act may be liable for a fine or imprisonment for a period not exceeding ten years, or both a fine and imprisonment, depending on which section of the Act has been contravened," says Mohapelo.

Duty of care

A fine and imprisonment is something that company executives can ill afford. But perhaps more debilitating is the loss of trust between the company and its client.

When Equifax suffered its major data breach, the company did not immediately inform its clients of the issue. Surely a company should be compelled to do so? How many data breaches are being swept under the carpet in an effort to retain customer loyalty?

“Actions to conceal and not report cyber attacks that result in a data breach to the relevant stakeholders would be a contravention of the POPI Act, which would have dire consequences for a company. Section 22(1) of the POPI Act states that where there are reasonable grounds to believe that the personal information of a data subject (client) has been accessed or acquired by any unauthorised person, the responsible party must notify the regulator and – subject to Subsection 3 of the Act – the client. The only exception that is applicable is if the identity of the client cannot be established,” says Mohapelo.

Mohapelo adds that the notification referred to in Section 1 of the Act must be made as soon as reasonably possible after discovery of the incident. This must be done taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.

Important factors to consider

While South Africa is fairly advanced when it comes to the establishment of the POPI Act, we must remember that the Act itself has not been passed yet.

The only section that has been fast-tracked by government is the section that gives the President the power to appoint the Information Regulator, which has been done. Reports show that this will take approximately a year to establish and that the Act should be passed in early 2019, provided the timeline is unaffected.

It is also interesting to read reports that cyber policies seem to be the province of large companies. Small and medium-sized companies seem willing to take their chances and hope that cyber crime does not knock on their doors. If anything, these incidents should indicate that cyber policies are for everyone.

So what protection can companies expect? Mohapelo points out that, depending on the type of cover taken up by the insured, the insured may be able to claim for the costs of restoring data lost due to the attack or breach, business interruption losses suffered, and costs incurred in dealing with the fall-out of the incident, whether from a regulatory or reputational perspective. This will have to be assessed in conjunction with the breach response adviser and possibly other experts.

Editor’s Thoughts:
Vigilance is key when dealing with these issues. In determinations handed down within the financial services industry, the question of what systems and processes were in place to prevent the problem from occurring is always asked. Manage the fallout effectively! Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts at [email protected].

Comments

Added by Cynical Simon, 22 Nov 2017
Is POPI law or isn't it?
