Don’t be left in the dark

26 August 2019 Jonathan Faurie

For the past five years, cyber risks have been rated as one of the top risks that global businesses face.

On 26 July, it was reported that cyber criminals targeted City Power in Johannesburg and caused a major blackout in the city. The attack caused blackouts across the city as cyber criminals took control of the City’s power servers which prevented residents from purchasing electricity. 

CityPower Johannesburg successfully restored its encrypted servers within hours of the security breach being identified. 

In an exclusive interview with FAnews, John McLoughlin, MD J2 Software, and Candice Sutherland, a Cyber Insurance Underwriter at iTOO Special Risks, pointed out why this is attack was so significant. 

Major risk

In the past, cyber criminals were targeting companies which had specific information that criminals wanted. As a result, the impact of the criminal activity affected a specific number of people. 

While the motive has not changed, the attack on City Power is one of the first of its kind on a service provider where the impact of the criminal activity would be indiscriminate and far reaching. This is very scary. 

McLoughlin points out that companies need to be aware of the risks they face and how they can counteract them. 

“Businesses and individuals share information on a daily basis. If you are not visible online, you are not visible. In the same way your customer will find you online, the attackers do their research this way too. Online information often includes details of customers and successes. The more successful the company and the greater the online activity, the bigger a target they become. Once a company is identified it is easy to target specific individuals at the business. This is initially done through social media sites,” says McLoughlin. 

He adds that once this is done, the attacker interacts through email and even by phone. This way, when they deliver an email with a link or malicious attachment, the user is very likely to open it.   

Necessary protection
When the threat of cybercrime first came to light, companies were very much of the opinion that they would deal with the issue if they became a victim. However, in the current landscape, it is more a case of when they become a victim. This can be catastrophic if they don’t have the necessary protection in place. 

“Attackers first look to gain access. Once they have established access, they are essentially inside the network and can easily find vulnerabilities to exploit. In cases where there is cyber hygiene was not undertaken, this can be a very easy task. The more time attackers spend on the inside, the greater their chances of success. I always recommend that the basics are done without fail. This includes patching machines, devices and applications. Deploying modern end-point protection, internet security and active monitoring. With the basics in place, you need to ensure there is user awareness. The entire system can fall on its face if the people operating it do not know what they need to look out for and what the risks are,” says McLoughlin. 

He adds that businesses need to understand that compromise will happen; live with the fact that it is a matter of time until there is an issue. A security layer will fail. “This is why it is critical that each business has a cyber resilience strategy in place. Cyber resilience, when correctly implemented, will ensure that a single failure may lead to a compromise, but this can be identified and stopped before it becomes a full-blown breach,” says McLoughlin. 

A booming industry

Cybercrime is a booming industry. Sutherland points out that:

  • If cybercrime were a country by gross domestic product (GDP), it would be the 13th largest country in the world;
  • Cybercrime generated $1.5 trillion in profits for hackers at the end of 2018;
  • Global cybercrime damages are predicted to cost $6 trillion annually by 2021; and
  • The South African Banking Risk Information Centre (SABRIC) says South Africa has the third highest number of cybercrime victims worldwide, losing about R2.2 billion a year. 

“Traditional liability policies were not designed to respond to intangible losses, so it is imperative to acquire a policy specifically designed to respond to a network breach or privacy breach. Cyber insurance policies were created to cover both events as well as allow access to the correct service providers needed to recover fully from a cyber incident,” says Sutherland. 

She adds that a cyber insurance policy extends to cover numerous incidents including but not limited to:

  • cyber extortion (ransomware, to prevent denial of service or publishing of stolen data);
  • denial of service (disruption to operations);
  • downstream attack (a compromise of the insured’s environment resulting in damages to others); and 

Important questions

Before making any decisions on the physical measures that need to be put into place to combat cyber crime, companies need to assess their business model and establish certain parameters. 

Sutherland says that companies need to ask questions like what is the company’s level of dependency on your IT systems? How long would it take the company to recover operations following criminal activity? And what is the company’s daily business interruption exposure? 

Editor’s Thoughts:
The attack on City Power is a sobering reminder about the potential havoc cybercrime can cause. Imagine cyber criminals turned their sights on a bigger target, like an SOE that is barely treading water and is dealing with so many other problems that cyber resilience is not a top priority. Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts

Comment on this post

Email Address*
Security Check *
Quick Polls


In terms of vicarious liability, damages should not be borne by companies in all conditions, but only in those circumstances which it is reasonable for them to do so. Do you agree?


Yes, damages should only be borne by companies in those circumstances which it is reasonable for them to do so.
No. If there is a sufficiently close link between the employee’s acts and the purposes and business of the employer, the employer should be held liable for delicts committed by their employees.
As long as the employee is acting within the course and scope of his or her duty… the employer will be held liable.
A E fanews magazine
FAnews October 2019 Get the latest issue of FAnews

This month's headlines

Non-disclosure - a question of fairness
Level of insurance regulation notably tightened
The cost of treating cancer
Employee Benefits… an untapped opportunity
Bound to NHI… whether you like it or not
A stormier world for marine insurers
Examining the application of reinstatement clauses
Subscribe now