FANews

TIA2023 Task Solutions... maybe it was not that obvious? - Episode 2 - SHA

15 June 2023 Myra Knoesen
Alicia Narainsamy


We asked the TIA2023 task sponsors to guide us as to what they were looking for in their tasks. Below is the guidance for Episode 2 from SHA.

Growing cyber-attacks make cybercrime one of the most potentially fatal risks businesses face today. 

As a result, cyber insurance is crucial for everyone with an online presence, more so for businesses responsible for protecting customers' information. Cyber insurance plays an essential role in helping organisations recover from any business interruptions and financial loss incurred from these attacks. 

Detailing the task

Pharmabites Limited, a fictitious pharmaceutical manufacturing company, was due to release a novel vaccine for malaria. The company was ramping up production, following health funding to roll the vaccine out across the African continent. It, however, suffered a denial-of-service cyber-attack, in which it was locked out of its business.

The Insurance Apprentice 2023 contestants had to take on the role of risk advisers, tasked with reporting back to the board (the judges) of Pharmabites on whether the company had an insurance policy to cover the loss and what financial impact this was going to have on its balance sheet.

As the episode revealed, the breach occurred at a pivotal time in this company’s life cycle as they were manufacturing a groundbreaking malaria vaccination. The cyber breach, as a result, caused serious financial harm and reputational damage. 

The necessary steps

In a perfect world, if Pharmabites had cyber insurance, the policy would respond to protect the company from the costs associated with recovering stolen or patent information, paying the ransom demanded by the hackers, as well as the legal costs if the company is sued for the consequences of the cyber-attack. It is, thus, essential for businesses to have cyber insurance, in order to secure their continued existence and to protect their finances and reputation in case of a security breach. 

However, as the contestants quickly learned on this day, it is not enough to merely point fingers around a boardroom. When a company experiences a cyber security breach, it is essential to act quickly and decisively. In the first few hours following a breach, it is necessary to take steps to ensure that the business may continue to operate and get all systems back up and running. It is also necessary to make sure all stakeholders are informed, the insurer is notified, and public relations statements are prepared. 

Additionally, it is important to take the necessary steps to initiate a cyber forensics investigation in order to identify the cause of the breach and ensure similar incidents do not occur in the future. It is essential for businesses to have appropriate protocols in place so that they can effectively respond when an incident occurs. 

The desired solution

The judges would have liked the presentation to address the following aspects:

  1. Immediate steps to get professionals to assist in resolving the cyber issue (to regain control of the system, whether by paying ransom or other actions).
  2. Communication to our stakeholders - a clear communication crisis plan to mitigate the impact on the share price.
  3. Notification of circumstance that could lead to a claim disseminated to the insurers who hold the company’s Directors and Officers cover (preferably a meeting with them to discuss best practice and next steps).
  4. Initiating PR statements with the relevant spokespeople to contain and mitigate reputational damage.
  5. As risk advisers, the contestants’ role was to minimise exposure to loss. As such, to deal with the ransom and potential leakage of the company’s IP, support in acquiring the services of Cyber Digital Forensics who could assist in the facilitation of the ransom with the hackers was certainly required.
  6. Section 76 of the Companies Act speaks to the duties and liabilities of directors. The Act addresses the standard of conduct expected from directors and extends it beyond the common law duty, imploring them to act honestly, in good faith and in a manner that holds the best interests of the business. Because cybercrime is regarded as a high risk, a reasonable director would procure cyber protection, such as a cyber policy, to guard against those risks. Because the ‘board’ did not act as a standard ‘director’ would, they were open to claims against them personally for not complying with the Act.

If Pharmabites had secured cover via SHA, for example, the cyber policy would have responded in the following ways: 

  • IT Security & Incident Response: the expertise and services of an internationally recognised IT Security & Incident Response service provider.
  • Cyber Liability: after a breach, the business may find it has to defend itself against and/or pay damages to third parties. This provides cover for legal defense costs and damages if the case is unsuccessfully defended.
  • First Party Expenses: once a breach occurs, there are costs and expenses to get the business back on track. This extension covers the costs to restore, re-collect or replace data, and of specialists, investigators, forensic auditors or loss adjusters.
  • Loss of Business Income: there will be a negative impact on the income of the business. This extension covers the net income which would have been earned, had the breach not occurred.
  • Crisis Management Expenses: every business cares about how its customers perceive it. This extension covers the costs of a public relations consultant or related advertising expenses, in order to mitigate any reputational or material brand damage.
  • Cyber Extortion & Data Ransom Demand: should company data or its system be locked by ransomware, or the company is threatened by cyber extortionists, there may be costs in negotiating with the hackers or paying a ransom demand. This extension covers the costs of the investigation into the cause of, or the payment of monies in response to or as a result of, an extortion threat or ransom demand.
  • Notification Expenses: there will be costs to notify affected parties and monitor any possible identity theft. This extension covers the expenses incurred to comply with privacy legislation and includes legal and communication expenses, as well as credit monitoring and identity theft education and assistance.
  • Regulatory fines and penalties to the extent insurable by law: legislation such as POPIA (Protection of Personal Information Act) introduced the imposition of hefty fines, penalties, and even jail time. This extension covers the legal defense costs against the sanction.

 

Alicia Narainsamy
Business Head, Digital Distribution, Marketing & PR
SHA Risk Specialists

 

 
