Hollard recently highlighted cybercrime as one of the main business risks for 2017. Cyber insurance’s largest customer is the United States (US), where legislation regulates how companies have to respond to cyber-attacks.
Here in South Africa, the government is set to promulgate similar legislation soon. The Cybercrimes and Cybersecurity Bill has recently been approved by Cabinet and Parliament is set to discuss it in the next few weeks. In addition, the Protection of Personal Information Act (POPI) was promulgated last year and is likely to be operational around May this year. The United States, which already has regulations on what businesses should do in the event of a cybercrime, constitutes the largest market share of cybersecurity insurance in the world.
Since December 2015, Hollard has provided cyber liability insurance, within its Specialist and General Liabilities division, with Ryan van de Coolwijk as product manager.
Van de Coolwijk says that, while POPI will focus attention on safeguarding personal information, says companies will have at least 12 months to comply with the new legislation, meaning that little concrete may happen until May 2018.
Even so, Van de Coolwijk says: “We have seen tremendous growth in the South African cyber insurance market over the past year. As more South African companies suffer from cyber incidents and start to see the costs and implications of that the need to insure is becoming ever more apparent.”
The internet has increased South Africans’ vulnerability to events elsewhere. Last October Twitter, PayPal, Netflix and Spotify – online companies many South Africans subscribe to – were taken offline by an attack that affected them globally. In May South African-based Standard Bank was the victim of fraud amounting to around R300-million in an attack a Japanese report linked to hacking. The bank confirmed the fraud, and that it expected to lose around R300-million, but not the mode of attack. Each of these attacks causes downtime, share price drops and reputational damage.
Allied Market Research (AMR), which estimated that the global the cyber insurance market would reach $14-billion by 2022, a combined annual growth rate of 28% for 2016-22, said in the US it was healthcare organisations that took up a third of all premiums. Large companies generated around 70% of the overall cyber insurance market revenue in 20156, AMR said.
Along with South Africa, the European Union (EU) is working up to regulating how businesses must react to cybercrime. EU data regulations are set to come into force in 2018, and companies that don’t follow the EU guidelines face EUR20-million fines.
South Africa’s Bill focuses on criminalising the theft of and interference with data and compels business entities (mostly banks, internet service providers and cellphone companies) to assist in any investigation around these crimes.
Over 50 new crimes are listed in the Bill, all relating to accessing personal data; intercepting or interfering with personal data; using hardware or software to commit offences; acquiring, providing, receiving or using passwords and access codes; prohibited financial transactions; the dissemination of data messages that advocate or incite hate, discrimination or violence; copyright and participating in terrorism, spying, extortion, fraud, pirating or forgery. Fines of between R1-million and R10-million and jail sentences of between one and 10 years are provided for.
Van de Coolwijk says the Cybercrimes and Cybersecurity Bill, along with POPI “provide an important statutory framework to aide in the fight against cybercrime. It’s important that South Africa continue to take positive strides in this regard.”
One of the most common forms of cybercrime at present is the dissemination of ransomware – software designed to block a computer system until a sum of money is paid. Other forms of extortion are also becoming common.
“While there are various forms of cybercrime being encountered in South Africa, the prevalence of ransomware is astounding,” says Van de Coolwijk.“Two years ago very few had been affected by cybercrime, now most people I speak to have been or known of somebody who has been affected by cybercrime, often ransomware.”
Announcing the Cybercrimes and Cybersecurity Bill’s passage to Parliament, Deputy Justice and Constitutional Development Minister John Jeffrey said: “Technological advances have gone beyond our wildest imagination. But with great technological advances come greater risks. Research shows that our country’s comparatively high levels of internet connectivity bring with it a higher risk for cybercrime. Cybercrime activities are growing fast and evolving at a pace, becoming more aggressive and technically proficient.”
“The pervasive nature of IT and data mean that most organisations have some level of cyber risk exposure,” says Van de Coolwijk. “As technology advances and the prevalence of cybercrime continues to increase, both from internal and external threat actors, the exposures are set to increase further driving the relevance of cyber insurance as part of a company’s risk management strategy