Don’t wait for the POPI act to cyber-insure

March 13, 2017

Ryan van de Coolwijk | 13 March 2017

With the stage set for the implementation of the Protection of Personal Information Act (POPI), although probably not for at least the next two years, questions are doing the rounds about whether an organisation needs cyber insurance to protect itself, or its clients, in the event of a privacy breach.

Firstly, let me clear something up about POPI and cyber insurance. I am often asked, “Why does my company need insurance against a breach of clients’ personal information if the POPI laws are not yet in place?” Despite all the hype, the two are independent of each other: the case for cyber insurance does not depend on POPI being in force.

Granted, there is currently no legislation that compels a business to notify anyone of, or own up to, an incident. Businesses can (and often do) simply sweep it under the carpet and hope for the best. But cyber insurance is very relevant irrespective of POPI. Yes, the Act will make some of the actions the cover provides for mandatory, but companies are already exposed and can suffer costs and damages for things like:

  • Loss of business income and increased cost of working
  • Liability claims from those suffering damages, for example if a bank’s customer data is stolen and used to commit fraud
  • Investigation costs to determine the cause, contain the issues and understand how to protect against further incidents
  • Responding to cyber extortion demands such as ransomware, which is quite rampant in the South African market

It’s worth noting that traditional business interruption policies require physical or tangible damage in order to trigger cover. Downtime caused by a cyber attack, or by a malicious employee modifying code, typically causes no physical damage and so would not trigger a traditional policy.

South Africa is generally seen as quite an easy target, with many local companies falling victim to various forms of cyber crime.

Many of the risks and exposures are very relevant irrespective of POPI being in place. Following an incident, even if you don’t notify the media, a company would want to conduct forensic investigations to understand the incident and manage it accordingly.

Through a forensic investigation you get insight into:

  • How the compromise occurred and what actions the attacker took, including any additional access mechanisms (backdoors) established to get back into the network. This is important in understanding which vulnerabilities were exploited and what needs to be done to remediate the environment
  • What data was compromised and when. This is important in determining whether further incident response activities are required, including notifications to affected parties and remediation services such as credit monitoring

Attackers typically do not stop at the first server they manage to compromise. Rather, they spend time mapping out the network, looking for the most valuable data or the key systems to target, and establishing several routes back into the network so that closing the original entry point alone does not lock them out.

Similarly, attacks such as ransomware are rarely isolated events and often serve as a smokescreen for other nefarious activity. Many victims, having paid the ransom and, with a bit of luck, received the key to decrypt their data, assume the worst is over, only for another attack to follow soon thereafter. A forensic investigation will establish whether the original vulnerability has been closed, whether the ransomware left behind any additional malware, and whether it was merely a smokescreen for implanting malware to steal data.

Forensics and post-event monitoring play an important role here: they determine whether any additional actions were taken and check for indicators of further malicious behaviour.

So don’t wait for POPI to come into force before getting your systems checked and your cyber insurance in place. A good policy will not only give you liability cover, but will also pay for the forensic investigation needed to find out what happened and to help prevent future incidents.