Internet-based liability and risks
Many business owners and executives assume that the risk of business interruption and cyber-crime will be covered by the company’s existing commercial insurance products. However, as the nature of cyber-risk grows more complex, it calls for a more specialised and focussed approach. Those responsible for risk management and for technology need to work closely together to understand and mitigate the risks through an integrated approach that incorporates a suitably designed insurance policy.
The risks are wide-ranging, from the danger of losing a notebook that contains sensitive company information or experiencing a malware attack that takes down the network, to the danger of the business’s cloud service provider leaking the company’s information or a prolonged systems outage. Companies also need to align their security and cyber-risk management with the regulatory landscape.
A range of existing and pending laws, standards and regulations sets out guidelines on how companies should protect customer data and other sensitive information – these include the Protection of Personal Information Act (POPI) and the Electronic Communications and Transactions Act.
No matter how robust a company may believe its business continuity planning and information security to be, a suitably qualified broker should nevertheless be engaged to assess the extent of indemnity offered for cyber incidents. A prudently designed insurance product will protect a company against the risk of being uninsured in the face of a potentially crippling threat to its business. The approach should encompass an evaluation of risk exposure and deal with this exposure through systematic risk management. Small companies are constantly under pressure to manage their costs, so many of them are not aware of the consequences of lacking proper cyber-cover.
A comprehensive policy will cover a wide range of losses and costs related to a cyber incident, including:
- Third-party liability: Reimbursing customers, partners and other stakeholders for damages caused by a cyber-incident.
- Legal costs: Providing cover for the costs of fighting legal action that results from a cyber-incident, and appointing a legal team.
- Notifications and alerts: Mobilising resources to alert customers of a data breach or other technology issue that affects them.
- Fines and regulatory action: Covering against penalties and fines imposed by regulators.
- Monitoring: Helping customers to monitor for credit and identity theft after a breach.
- Business interruption and systems/data recovery costs.
- Forensic investigation costs.
- Public relations: Appointing a reputation management team to help minimise long-term damage to the company’s brand and reputation.