Various media reports were published detailing how a syndicate could have possibly loaded software with the intention to damage computers onto a server at fast food outlets (mostly KFC and Famous Brands outlets), before it captured data stored on the magnetic strip of a bank card. The software is said to have been installed on Point-Of-Sale (POS) devices.
In an interview with Bloomberg, the Chief Executive Officer of PASA said that the syndicate "then either produced its own fraudulent cards or sold the compromised data to a third party".
Not only was card data stolen but losses ran into the tens of millions of rands for the banks.
Although there are several measures and tools that can be used to protect against the technical threat and the installation of malware, the main question is: how does a company protect itself against the financial losses (e.g. customers claiming for fraudulent loss of funds), given that syndicates are always looking at new methods?
Also, Cyber Risk Managers often analyze cyber vulnerabilities by looking at only one specific technology, without addressing how the risk might emerge from the interaction of those technologies, resulting in a much larger risk.
Cyber Risk and its Financial Impact
Cyber Crime is the most popular of the Cyber Security related risks, as illustrated by the incident involving South African fast food outlets and banks above. Other risks exist that also carry the possibility of a hefty financial impact as a result of a Cyber Security breach, namely:
- Loss of and Damage to Digital Assets
- Data Breaches that result in leaking of Intellectual Property and Trade Secrets
- Online and Social Media Exposures
Take a Data Breach as an example: apart from Intellectual Property and Trade Secrets being leaked, there are also financial costs associated with:
- Restoring the Company's reputation (Legal, Public Relations, Advertising and other communications related costs) and managing the crisis resulting from the breach.
- Loss of business due to interruption while normal services are in the process of being restored.
- Loss of and damage to digital assets
These are just some of the financial costs directly and indirectly related to a company suffering a data breach.
In South Africa, there are also legal implications over and above what is mentioned above, thanks to the introduction of the Protection Of Personal Information Act (POPI).
The South African POPI Act is data protection legislation that encourages government, government organisations and businesses to protect the personal information they process. It also contains a clause for people to request their "Right to be forgotten". Should an organisation not comply with POPI, the Act includes fines of up to R10 Million and imprisonment for a period not exceeding 10 years.
There is no doubt that (in South Africa at least) companies and government will start taking the protection of information more seriously, more so with the heavy fines set to be imposed and possible jail time.
But what options does an organisation have in protecting against the financial costs of cyber risk and recouping some of the financial losses in South Africa?
Cyber Risk Insurance
Normal business insurance does not cover incidents related to cyber risk, yet most companies and organisations only discover this after they have suffered a breach. As such, organisations should not only implement measures (trained staff, processes and systems) to avoid being penalised in terms of the POPI Act, but should also consider having a Cyber Risk Insurance Policy to avoid also suffering the financial impact of cyber risk.
A typical Cyber Risk Insurance Policy in South Africa covers:
- Financial costs related to hiring professionals such as attorneys, forensic investigators and any specialists required by the organisation.
- Communication and crisis management related costs such as media announcements and advertisements.
- Data / Systems recovery and restoration related to the breach.
- Financial losses due to business interruption.
At the time of writing, we could only find two companies that offer Cyber Risk Insurance Policies, namely AIG South Africa and Zurich South Africa, with other insurance companies considering offering similar policies.
Although the policy is available to almost all types of organisations, the insurance companies interviewed did mention that they may not cover (or may use their discretion in covering) some or all of the following types of organisations:
- Online Trading Platforms
- Online Gambling and Gaming
Cover Image Credit: Ivan David Gomez Arce