By Rob Rafferty
I was sitting in a client’s reception, paging through an October 2022 edition of De Rebus, when my eye caught a well-written article ‘The need for cybercrime insurance’ by Mapula Oliphant (2022 (Oct) DR 3). It was interesting to read that the Legal Practitioners Indemnity Insurance Fund NPC (LPIIF) differentiates between professional indemnity as a risk versus cybercrime as a risk. I agree wholeheartedly. Cybercrime is a business risk and is not unique to the legal profession, with the result that cybercrime is not covered by the LPIIF. I then started paging through the other De Rebus editions and only found a few articles touching on cyber insurance as a solution to cybercrime.
I, however, do not think that cyber insurance is the solution. Let me explain.
Cyber insurance is a complex and expensive solution, and guess what? It still does not mean you are covered. There are companies that provide software and data-related work to many banks and attorney firms and, as such, have really had to beef up their risk management and cyber security. But many people reading this article probably think that they bought a better firewall, or a better anti-virus … again, let me explain.
The human element remains by far the biggest vulnerability for you and your business. AAG, an international provider of information technology and cyber security, published that, in 2023, 82% of all cyber security breaches against businesses in America involved a human element (Charles Griffiths ‘The Latest 2023 Cyber Crime Statistics (updated January 2024)’ (https://aag-it.com, accessed 31-1-2024)). This ‘social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables’ (Clayton State University ‘Social engineering’ (www.clayton.edu, accessed 31-1-2024)). Users (ie, you or your staff) are lured into exposing data, spreading malware infections, or giving others access to restricted systems. These hackers, in short, rely on, and then exploit, a user’s lack of knowledge.
If you do not have processes in place to limit this exploitation and increase these users’ awareness of cybercrimes, you are at risk.
Now, let us fast forward and look at the biggest reasons why cyber insurers will deny your claim.
The bottom line is this: Your insurance provider will assess whether you took ‘due care’ to protect your business from being compromised by a cyberattack, before approving your claim.
This is why I believe the proactive ‘due care’ part plays a much bigger role in cyber security than trying to cover your business retrospectively with cyber insurance. Do not get me wrong, cyber insurance may be very important, but if you do not implement the right tools, policies, training, and practices in your business, you are getting the basics wrong, and you are simply under a false sense of security.
In the next article, I will endeavour to look more closely at these prevention practices and how to incorporate them into policies.
Rob Rafferty BProc (UFS) LLM (UNISA) Adv Tax Cert (UNISA) Post Grad Financial Planning CFS (UFS) ISO 27001 Practitioner Certificate is a non-practising lawyer, director, and the CFO of FutureSoft in Centurion.
This article was first published in De Rebus in 2024 (March) DR 12.