Cyber security is getting closer to the boardroom, and it is only a matter of time before a failure to implement basic cyber security protocols will result in claims against directors and officers (D&O) in South Africa – as is already happening elsewhere. This was one of the points made by attorneys from insurance law firm Clyde & Co who participated in a recent webinar, hosted by SHA Risk Specialists, on cyber claims.
Lee Astfalck, a partner in the firm, and legal director Christopher MacRoberts drew on some case studies (see below) to highlight important lessons and trends that intermediaries can bring to their clients’ attention when selling cyber insurance and advising them on managing cyber risks.
Clyde & Co has seen a significant increase in cyber claims in the past 12 months, and “an explosion” in the number of claims in the past month, Astfalck said.
These claims have been across a broad range of industries and have involved entities of all sizes, from SMEs to listed corporates. It is worth emphasising at the point of sale that any entity can be the victim of a cyber-attack, he said.
Note the liabilities and fines provided for in Popia
Astfalck highlighted some of the provisions of the Protection of Personal Information Act (Popia) that can have significant implications for the liability of responsible parties in the event of a data breach.
Section 99(1) enables data subjects to institute proceedings against responsible parties for non-compliance with or breaches of the Act, irrespective of whether there has been intention or negligence. This sets a fairly low threshold that the claimant has to overcome to prove a claim in law.
Clyde & Co anticipates that section 99(1) and the relatively low threshold will encourage data subjects to pursue claims against responsible parties, Astfalck said.
Section 99(3) affords the courts the discretion to award data subjects compensation in the form of just and equitable damages, including aggravated damages.
Currently, it is not known how the courts will interpret “just and equitable damages” or “aggravated damages”, but the wording of the section suggests the possibility of fairly significant damages in appropriate circumstances, and these could include punitive damages, Astfalck said.
Section 109 enables the Information Regulator (IR) to impose administrative fines of up to R10 million. In imposing such fines, the IR is entitled to consider various factors, of which an important one is the failure by a responsible party to carry out a risk assessment or a failure to have policies, practices and procedures in place to protect personal information.
The board of directors has the responsibility to ensure that the company complies with the relevant laws and regulations, including Popia. If a company faces civil claims or administrative penalties, it is foreseeable that the knock-on liability could mean that scrutiny will turn to its individual officers, particularly because of their responsibility to ensure the company has appropriate risk assessments, policies and procedures, Astfalck said.
He said it is important to emphasise to clients that is not only the company that might be in the firing line in the event of a data breach but the individual directors and officers too – which would have to be addressed by a D&O policy.
Turning to the recent data breach at TransUnion, Astfalck said this seems to be the first time the IR has exercised its powers in terms of section 22(6): to direct a responsible party to publicise in the manner specified the fact of any compromise of personal information if the IR believed such publicity would protect an affected data subject.
He said the IR’s response suggests it is starting to flex its muscles when it comes to information breaches and is moving towards assuming a more active role.
Case study 1. An attack on one company in a group can have a knock-on effect on the group’s subsidiaries.
In this case, a malware attack on a warehousing and logistics company resulted in a further ransomware attack on one of its subsidiaries. This also highlights the potential risk that arises when a company acquires new subsidiaries. The insured should be made aware of the need to integrate a subsidiary into the group’s IT structure and security system.
The malware attack caused business interruption-related losses not just to the target company but also to its subsidiary.
Astfalck said the incident highlighted the devasting impact that a cyber-attack can have on a company’s services, particularly in first 72 hours and in the first seven days of the incident.
He said it is not overstatement that certain cyber incidents can halt a company’s operations completely. Meanwhile, the company must devote all its resources to ensuring that the hackers are no longer within the IT environment and the company’s data is secure. It also has to assess what data has been potentially accessed or compromised. As a result, it can take a number of days before the company is up and running again.
Another noteworthy take-away from this incident was that the company’s customer agreements contained some onerous non-disclosure and confidentially clauses and reporting obligations.
Astfalck said responsible parties did not only have to watch their reporting obligations in terms of Popia, but also their contractual reporting obligations to customers and suppliers, which might be more onerous than the legislative requirements.
Section 22 provides that the responsible party must notify the IR and data subjects, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system. In other words, Astfalck said, this section provides responsible parties with some breathing space to report to the IR once they have taken control of their IT environment. But this might not be the case in terms of their contractual obligations.
Case study 2. Failing to implement basic security protocols could have serious consequences.
An employee clicked on a phishing email link while on a music streaming site. He was taken to a spoof website, where he input his account details. The hackers used a credential harvesting tool to obtain administrator privileges on the insured’s IT system and acquired four terabytes of data before encrypting the system.
The company, a payment authorisation service provider, had not implemented multi-factor authentication (MFA), which enabled the hackers to enter its IT system undetected. Fortunately for the company, the disruption was relatively minimal.
MacRoberts said the insurer was concerned about the implications of inadequate basic security and whether this could trigger D&O cover if a claim was made against the company’s information officer because of a breach of Popia.
The insurer confirmed that because MFA would be mandatory only at the next renewal, the policy would respond despite the absence of MFA.
However, following notification, no response was received by the affected data subjects or the IR, and no claims were lodged against it or the information officer.
MacRoberts said the key take-aways from this incident are:
- The importance of implementing MFA is part of the global shift to tougher onboarding assessments for cyber insurance.
- Businesses need to prioritise their IT security and adapt more quickly to global best practice by, for example, implementing MFA and conducting cyber-security training for employees. However, one of the challenges in South Africa is that there are no prescribed minimum standards for cyber security, so it is up to the insured to determine its level of cyber security.
- Insurers are looking to their clients to take more responsibility for their IT security and to participate in the risk. This is evident in the revised limits and excesses at renewal.
- Cyber security is getting closer to the boardroom. It is only a matter of time before a failure to implement basic cyber security protocols will result in D&O claims in South Africa.
Case study 3. Effective incident response management can save time and money.
When an engineering company suffered a ransomware attack, its IT department immediately followed their incident response playbook and notified the head of legal, who notified the insurer.
The insurer appointed an incident response manager (IRM), which had already conducted “a meet the breach coach” preparedness session with the insured, so the company was familiar with how the response team would work.
MacRoberts said this case was a rare situation where everything “just worked”.
The insured leveraged the pre-existing relationships it had built with the IRM and other specialists to respond quickly to the incident. As a result, all the costs were “remarkably” contained within the 72-hour emergency response period, and the insured did not have to pay anything out of its excess.
All the costs were submitted timeously to the insurer and accepted.
He said the broker “was pivotal in managing expectations between the insured and the IRM” and played a crucial role in communicating and providing feedback and giving comfort to the insured.
Dos and don’ts for building cyber resilience
MacRoberts said the case studies highlighted some important dos and don’ts when it comes to cyber incidents.
- Brokers should set up a “meet the breach coach” session where the IRM team will discuss the insured’s response plan and provide advice on how it can be developed. This can result in massive savings in time and impact when an incident occurs.
- Run breach scenarios to test an organisation’s readiness for a cyber incident. These can even be live simulations without the company’s executives being informed beforehand.
- The organisation’s data must be backed up regularly and stored in a separate, secure server environment. Separate storage is important because if malware runs through the organisation’s server and contaminates the back-ups, it cannot be used to restore the system.
- Communication is crucial, particularly in the initial stages of an incident. Establish strong communication channels between the cyber security, security operations centre and management within an organisation and know who is responsible for what.
- Don’t make a cyber insurance policy generally accessible. In the case of ransomware attacks, hackers look for the policy so they can apply leverage once they know the policy limits. Store the policy in a separate, high-security environment or, better still, keep a hard copy in a secure place.
- Don’t try to negotiate with hackers without third-party assistance. IT staff sometimes think they can get ahead of an issue if they engage in negotiations. But cyber claims often go wrong during negotiations. Ransom negotiations are difficult, and as with a human hostage situation, they should only be conducted while receiving specialist advice from an insurer or law firm.
- Don’t wait until after an incident to implement improved cyber security measures, such as MFA.
- Don’t create panic in the organisation. Cyber incidents are stressful in themselves without employees leaking information to outside parties and the media. Work through the incident systematically.