Though most South African banks and fast food chains were affected by a variant of the Dexter malware last year, many are still not ready for the next cyber crime: here’s how to prepare​

Last year, Payments Association of South Africa (PASA) revealed and confirmed that most of South Africa’s banks were affected by a variant of the Dexter malware.

Various media reports were published detailing how a syndicate could have possibly loaded software with the intention to damage computers onto a server at fast food outlets (mostly KFC and Famous Brands outlets), before it captured data stored on the magnetic strip of a bank card. The software is said to have been installed on Point-Of-Sale (POS) devices.

In an interview with Bloomberg, the Chief Executive Officer of PASA said that the syndicate “then either produced its own fraudulent cards or sold the compromised data to a third party.”

Not only was card data stolen but losses ran into the tens of millions of rands for the banks.

Although there are several measures and tools that can be used to protect against the technical threat and installation of malware, the main question is how does a company protect itself?

Cyber risk managers often analyze cyber vulnerabilities by only looking at one specific technology and not addressing how the risk might emerge from the interaction of those technologies, resulting in a much larger risk.

Cyber risk and its financial impact

As illustrated by the incident involving South African fast food outlets and banks above, cyber crime is the most commonly known risk associated with cyber security. Other risks exist and also heavily damage companies’ financial health, namely:

• Loss of and damage to digital assets
• Data breaches that result in leaking of intellectual property and trade secrets
• Online and social media exposure (in the bad way)

Take a data breach as an example: Apart from intellectual property and and trade secrets being leaked, there are also financial costs associated with:

• Restoring the company’s reputation (legal, public relations, advertising and other communications related costs) and managing the crisis resulting from the breach
• Forensics investigations
• Loss business due to interruption as normal services are in the process of being restored
• Loss of and damage to digital assets

These are just some of the financial costs directly and indirectly related to a company suffering a data breach.

In South Africa, there are also legal implications over and above what is mentioned above thanks to the introduction of the Protection Of Personal Information (POPI) Act.

Legal implications

The South African POPI Act encourages government, government organizations and businesses to protect any personal information that they process. It also contains a clause for people to request their “right to be forgotten.” Should an organization not comply with POPI, the act includes fines of up to R10 Million and imprisonment for up to 10 years.

There is no doubt (in South Africa at least) that companies and government will start taking the protection of information more seriously, more so with the heavy fines set to be imposed and possible jail time.

But what options does an organization have in protecting against the financial costs of cyber risk and recouping some of the financial losses in South Africa?

Cyber risk insurance

Normal business insurance does not cover incidents related to cyber risk. Having said that, most companies and organizations only discover this after they have suffered a breach. As such, organizations should not only implement measures (trained staff, processes and systems) to avoid being penalized in terms of the POPI Act, but also consider having a cyber risk insurance policy to avoid also suffering the financial impact of cyber risk.

A typical cyber risk insurance policy in South Africa covers:

• Financial costs related to hiring professionals such as attorneys, forensic investigators and any specialists required by the organization
• Communication and crisis management related costs such as media announcements and advertisements
• Data and systems recovery and restoration related to the breach
• Financial losses due to business interruption

At the time of writing, we could only find three companies that offer cyber risk insurance policies, namely CyGeist, AON South Africa and Zurich South Africa.

Although the policy is available to almost all types of organizations, the insurance companies interviewed did mention that they may not cover (or use their discretion) some or all of the following types of organizations:

• Adult content
• Payment processors
• Online trading platforms
• Data aggregators
• Online gambling and gaming