Are you looking for cyber insurance (cyber liability insurance) to mitigate your liability for risks associated with the cyber or digital environment? This is insurance that covers your liability to others where you have failed to meet your responsibilities relating to the internet or ICT. Whilst attending our workshops, people start to understand what they could be held liable or responsible for and then ask whether there is cyber insurance available. The answer is yes: there are a few insurance companies that provide it. But what is it and what are the important things to consider?
What Cyber Liability are we talking about?
The person who decides why and how to process personal information is responsible for protecting it. If someone (a data subject) suffers damages because the responsible person fails to protect it, the responsible person can be liable for those damages. In the context of data protection, this is what cyber insurance is designed for.
You could be liable to various people in the cyber world
From a cyber security perspective, the law places various obligations on ISPs and organisations that have national critical information infrastructure (NCII). If they fail to comply with those obligations, they could be liable to someone who has suffered damages. For example, the law might require you to make people aware of the cyber security threats they are exposed to. If you don’t make them aware, you might be liable for the money they lose when they fall victim to a scam you knew about.
In South Africa, the two important laws that are relevant are the Protection of Personal Information Act (POPI) and the Cybercrimes and Cybersecurity Bill (Cybercrimes Bill). The POPI Act sets conditions for how you can process information. If your organisation processes personal information, then complying with POPI is your problem. One requirement is to secure the personal information that you process. Absolute security is impossible, so no matter how good your security is, you could have an incident or a breach. You are not necessarily liable if you have a breach; it is how you respond to it that is important. This is why incident response or data breach management is so important.
Please note: We are not an insurance broker and are not qualified to advise you on insurance.
What are some of the Cyber Risks?
What could happen to you if you don’t comply with cyber laws or your responsibilities in the cyber world?
- Suffer reputational damage
- Lose customers and fail to attract new ones
- Lose profits if you cannot operate for a period of time
- Be investigated by the Information Regulator
- Incur significant costs securing personal information after a breach
- Pay millions in damages to data subjects who institute a civil class action
- Be fined or jailed
- Lose data
You should be taking proactive steps now to comply with cyber laws and therefore mitigate these risks (including privacy-related legal risks). In addition, insurance can be an effective way of managing some of the risks. You should always aim to meet your responsibilities, protect others from harm, and thereby not be liable to them.
Cyber insurance is not a get out of jail free card
There are various kinds of insurance, and it is important for you to analyse and determine whether you are covered for the different kinds of liability you might face.
How can we help?
We are currently helping many organisations to comply with IT laws (like data protection and cyber security laws). We are expert practical legal advisers with experience with cyber laws. We can also:
- help you to find the right insurance for your needs by giving you the details of the people who offer cyber insurance,
- support and advise you if you have an incident or breach,
- advise you if you are fined or if you face a civil action by one data subject (or a class of them),
- raise your awareness about cyber liability at one of our workshops.