Is cyber risk insurance a priority for your school? You may not fully understand your organisation’s cyber and data privacy risks until an event occurs, and by then it may be too late.
We live in a technologically connected environment and cyber security has become a widespread concern. School management teams must consider the overlap of the Cybercrimes Act with the Protection of Personal Information Act 4 of 2013 (POPIA), as well as other related regulatory codes and pieces of legislation. These laws make schools culpable when data breaches occur, and schools, like all businesses, can be especially hard hit by such claims.
The Cybercrimes Act criminalises, inter alia, the disclosure of data messages which are harmful. Examples of such data messages include:
- those which incite violence or damage to property
- those which threaten persons with violence or damage to property, and
- those which contain an intimate image.
Schools and, in fact, all organisations should look carefully at the malicious communications provisions of the Cybercrimes Act.
Other offences include cyber fraud, forgery, extortion and theft of intangible property. The unlawful and intentional access of a computer system or computer data storage medium is also considered an offence, along with the unlawful interception of, or interference with, data.
What does the Cybercrimes Act cover?
The above-named offences create a very broad ambit for the application of the Cybercrimes Act, which defines ‘data messages’ as data generated, sent, received or stored by electronic means, where any output of the data is in an intelligible form.
The Act also imposes obligations on service providers: to assist in the investigation of cybercrimes, for example by furnishing a court, on application, with certain particulars (which may involve handing over data or even hardware); and to report cyber offences without undue delay and, where feasible, within 72 hours of becoming aware of them.
There is now an even greater need for organisations to ensure they are covered against cybercrime. In South Africa, there is an increasing range of companies that offer comprehensive risk cover.
This may include, among other things, cover for business interruption loss; data loss and restoration; incident response and investigation costs; and legal costs and liability arising from a failure to maintain the confidentiality of data, unauthorised use of your network, or even extortion.
While there is no standard for cyber insurance, most companies that offer this specialised insurance in South Africa tend to offer a combination of first party coverage, which covers direct losses incurred by your organisation, and third party coverage, which covers external claims from clients or partners.
Do your homework
Research is vital when looking into acquiring such a policy.
You will need to make sure that the policy is designed to minimise the effects of a cyber event on your own organisation (first party cover). The policy must protect your school, assist with the costs of recovering and restoring your data, provide cover if there is an extortion demand (especially one arising from a ransomware attack), and cover crisis management expenses following an incident.
The policy also must extend cover to protect against claims made against you from clients or partners in the event of a data breach (third party cover). This cover will protect your rights as the insured from liability claims resulting from the loss of personal confidential information.
Cyber insurance is specifically meant to cover the diverse costs and damages arising from a network security or privacy breach, and it covers what was previously not considered a business risk for schools.
What should a cyber insurance policy cover?
It is advisable that each prospective policy holder ensures that any such policy is carefully customised to its likely needs, according to the nature of its business.
The policy must at least cover:
- Data liability – covering the damages and defence costs associated with a breach of personal or corporate data. You must consider the costs of identifying the breach, repairing it (including any disciplinary actions necessary) and also the compulsory notification to all affected parties, including the Information Regulator, now that the Protection of Personal Information Act has been promulgated. Remember how much detailed and very personal information each school processes.
- Data security – damage resulting from any breach of duty that ends in:
  - contamination by malicious code from third party data (malware)
  - improper or wrongful denial of access by an authorised third party to data (outsourced storage and cloud storage)
  - the theft or fraudulent use of an access code or biometric device from premises, mobile devices or storage, such as briefcases, computer systems (including a virtual private network), or employees
  - the destruction, modification, corruption, damage or deletion of data stored on any computer system, whether on premise or in a remote storage system, due to a breach of data security
  - the physical theft of hardware, as well as the simple failure of hardware and data restoration costs
  - data disclosure due to a breach of data security. This also extends to the physical security of files, notes and copies of personal documents in your own office.
- Data administrative investigation – provides costs and expenses for legal advice and representation in connection with a formal investigation by the Information Regulator or other regulator or state organisation.
- Notification and monitoring costs – provide for the costs and expenses of the data user for the legally required disclosure to data subjects.
- Data administrative fines – insurable fines and penalties due to a government authority, regulator, or data protection authority for a breach of data protection laws or regulations. Remember the enhanced additional fines that have been applicable since 25 May 2018 in terms of the General Data Protection Regulation if your school deals in any way with European Union citizens’ personal data (international students or data storage).
- Repair of the company’s and individual’s reputation – reimbursement of costs incurred in relation to reputational damage due to a claim covered by this policy. Repair of reputational damage is by no means an easy task and may, in fact, be far easier said than done, so the embedding of personal data protection principles and practices throughout your firm is really important.
While not all cyber insurance providers offer exactly the same coverage, there should be a fair number of similarities across offerings and providers. Investigate all possible options and ensure that your service or business and its particular risks are covered. Always look carefully at your client base and your own existing risks, including physical and digital weaknesses.
Remember that humans pose as much of a risk as anything else. If you and your staff are not sufficiently cyber aware and alert to risks, then education on a continuing basis is critical.
The value of data as an asset, the oil of the new economy, cannot be overstated.