A kind of digital vaccine: The importance of insurance coverage for cybercrime

COVID-19, in and amongst all its other ramifications, has been a catalyst for digital evolution. In this context, it is important to note that the threats and vulnerabilities of the digital world are not new but have become more frequent. The Federal Bureau of Investigation (FBI) reported a 300% increase in cybercrimes in April 2020. In March 2020, ransomware attacks increased by 148%. Between February and April 2020, phishing was up 600% and, in April, Google blocked more than 18 million COVID-19-related phishing mails each day.

13 Apr 2021 3 min read Dispute Resolution Alert Article

At a glance

  • The COVID-19 pandemic has accelerated digital evolution and increased the frequency of cybercrimes, such as phishing and ransomware attacks.
  • South African organizations face underreported risks of cyber breaches, and the implementation of the Protection of Personal Information Act (POPIA) may lead to further disclosure and potential liability for companies.
  • Standalone cyber insurance policies have become crucial as traditional insurance policies often do not cover cyber-related risks adequately. However, a majority of South African businesses lack specialist cyber insurance coverage.

A number of high-profile data breaches affecting South Africans have reiterated the danger posed by the remote-working and digitalised environment we find ourselves in. Simply put, an increasing online world means heightened risk and liability for companies and organisations. The extent of the risk in the South African context may in fact have been underreported and the implementation of the Protection of Personal Information Act 4 of 2013 (the Act) will likely lead to further disclosure of cyber breaches, as the Act is embedded with a requirement to inform customers and regulators of any breach as soon as reasonably possible. The Act also makes provision for the imposition of penalties and potentially claims for damages in the event of breaches of its requirements, creating further potential liability for companies in relation to cyber breaches.

In the face of heightened risk and an increasingly regulatory legal environment, the use of standalone cyber insurance policies has become ever more important. This is largely because traditional insurance policies do not necessarily provide cover for these cyber-related risks. Despite this, most South African organisations are not adequately prepared for the growing risks of cybercrime, particularly in the current pandemic and the associated remote working environments. According to a 2020 SHA Report, only 18% of South African businesses surveyed possessed specialist cyber cover.

In a recent foreign case, the importance of specialised cyber insurance was emphasised. The Ontario Court of Appeal, the Canadian province’s highest court, in a March 2021 ruling upheld an insurers refusal to defend based on policy exclusion clauses. In the case of Family and Children’s Services of Lanark, Leeds and Grenville v Co-operators General Insurance Company, 2021 ONCA 0159, Co-operators General Insurance Company (Co-operators) denied a claim for a duty to defend Family and Children’s Services of Lanark, Leeds and Grenville (FCS), a children’s aid society, and Laridae Communications Inc. (Laridae) against data-related claims.

In August 2015, Laridae was instructed by FCS to conduct communication and marketing services. Less than a year later, a hacker accessed FCS’ internal network and obtained a confidential report with case files and investigations of nearly 300 people. The document was subsequently shared on social media. As a result of the disclosure, a multi-million-dollar class action suit was filed against FCS.

FCS and Laridae were insured by Co-operators in terms of a Commercial General Liability policy and Laridae, in addition, also in terms of a Professional Liability Policy. Both parties claimed that Co-operators owed them a duty to defend against the class action in terms of the policies. 

Both policies contained data exclusion clauses, which provided that, “There shall be no coverage under this policy in connection with any claim based on, attributable to or arising directly or indirectly from the distribution, or display of “data” by means of an Internet Website, the Internet, an Intranet, Extranet, or similar device or system designed or intended for electronic communication of “data””. The court accordingly upheld Co-operators refusal to defend based on the policy exclusions.

South African courts have yet to substantively delve into the matter of cyber insurance. Nonetheless, it is evident that traditional insurance policies do not necessarily adequately cover cyber risk. Commercial general liability insurance is more commonly offered to protect businesses against asset damage such as property destruction, employee injury and natural disasters.

It is therefore vital for companies to assess the current risks brought about by COVID-19, particularly those associated with remote working and the current regulatory environment and establish whether they are adequately covered against potential cyber threats.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.