IIG News

IIG Insights: Cyber Risk – A Reality Check for SME’s

Darryl Grater welcomed IIG members and all attendees. Our sponsor for the webinar was Santam and the IIG thanked them for covering the costs of the webinar as it has enabled the IIG to host the webinar event for free to our industry. Darryl also briefly reminded all of the upcoming IIG/GWII ladies day event and encouraged participation and attendance.

Our speaker for the day was the charming Simon Colman who also enjoys his alternate persona of “Judge Dread” as the head judge in the ever-popular Insurance Apprentice. Simon is the Managing Director of Digital & Financial Lines at SHA and has 27 years experience within the short-term insurance industry.

Simon kicked off his presentation by unpacking the word “virus”, whereby he advised that the source of the word is biological before it became a part of the digital world. Our current pandemic climate is a grim reminder of the speed & efficiency of a virus. He went on further to underline how a viral effect works in the context of cyber and how easy it is for businesses to get infected.

Cyber Risk – SME’s sector

A recent reality check for SME’s is how Covid-19 inflamed the fault lines already in existence. We have a relatively poor plan in dealing with cyber risk and crimes. POPI is now in full force and businesses have a year to comply and SME’s will need to have an increased awareness in this regard.

Cyber Crimes:

  • ID theft
  • Theft of funds
  • Theft of data
  • Ransom & extortion
  • Vandalism or hacktivism
  • Espionage and terrorism
  • email scams (NO) – It is a digital scam but not covered under a cyber policy.

Criminals are always motivated by the potential of easy financial gain. There is an enormous market that continues to sustain these criminal events. Simon delved a bit into the workings of the deep, dark web which is a part of the internet that most people are unable to access. This space is a frightening and extremely dangerous area where criminals trade weapons, pornography, drugs and other illegal activities. An example of a product found in the dark web is ATM malware whereby hackers receive rankings based on the quality of their criminal goods. Strange, but true! It’s a nightmarish marketplace designed to attract the dredges of society. One can purchase the software and/or malware or even hire a hacker if one doesn’t have the skills.

www.haveibeenpwned.com – is a site where one can check if your info has been hacked.

LinkedIn, the business media platform, has lots of information on individuals as well as emails and passwords which people sometimes out of laziness or convenience duplicate on several personal accounts including bank accounts. Sometimes companies do reach out and inform people that their credentials have been compromised, but this is not always the case.


Each year new viruses are produced, and hackers want to maximise their efforts so normally Windows is targeted rather than MAC as there are more uses on this software. Mobile devices are attracting more android based malware. Ransomware has seen an increase since people have been working remotely. SME’s tend to pay ransom more readily rather than bigger businesses as they do not have the budget or capacity to risk having their data compromised. A short video was played to demonstrate the impact of viruses sent via email attachments. LOCKY infections are whereby hackers embed a word doc. inside a PDF doc. Your existing files become encrypted and you can only access these release codes by following the instructions of criminals. The ransoms, usually not very high, can range between $350-$1000 which for most companies and individuals is easily payable. Therefore, the volume of constant payment yields high dividends for criminals. A 2017 report indicated that South Africa was at the top of phishing attacks which are completely random attacks. Spear phishing is more targeted, more convincing and much more difficult to spot as an email could be disguised to look like it’s originated through a familiar source.

When viewing cyber risk globally, South Africa has the sixth highest average exposure to cyber crime, with businesses in the industrial and financial sectors being the most common targets for cyber crime attacks.  South Africa has a lack of publicity of attacks as businesses don’t always disclose their breach, but now with the POPI Act, disclosure will become compulsory. Financial institutes are often hacked, but often these big brands sustain these breaches without going public.

Why hack SME’s:

  • Random attack
  • Targeted clientele
  • Disgruntled employees
  • Valuable info
  • Poor security
  • Credential reuse online

Small businesses have insufficient training around cyber-attacks. Some SME’s have targeted clients with a high net-worth or executive decision makers in their companies.

Cyber & COVID-19:

Due to lockdown implementation there has been an increase in remote working and the subsequent exposures. There is unsecured storage of information on personal devices. We are also seeing an increase in phishing attacks due to the lack of awareness. COVID-19 has been an accelerator to businesses having to working remotely. Some useful risk mitigation tips are purchasing antivirus subscriptions, employee training, virtual private networks and regular vulnerability assessments.

With the sudden onset of Covid-19, many corners were cut whereby employees were using their own personal devices and their hardware could have been infected prior to having access to their company site. People are also more relaxed at home and less vigilant of phishing attacks. People have copied large files of confidential info onto hardware further increasing exposure and risk.

Business interruption:

87% of businesses who suffered a loss, indicated that they were offline between 48hrs and 12% were offline for up to three days. There have been huge losses due to the cost of downtime. 30% of reported cases exceeded R250K per incident and 7% were above R1 million.  Negligent clicking on email and transferring money to fraudulent bank accounts is not covered.

Cyber risk management:

  • 45% of companies believe they are not exposed
  • 40% relied on free anti-virus packages which are usually infected themselves
  • 27% don’t conduct regular back-ups.

No backups = 1 in 5 ransomware attacks and 34% of affected entities always paid the ransom. The average ransom being between R10 000 to R25 000.

26% of brokers have had the confidence in selling cyber coverage whilst 58% of clientele have confirmed that their brokers have not mentioned cyber insurance in their sales pitch.

In order to understand cyber risk, one needs to understand that in commercial insurance, data is an asset, assets need protecting and therefore one needs to “incentivise” cyber criminals to move next door. This simply means that firewalls in a cyber environment = perimeter fence in a residential/physical environment. One needs to build your own protection to ward away criminals.

Some simple risk management tips are having an increased awareness, managing staff behaviour, password management, consulting a security specialist, reducing unnecessary info, limiting access internally and avoiding complacency.  A large hack can impact individual credit profiles which is outside of the affordability of small companies without insurance.  When selling cyber, don’t confuse technology PI with cyber insurance. Understand the client’s business and pitch the right cover. Not all businesses have theft of data exposure cover, but most importantly, don’t confuse email scams with cyber-attacks. It always best practice for a broker to not attempt to be a tech expert with one’s clients, rather advise on employing the services of an expert.

Simon closed his highly informative session and thereafter allowed for a Q&A .  His closing remarks included that no system out there is 100% secure and South Africa does not yet have adequate qualified personnel in place. Currently, there is mostly the utilisation of global suppliers which can be extremely costly.

Darryl thanked Simon and advised all that a recording of the presentation will be available on IIG’s social pages.


By: Asiya Swaleh