COVID-19, in and amongst all its other ramifications, has been a catalyst for digital evolution. In this context, it is important to note that the threats and vulnerabilities of the digital world are not new but have become more frequent. The Federal Bureau of Investigation (FBI) reported a 300% increase in cybercrimes in April 2020. In March 2020, ransomware attacks increased by 148%. Between February and April 2020, phishing was up 600% and, in April, Google blocked more than 18 million COVID-19-related phishing mails each day.
A number of high-profile data breaches affecting South Africans have reiterated the danger posed by the remote-working and digitalised environment we find ourselves in. Simply put, an increasing online world means heightened risk and liability for companies and organisations. The extent of the risk in the South African context may in fact have been underreported and the implementation of the Protection of Personal Information Act 4 of 2013 (the Act) will likely lead to further disclosure of cyber breaches, as the Act is embedded with a requirement to inform customers and regulators of any breach as soon as reasonably possible. The Act also makes provision for the imposition of penalties and potentially claims for damages in the event of breaches of its requirements, creating further potential liability for companies in relation to cyber breaches.
In the face of heightened risk and an increasingly regulatory legal environment, the use of standalone cyber insurance policies has become ever more important.
This is largely because traditional insurance policies do not necessarily provide cover for these cyber-related risks. Despite this, most South African organisations are not adequately prepared for the growing risks of cybercrime, particularly in the current pandemic and the associated remote working environments. According to a 2020 SHA Report, only 18% of South African businesses surveyed possessed specialist cyber cover.
In a recent foreign case, the importance of specialised cyber insurance was emphasised. The Ontario Court of Appeal, the Canadian province’s highest court, in a March 2021 ruling upheld an insurers refusal to defend based on policy exclusion clauses. In the case of Family and Children’s Services of Lanark, Leeds and Grenville v Co-operators General Insurance Company, 2021 ONCA 0159, Co-operators General Insurance Company (Co-operators) denied a claim for a duty to defend Family and Children’s Services of Lanark, Leeds and Grenville (FCS), a children’s aid society, and Laridae Communications Inc. (Laridae) against data-related claims.
In August 2015, Laridae was instructed by FCS to conduct communication and marketing services. Less than a year later, a hacker accessed FCS’ internal network and obtained a confidential report with case files and investigations of nearly 300 people. The document was subsequently shared on social media. As a result of the disclosure, a multi-million-dollar class action suit was filed against FCS.
FCS and Laridae were insured by Co-operators in terms of a Commercial General Liability policy and Laridae, in addition, also in terms of a Professional Liability Policy. Both parties claimed that Co-operators owed them a duty to defend against the class action in terms of the policies.
Both policies contained data exclusion clauses, which provided that, “There shall be no coverage under this policy in connection with any claim based on, attributable to or arising directly or indirectly from the distribution, or display of “data” by means of an Internet Website, the Internet, an Intranet, Extranet, or similar device or system designed or intended for electronic communication of “data””. The court accordingly upheld Cooperators refusal to defend based on the policy exclusions.
South African courts have yet to substantively delve into the matter of cyber insurance. Nonetheless, it is evident that traditional insurance policies do not necessarily adequately cover cyber risk. Commercial general liability insurance is more commonly offered to protect businesses against asset damage such as property destruction, employee injury and natural disasters.
It is therefore vital for companies to assess the current risks brought about by COVID-19, particularly those associated with remote working and the current regulatory environment and establish whether they are adequately covered against potential cyber threats.
Byron O’Connor Vaughn Rajah