Evolving cyber risks and the Protection of Personal Information Act (POPIA) has created a greater awareness of the financial impact of cyber risks, considering the fact that maximum penalties under POPIA are a R10 million fine or imprisonment for a period not exceeding 10 years or both.
It emphasises the need for organisations to increase their understanding of cyber insurance. Aon South Africa, insurance brokerage and risk advisors, today released its Insurance & Data Privacy report, which highlights the impact that POPIA will have on organisations and identifies how cyber insurance can assist.
POPIA came into effect on 1 July 2020 and following the 12-month transition period, organisations must be compliant with POPIA by 1 July 2021. The act was adopted to protect the rights to privacy of natural living persons and in addition, extended to include existing legal persons, putting forth minimum requirements for processing personal information[2], aiming to:
- Give effect to the constitutional right of privacy, in particular the safeguarding of personal information.
- Regulate the processing of personal information in harmony with international privacy standards.
- Prescribe minimum requirements for the lawful processing of personal information.
- Provide rights and remedies to protect data subjects against unlawful and illegal uses of their personal information.
- Establish an Information Regulator – to promote, enforce and fulfil the rights protected by POPIA.
As organisations seek to comply with the requirements set out in POPIA, it will become increasingly important for their businesses to make operational changes to the way they process personal information.
“One of the requirements set out in the act is for organisations to appoint an independent member of their organisation to perform the function of a data protection officer (referred in POPIA as ‘information officer’), ensuring that the principles of POPIA are adhered to and form part of the overall organisational culture,” Zamani Ngidi, Cyber Solutions Client Manager at Aon South Africa explains.
“The function can be performed by an individual or a group of individuals, who are familiar with the organisation’s operations and processes. This stipulation, alone, highlights the operational changes that need to be adopted in order to comply with the legislation,”
Cyber insurance and POPIA
The scope of POPIA is broader than most cyber insurance policies which are often triggered by privacy or security incidents, whereas POPIA violations can also be triggered by non-compliance, separate and apart from a privacy or security incident.
“The current insurance market does allow for some expansion of cover to specifically address certain instances of non-compliance as it relates to POPIA, but the language of such insurance policy must be carefully drafted and reviewed. Where a cyber insurance policy is intended to cover such fines, a key issue for organisations is the extent to which those fines are insurable,” says Zamani.
Typical cyber insurance policies only insure fines when insurable by applicable laws, and generally stipulate that the insurability of fines or penalties shall be determined by the “laws of any applicable jurisdiction that most favours coverage for such monetary fines or penalties.”[3]
“From a South African perspective, it is not possible to insure against criminal fines as a matter of law and public policy. Insuring administrative fines is not expressly prohibited but such fines are likely to be found uninsurable as a matter of public policy. Organisations should also consider other costs and liabilities that could result from non-compliance with POPIA,” says Zamani.
“Cyber insurance policies do, however, play a central role in how an organisation manages and mitigates cyber related risks. It may protect an organisation by not only providing financial indemnification after a cyber incident has gone wrong, but also offering other term consultancy to help improve security and on-the-ground incident response support during a period of crisis following a cyber incident,” Zamani explains.
“POPIA fundamentally changes business requirements in processes such as, incident response and business continuity, making it crucial for organisations to evaluate the value that can be unlocked from the insurance market via forensic consultants, experience in handling claims and incidents that may be somewhat unfamiliar to the business.
“Consulting with a professional broker that specialises in cyber risk will be well worth the effort in achieving a better understanding of their exposures and to navigate the complex relationship that exists between POPIA and cyber risk,” urges Zamani.