The South African insurance industry accounts for 18% of the financial sector in South Africa. According to the Veeam Data Protection Trends Report in 2022, 85% of South African organizations suffered ransomware attacks, making cyber attacks one of the biggest causes of business interruption and it is only predicted to get worse. To break down the industry, Catherine Pienaar completed a comprehensive analysis of the cyber risk in the South African insurance industry as part of the completion of her Certified Cyber Insurance Specialist (CCIS) training.
Lack of Legislation in the South African Insurance Industry
South Africa has generally been slow to adopt appropriate cybersecurity measures, especially in the insurance industry. South Africa’s data privacy legislation, The Protection of Personal Information Act, only became effective on July 1, 2021. Before then, there was no legislation requiring the reporting of data breaches. The lack of well-publicized South African breaches further perpetuated ignorance regarding cyber attacks against South African entities. Moreover, many South African companies have no basic cyber security controls in place, namely multi-factor authentication, appropriate backup processes, suitable patch management, employee awareness training, access management, mail filtering, or encryption. In the absence of these protective measures, there are huge vulnerabilities that can be exploited. 49% of South African organizations reported accidental deletion, and overwriting of data or data corruption as a primary cause of IT outages. The average cost of a data breach in South Africa was 58 million rand in 2021, highlighting the financial implications of cyber risk in the insurance industry.
AI in the South African Insurance Industry
The South African insurance industry has begun to implement AI tools to create customer behavioral models. Additionally, the industry is moving toward digital client interaction and back-office processes, for example, a significant technological shift was experienced in response to lockdown measures during the pandemic. Some AI tools and algorithms, like Natural Language Processing (NLP), are employed in chatbots for claims processing and robo-advisors for product selling. These technologies enable profiling of existing policyholders for lifetime analysis, informing product innovation, and assessing the suitability and sufficiency of cover.
Third-party risks and cybercrime In the South African Insurance Industry
The large companies in the South African insurance industry have several entities within their portfolio, leading to interconnected systems and an increased attack surface. The usage of third-party software for policy and claims administration further expands this attack surface, heightening cybersecurity concerns. Additionally, load-shedding in South Africa, due to challenges faced by power provider Eskom, poses a significant risk to physical security systems. Without sufficient redundancies, these systems are vulnerable during power outages, potentially leading to increased cyber risk.
Astronomical Financial Loss in the South African Insurance Industry
South Africa ranks sixth globally, in terms of the top 10 countries found to have experienced the most cybercrime, with 52 victims per one million internet users. Interpol reports that cybercrime cost the South African economy 573 million rand in 2016. A 2021 Accenture report indicates that this cost has increased to 2.2 billion rand per year, with ransomware plaguing public and private institutions. According to estimates, South African businesses’ annual loss experienced due to phishing attacks and internet fraud amounts to 250 million rand. It is crucial for insurance companies to take immediate action by implementing cybersecurity measures, conducting regular risk assessments, and providing comprehensive training to employees, in order to safeguard sensitive data, protect financial interests, and maintain trust in the insurance sector. Insurance professionals must be aware of these risks to help safeguard any clients they might have in the region and to protect themselves.
In conclusion, it is important that insurance professionals are aware of these risks in order to help protect the clients they might have in the region and for their own safety. To ensure that sensitive data, financial interests, and trust are maintained in the insurance sector, it is imperative that insurance companies take immediate action by implementing cybersecurity measures, conducting regular risk assessments, and providing comprehensive employee training.