The findings from SHA Risk Specialist’s 2022 Specialist Risk Review report have revealed that South African businesses ranked cyber-related risks in third position, behind power disruptions and labour-related matters.
In contrast to these findings, the 2022 Directors Liability Survey, conducted by WTW in partnership with Clyde & Co, revealed that the top three risks faced by directors worldwide related to cyber risks (cyberattacks, data loss, and cyber extortion).
Cyber risk management
One might wonder why South African entities have a different perspective on cyber risks compared to the rest of the world. One explanation might be that the risks faced by businesses locally have a more immediate impact that threatens the survival of those businesses, as opposed to cyber risks, which represent a future possibility. Another reason might be that directors are simply unaware of their responsibilities in this regard.
The SHA Specialist Risk Review found that 22% of firms did not discuss cyber risk management at board meetings.
Directors should focus on cyber threats because they pose a systemic risk to businesses and could place directors' personal assets at risk.
Some of the risks
The following are some of the risks that could affect the personal assets of directors:
POPIA - The regulatory environment in South Africa has intensified its focus on data protection. The Protection of Personal Information Act (POPIA), which became effective on 1 July 2021, places the responsibility for securing the confidentiality of the personal information that an organisation processes on the head of that organisation (such as the CEO). POPIA stipulates standards for safeguarding personal information, which generally include taking reasonable technical and organisational measures to prevent loss of or damage to personal information and unlawful access to or processing thereof. The consequences of non-compliance with the Act are severe and can include fines and imprisonment up to 10 years for breach of certain sections of the Act.
Actions against directors following a fine - If a fine is imposed on the entity, the entity may look to recover the fine from the directors personally, if they had not taken sufficient measures to secure the information technology systems of the entity in accordance with the duties placed upon them by the Act.
Civil liability for breach of POPIA - POPIA entitles a data subject to hold the entity liable for damages suffered as a result of a breach of the Act, including aggravated damages. The directors remain responsible for implementing data security measures. If they have breached this duty, resulting in loss to the company (due to paying damages to a data subject), the company may pursue the directors.
Shareholder actions - If the entity refuses to pursue directors for recovery of the fines or other damages, the Companies Act provides mechanisms for shareholders to pursue directors. Cyber breaches could also lead to reputational harm to the entity. Many cyber policies provide cover for public relations costs in order to mitigate this harm. Despite such mitigating actions, the share value of such entities could be diminished by the reputational damage, which could provide grounds for action against directors for the loss. We have not seen such actions locally, but the South African market generally mirrors claims trends experienced in foreign jurisdictions after a lag period, and such shareholder securities claims have been pursued in North America and Australia.
While these are novel responsibilities for directors, directors should not be ignorant of these risks. The Companies Act only regards a director as having complied with their duties when they have taken reasonably diligent steps to become informed of any specific matter (such as cyber security risks and directors’ responsibilities under POPIA), and they may be held liable under the Companies Act if they have not.
Complex insurance environment
These increased risks to directors add to an already complex insurance environment known as a hard market cycle, which is characterised by the limitation of covers, reduction of capacity, and increased pricing, as underwriters globally attempt to balance the risks and ensure the sustainability of product lines.
Pierre Lombard
Senior Claims Specialist, Financial Lines
SHA Risk Specialists
According to SHA Risk Specialist’s 2022 Specialist Risk Review report, what was ranked in third position by South African businesses?
Riots and strikes
Cyber related risks
Power disruptions
Labour
According to the 2022 Directors Liability Survey, conducted by WTW in partnership with Clyde & Co, what are the top three risks faced by directors related to?
Business interruption
Liquidity risk
Operational risk
Cyber risks
According to SHA Risk Specialist’s 2022 Specialist Risk Review report, what percentage of firms did not discuss cyber risk management at board meetings?
17%
25%
36%
22%
When did the Protection of Personal Information Act (POPIA) become effective?
On 1 June 2021
On 1 July 2022
On 1 July 2021
On 1 June 2022
What is one of the consequences of non-compliance with the POPI Act?
Fines and imprisonment up to 10 years
Imprisonment up to 3 years
Debarment on an industry-wide basis
Closure of company
What does the Companies Act provide?
A data subject to hold the entity liable for damages suffered
Mechanisms for shareholders to pursue directors
Cover for public relations costs, in order to mitigate against harm
Technical and organisational measures to prevent loss of or damage to personal information and unlawful access or processing thereof