You have decided to take out insurance against loss due to cyber-crime related activities. But what are your obligations to mitigate the loss that may be incurred? Just as you may be required to have an alarm system fitted in your house to comply with your household contents insurance policy, it is important to read the fine print of your cyber-crime related insurance policy.
Examples of policy clauses are:
- Exclusions: “this policy does not cover any deliberate or intentional loss, damage or liability or omission caused or incurred by you or by any person acting with your express or implied consent”
- Obligations: “you as well as your employees, representatives and agents must do all that you reasonably can do to prevent legal liability, or loss.”
The terms and conditions of your ‘cyber-crime’ policy may oblige you to take measures to protect your information. If you are obliged to take such measures, are you lawfully permitted to do so?
Chapter 2 (Bill of Rights) of the Constitution of the Republic of South Africa, 1996, provides that ‘everyone has the right to privacy, which includes the right not to have … the privacy of their communications infringed’ and accordingly, this must be kept in mind at all times. The right to privacy, however, is not absolute.
The Regulation of Interception of Communications and Provision of Communication Related Information Act 70 of 2002 (‘RICA’) governs the interception or monitoring of communications in both paper-based and electronic form. RICA prohibits the interception of communication, a term it defines broadly, and sets out exceptions to that prohibition. Employers must therefore make sure they do not fall foul of RICA, ideally by obtaining employees’ prior consent to the interception of their communications during their employment (for example, by way of an appropriate clause in the employee’s employment contract). It would also be advisable to require employees to use only specified email addresses and designated mobile devices when conducting employment-related communication. Employers could also rely on the exception contained in section 6 of RICA as a means of intercepting ‘indirect communication’, as defined in that section, but the provisos in the section need to be kept in mind.
Other provisions to be aware of which may appear in a cyber insurance policy include:
- encryption requirements that you must adhere to for the communications your business engages in;
- the level of cover relating to hardware or software that is damaged may be limited to the actual hardware or software damaged, and it is possible that it will not provide for any upgrades;
- exclusion of certain types of loss incurred, such as future revenue or harm to reputation;
- exclusion of breach of privacy that relates to hard copy (paper-based) files or information;
- exclusion of loss to you due to a cyber attack on a third-party service provider.
With cyber-crime being a relatively new and ever-changing threat to business, it is important to have the necessary business processes in place to facilitate compliance with policy provisions, and also to implement best practice so that your business is in the best possible position in what could be the worst of times.
If you need assistance with a review of your insurance policy, we are well placed to assist you. Alternatively, if you are an insurer, we will be able to advise you on appropriate text for your policy documents to enable your clients to navigate the cyber insurance wording minefield.