Legal updates and opinions
Authors
News / News
Cybercrimes and Business Interruption
by Darren Willans, Director, Sarah Passmoor, Director and Chiara Ferri, Candidate Attorney
Cybercrimes and Business Interruption
Cybercrimes and Business Interruption are becoming increasingly prevalent in the technological age, posing a potentially significant threat to companies, especially those with online business models. If your company stores significant customer data, you may be targeted for ransomware attacks, as well as other sinister forms of cybercrimes. Cyber insurance should therefore be an essential aspect of a company’s risk strategy in response to this form of business interruption.
In 2021, cyber incidents were ranked as one of the highest threats to businesses in South Africa, having increased by 150% since 2020. Because this area of insurance law is constantly evolving and can be vague, it is essential that your company ensures that the policy clauses are not only clear and unambiguous, but also that the policy is up to date so that it caters for the current cyber risks, which are evolving at a rapid pace.
South Africans must up their game against cybercrime
Many businesses are operating under the false belief that their current insurance policy adequately covers data security and privacy exposure. This is not necessarily the case, as traditional insurance policies often do not adequately cater for the exposure organisations face in this sphere. Companies are in this regard cautioned to be particularly mindful of specific aspects of their insurance coverage, some of which are set out below.
The all-risks clause
A potential issue that may arise in a business interruption claim, is where a cybercrime is only covered under all-risks clauses. All-risks policies have historically included claims for business interruption, which respond to loss arising from physical damage to property. This may prove problematic if your business is subject to a cyberattack, as “physical damage resulting in financial loss” typically does not cover ransomware attacks, or other cybercrimes.
This is because electronic data or information is often not interpreted as having a physical existence. As such (in the absence of special extensions under the policy), a cyberattack and cybercrimes affecting electronic data, and in turn causing an interruption to one’s business, is often not covered under an all-risks clause, as physical damage to property is not something that is easily established.
Time deductibles and indemnity periods
Another aspect of general liability clauses which may prove problematic in the face of a cyberattack is that all-risks clauses often include time deductibles and indemnity periods, stating that loss coverage only begins after a specified period. However, a cyber-attack lasting for a fraction of the applicable time period could be devastating for a business.
For example, in 2016 Delta Airlines experienced a network failure for 6 hours, which cost the airline approximately USD 150 million. Another example is the Facebook outage of 2021, also only lasting for approximately 6 hours, which resulted in a decrease in revenue of over USD 60 million.
The nature and quantum of the loss
Establishing a cause and identifying the nature and quantum of the loss incurred is a further aspect to be mindful of insofar as your insurance contract is concerned. Damage to property is generally easier to prove than establishing a virtual cause. This is all the more reason for your company to ensure that an estimated quantum and the potential nature and cause of a cyberattack, is clearly delineated in the relevant policy.
Coverage for ransomware
Whilst most stand-alone cyber policies cover ransomware as a peril, not all policies offer the necessary coverage for losses associated with it. Coverage for loss associated with ransomware should fall under “cyber-extortion coverage”. This coverage should ensure that extortion payments are accounted for, as well as coverage for an IT forensic investigator who would be required to asses what data has been accessed, as well as the level of sensitivity of that data.
Third-party coverage
Companies may also be held accountable for third-party liability in relation to privacy and security incidents and should therefore have coverage which protects the company (as the insured) for liability resulting from the loss of personal and corporate confidential information. The coverage should extend to the failure to protect client records and data, intellectual property infringement through mismanaging customer data, impaired customer access to the insured’s computer systems and privacy intrusion through cyber activity.
It is important to bear in mind that a company itself does not necessarily have to be the target of a cyber-attack, to be affected. Cybercrimes can permeate a company’s suppliers and outsourced technology providers, which may in turn cause collateral damage to the company.
The insurance industry as a whole seems to be moving toward tackling cyber business interruption risks by consulting with IT security companies, not only to calculate risk but also to provide for specific delineated coverage in this area. Very few cases have to date been tested in court. From a risk mitigation perspective, companies are advised to carefully analyse the scope of their cover and to have careful regard to the wording of their policies.
Not every crime is a cybercrime – The dichotomy of cyber-enabled crimes and cybercrimes
Latest News
Defamation in Labour Law – Manqele V Baloyi Masango Inc Attorneys and Others (896/2023) [2025] Zampmbhc 75 (12 August 2025)
by Bankey Sono, Director and Neo Sewela, Senior Associate It is not unusual for employers to appoint a law firm [...]
Voluntary liquidations: A cost effective and efficient method of conducting a corporate clean-up, and for ending the existence of dormant companies
by Brendan Olivier Quite understandably, the word 'liquidation' can send shivers down the spine, and cause a company director to [...]
Substance dependence in the workplace- misconduct or incapacity?
by Bradley Workman-Davies - Director, Nasheetah Smith - Senior Associate & Isabella Keeves - Candidate Attorney One of the challenges [...]
Cutting the baby in half – when equality meets reality: Paid maternity leave after Van Wyk v Minister of Employment and Labour
by Bradley Workman-Davies, Director and Kerry Fredericks, Director The Constitutional Court's recent judgment in Van Wyk and Others v Minister [...]
SME cashflow threats: when liquidation strikes a supplier or customer
by Brendan Olivier An SME that permits its customers and suppliers to trade with it on credit terms, does so [...]
Global developments in gambling, betting and e-sports regulation: Lessons for South Africa
by Tebogo Sibidla, Director Like many other sectors of the economy that rely on technology, online gambling, gaming and betting [...]
