The 2018 Allianz Risk Barometer report ranks cyber incidents, including cybercrime, IT failure and data breaches, as the number one risk to South African businesses with 38% of respondents citing it as their most important corporate peril, up 8% from last year.
Bhagattjee, speaking on dealing with data breaches, gave examples of organisations whose data had been breached, including Uber, Sony, Walmart, FedEx, JP Morgan, Equifax and, most recently, Facebook.
She said in the Equifax data breach, which affected about 150 million customers, unauthorised access took place from May to July last year, but the firm only went public about the breach in September.
Equifax lost about a quarter of share value since the disclosure, said Bhagattjee.
The firm had failed to apply a patch for a software vulnerability of which it had been advised, and it had implemented measures after the fact to prevent further breaches and assist with customer-identity fraud.
Bhagattjee advised organisations to be cyber-ready and to formulate a road map for compliance (covering data protection and cybersecurity laws). She said cybersecurity should be a board-level agenda item, which required a proactive management strategy rather than a crisis-driven response, with an effective response/business continuity plan in place.
Zaakir Mohamed, CDH’s director in dispute resolution practice, said the risks companies faced appeared to be increasing.
“Pay careful attention to mitigating these risks. Incident response plans are critical. Never say never. Be prepared,” he said.
He advised that when a commercial crime had been discovered, company representatives needed to stay calm and not to panic but to ask questions, including: How did suspicion/knowledge come about? How credible/reliable is the source of information? Could the source have any motive/agenda? Has conduct been ongoing or is it a once-off incident? Who is implicated/who could be involved, potentially? Is there an alternative/reasonable explanation?
Mohamed also advised that the facts should be established before deciding on the best approach, identifying immediate risk areas and informing only those who absolutely needed to know as there was the risk of suspects becoming aware and of vital evidence being destroyed.