According to the Allianz Risk Barometer 2019, cyber incidents are the top risk for medium-sized businesses in South Africa and around the world, alongside business interruption, which was ranked first in 2018. Natural catastrophes are now in third place, followed by changes in legislation and regulation in fourth place, and market developments in fifth place.
The annual survey on global business risks, presented by Allianz Global Corporate & Specialty (AGCS), incorporates the views of a record 2 415 experts from 86 countries, including CEOs, risk managers, brokers and insurance experts.
According to Nobuhle Nkosi, Head of Financial Lines, AGCS Africa, medium-sized companies increasingly recognise their cyber exposure and are more apt to secure adequate insurance cover than in the past. “This stems from the fact that advances in cloud computing and social media have increased companies’ exposures while large data breach events, such as the breach experienced at Liberty and numerous other cyber security-related issues, have necessitated greater protection of customer data,” he explains. “Medium-sized businesses see the need for adequate cyber cover to feel more protected in case of an event such as a breach.”
He says there is a clear relationship between cyber attacks, data breaches and loss of reputation – medium-sized businesses often refrain from reporting these incidents as they fear loss of contracts. A comprehensive risk management approach is necessary as insurance is only one part of the solution.
“Once you have purchased cyber insurance, it does not mean that you can ignore IT security. The technological, operational and insurance aspects of risk management go hand in hand,” explains Nobuhle. “Cyber risk management is too complex to be the preserve of a single individual or department, so we as AGCS recommend a ‘think-tank’ approach to tackling risk whereby different stakeholders from across the business collaborate to share knowledge.”
While cyber incidents increased in the medium-sized company space, BI dropped from first place to fifth in the ranking for 2019. A severe interruption can even have a terminal impact for companies, given the significant effect it can have on income and revenues. Nobuhle sees significant BI exposure among medium-sized businesses from fire and explosion, cyber risk and changes in legislation and regulation.
Changes in legislation and regulation
In general, the directors of a company in many African countries can be held personally liable for their executive actions where such actions are not in conformity with the Memorandum of Incorporation or their fiduciary duties. In South Africa, a company may indemnify its directors in respect of arising from a director’s negligence.
However, the permissibility of a company to indemnify its directors and officers varies from country to country. Many jurisdictions do not permit the reimbursement of a fine as a consequence of a director’s criminal conviction. There is also no guarantee that the company will pay the financial burden of defence costs in prolonged legal proceedings or damages awards, which can spiral very quickly. Even if the company is permitted to indemnify the director, it may not have the financial resources to provide for such an indemnity in the event of a claim.
“There has been a recent trend towards shareholders seeking to hold directors liable for losses as a result of the negligent or reckless conduct. In South Africa, the Companies Act No.71 of 2008 codified the derivative action and the class action. Class actions are now permitted which altered the previous common-law rule that a claimant must have a personal and direct interest in the subject matter of the claim. A recent example would be the Dutch-led class action of the alleged destruction of over R185 billion in shareholder value resulting from the long-running accounting irregularities at Steinhoff,” says Nobuhle.