The Management and Insurance of Cyber

CONTENTS

LIST OF FIGURES
LIST OF TABLES
ANNEXURES
DEFINITIONS
ABSTRACT

1. Introduction
2. Emerging cyber exposures
   2.1 Cyber-crime
       2.1.1 Business Disruption and Misuse
       2.1.2 Online scams
       2.1.3 Theft and Fraud
   2.2 Hackers
   2.3 Cyber obscenity
   2.4 Cyber activism
       2.4.1 Hacktivism
       2.4.2 Cyber terrorism
       2.4.3 Cyber warfare
       2.4.4 Information warfare
   2.5 Bring Your Own Devices
   2.6 Social media
3. Cost of cybercrime
   3.1 Perception of cybercrime exposures
   3.2 Economic cost of cybercrime
   3.3 Financial cost of cybercrime
   3.4 Cost of cybercrime involving confidential business information and market manipulation
   3.5 Opportunity cost and cybercrime
   3.6 Cybercrime recovery costs
4. Data breaches statistics
   4.1 Types of breaches
       4.1.1 Point-of-Sale (POS) intrusions
       4.1.2 Web application attacks
       4.1.3 Insider and privilege misuse
       4.1.4 Physical theft / loss
       4.1.5 Miscellaneous errors
       4.1.6 Crimeware
       4.1.7 Card skimmers
       4.1.8 Cyber-espionage
       4.1.9 Denial of Service Attacks
       4.1.10 Everything else
5. Data Protection Legislation
   5.1 European Union
   5.2 United States
   5.3 South Africa
       5.3.1 Electronic Communications and Transactions Act No. 25 of 2002
       5.3.2 Protection of Personal Information Act (POPIA)
6. Risk management
   6.1 Risk management and corporate governance policies
       6.1.1 King Code of Governance for South Africa 2009 (King III)
       6.1.2 Organisation for Economic Co-operation and Development (OECD) Privacy Principles
       6.1.3 Staff awareness and training
       6.1.4 Security configuration
       6.1.5 Network security
       6.1.6 Managing user privileges
       6.1.7 Incident Management
       6.1.8 Malware Prevention
       6.1.9 Monitoring
       6.1.10 Removable Media Controls
       6.1.11 Home and Mobile Working
7. Risk financing
   7.1 Insurance
   7.2 Cyber liability insurance
       7.2.1 Development of cyber liability product
       7.2.2 Cyber liability insurance alternatives
       7.2.3 Cyber liability coverage under non-cyber liability insurance products
             7.2.3.1 Commercial general liability (CGL) policies
       7.2.4 Cyber liability product offerings
             7.2.4.1 Coverage
                     7.2.4.1.1 First-party insurance
                     7.2.4.1.2 Third-party (liability) insurance
       7.2.5 Challenges experienced by cyber liability insurance providers
             7.2.5.1 Inherent nature of cybercrime risk
             7.2.5.2 Lack of standards, metrics and governance for cybercrime insurance
             7.2.5.3 Reasons for not purchasing cyber liability insurance
       7.2.6 Cyber insurance market

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    232 pages