SA actuaries gear up to fight cybercrime

By: Actuarial Society of South Africa

Actuaries around the globe are getting to grips with quantifying and managing cybersecurity risk and making provision for the potential financial implications of cyberattacks. South African actuaries are no exception.

The World Economic Forum, in its Global Risks Report for 2018, highlights cybersecurity as a growing risk with disruptive potential. According to the Report, attacks against businesses have almost doubled in the last five years and the financial impact of cybersecurity breaches is rising.

In South Africa, a number of companies have experienced embarrassing and worrying data breaches – including one life insurer.

This is not surprising, since the UK’s Institute and Faculty of Actuaries recently concluded that cybersecurity risks are still very much uncharted territory for insurers and that there are as yet no accepted best practices to protect a company from a potential attack. To kickstart the conversation around this key business risk issue, the Institute’s Cyber Risk Investigation Working Party last month released a proposed framework to guide actuaries in assessing cybersecurity risk.

As risk professionals, actuaries are well positioned to cost and price for financial losses following a cyberattack. This is, however, a new field, and actuaries need to be made more aware of how they can reduce cyber risk within a company. At the same time, actuaries could find themselves being the targets of cyberattacks, and they owe a duty of care to clients to minimise the risks of any data breach, and to mitigate the consequences should such a breach occur.

The Actuarial Society of South Africa has therefore established the Systems and Technology Practice Area Committee with cybersecurity high on the Committee’s list of priorities.

Mia Geringer, Systems and Technology Practice Area Committee chairperson, says that a key challenge for the Committee is the fact that there are no one-size-fits-all protocols on technology and cybersecurity, as different industries and companies operate different systems. The Committee has therefore established sub-committees that will deal with the risks and challenges unique to each industry.

Geringer notes that the Committee is on track to release the first set of systems and technology guidance notes for actuaries early in 2019.

Rajiv Singh, chair of the Banking sub-committee, explains that these guidance notes and education papers will flag identified cybersecurity risks for each industry and suggest practices that could prevent systems from coming under attack.

Singh observes that although actuarial science is not commonly associated with information technology (IT) and cybersecurity, actuaries are increasingly drawn to this field because they are major consumers of data produced by IT systems.

“Actuaries are recognised for their risk assessment and management skills, but applying these skills to IT systems and cybersecurity can be daunting. The first step will be to put in place standards to guide actuaries across all sectors.”

Geringer points out that actuarial science is no longer confined to traditional fields such as life insurance and the retirement fund industry. Instead, actuarial skills are now also sought after in industries as diverse as banking, healthcare and mining.

“As all these industries rely heavily on data and systems integrity, cybersecurity has become a key challenge for actuaries,” concludes Geringer.