Cyber insurance in South Africa: what it covers and when you need it

A ransomware attack or data breach can cost a South African business hundreds of thousands of Rands in recovery, legal fees, regulatory fines, and lost business. Cyber insurance is designed to help absorb some of that cost. But it is not a substitute for security – and it is not always straightforward to obtain or claim. This article explains what it covers and when it makes sense.

What cyber insurance typically covers

Policies vary, but most cover:

  • Data breach response – forensic investigation, notification costs, credit monitoring for affected individuals.
  • Ransomware – ransom payment (if legal, permitted by the policy, and usually only with the insurer's prior consent), recovery costs, business interruption.
  • Regulatory fines – some policies cover POPIA or other regulatory penalties, subject to terms.
  • Legal liability – claims from customers or partners whose data was exposed.
  • Business interruption – lost income when systems are down due to a cyber incident, usually after a waiting period set in the policy.
  • Crisis management – PR, communications, and legal support.

Coverage limits and sub-limits vary. A policy might offer R5 million in total with a R1 million sub-limit for ransomware. Sub-limits sit inside the total limit rather than on top of it, and an excess normally applies to each claim. Read the fine print.

Typical coverage structure

Coverage type | What it pays for                                        | Common sub-limits
------------- | ------------------------------------------------------- | ----------------------------
First-party   | Your own costs (forensics, notification, recovery)      | Often 50–70% of total limit
Third-party   | Claims from others (customers, regulators)              | Often 30–50% of total limit
Ransomware    | Ransom, recovery, business interruption                 | Often capped separately
Regulatory    | POPIA fines, regulatory defence                         | Subject to policy terms

What it usually does not cover

  • Prior incidents – known breaches or vulnerabilities that existed before the policy start date.
  • Negligence – some policies exclude claims arising from failure to maintain basic security controls (e.g. no MFA, unpatched systems), particularly controls you declared as in place on the application.
  • Certain attack types – nation-state attacks, war, or terrorism may be excluded.
  • Contractual penalties – fines or penalties that you agreed to in contracts (e.g. with a customer) may not be covered.
  • Reputational damage – hard to quantify; often not covered.

Insurers are increasingly asking for evidence of security controls before offering or renewing cover. If you cannot demonstrate basic hygiene (MFA, backups, patching), you may be declined or offered limited coverage at higher premiums.

When you need it

Cyber insurance is most relevant when:

  • You hold sensitive data – customer PII, financial records, health data. A breach could trigger POPIA notification, regulatory action, and reputational damage.
  • You have contractual obligations – some clients require cyber insurance as a condition of doing business.
  • You cannot afford a major incident – a small or mid-sized business may not have the reserves to recover from a ransomware attack without insurance.
  • You are in a high-risk sector – healthcare, finance, legal, and retail are common targets.

It is less critical for very small businesses with minimal data and low digital dependency. But as you grow, the risk grows with you.

Sector-specific considerations

  • Financial services – often required by regulators or partners. Expect higher premiums and stricter underwriting.
  • Healthcare – sensitive patient data; POPIA and sector regulations apply. Strong controls improve insurability.
  • Professional services – client data, confidentiality obligations. Many firms require cyber insurance in contracts.
  • Retail and e-commerce – payment data, customer PII. PCI DSS compliance may be a prerequisite.

How insurers assess risk

Underwriters will ask about:

  • Security controls – MFA, backups, EDR, patch management.
  • Incident response – do you have a plan? Have you tested it?
  • Compliance – POPIA, ISO 27001, or industry frameworks.
  • Third-party risk – how do you manage vendors and cloud providers?
  • Prior incidents – have you had a breach or ransomware event before?

Some insurers require a penetration test or security assessment before offering coverage. A cybersecurity assessment can help you prepare and identify gaps.

Preparing for the application

Before you apply, gather:

  • Security policy summary – access control, backup, incident response, acceptable use.
  • Control evidence – screenshots or reports showing MFA enforcement, backup success and restore tests, and patch levels.
  • Risk assessment – if you have one, it demonstrates due diligence.
  • Incident history – disclose any prior breaches. Non-disclosure can void the policy.

Cyber insurance complements security – it does not replace it

Insurance pays for some of the cost of an incident. It does not prevent the incident. The best approach is:

  1. Implement baseline security – MFA, backups, EDR, patching. See our IT Health Check for a self-assessment.
  2. Document your controls – insurers want evidence. Policies, procedures, and audit trails matter.
  3. Get cyber insurance – as a financial backstop for incidents you cannot fully prevent.
  4. Test incident response – know your plan, and practice it before you need it.

The right order of operations

Do not buy cyber insurance as a substitute for security. Insurers will ask what controls you have. Weak controls mean higher premiums, lower limits, or declined applications. Invest in security first; then insurance becomes affordable and meaningful.

Next steps

If you are considering cyber insurance, start by understanding your current security posture. We can help with cybersecurity assessments, penetration testing, and incident response planning. Contact us to discuss your situation.
