
South Africa’s Cyber Five-Year Picture (2020–2025): What Boards Must Do Before Year-End


Three weeks ago, I sat across from a CFO whose company had just paid R17.6 million in ransom to unlock their systems. They had cyber insurance. They thought they were protected.

The insurer denied 40% of the claim because the company hadn’t implemented multi-factor authentication on admin accounts, a requirement explicitly stated in their policy that nobody had actually read.

That’s an R7 million lesson in the difference between having cyber insurance and having cyber insurance that actually pays out when you need it.

Important: This is a composite scenario based on real South African claim patterns and underwriting outcomes. It is illustrative, not a description of a specific Berkley Risk client or case.

If you’re a board member, C-suite executive, or risk manager in South Africa right now, here’s what you need to understand: the cyber insurance market has fundamentally changed between 2020 and 2025. The policies that used to approve claims with minimal scrutiny now have pages of technical requirements that must be documented and verified at the time of the incident – not implemented after the fact.

South Africa has become one of the key ransomware hotspots in Africa. Interpol’s Africa Cyberthreat Assessment 2025, drawing on Trend Micro telemetry, reports that South African entities were associated with 17,849 ransomware detections in 2024, one of the highest totals on the continent and more than other highly digitised economies such as Egypt (12,281), Nigeria (3,459) and Kenya (3,030). (Interpol / Trend Micro summary)

At the same time, the broader financial crime picture is deteriorating. According to the South African Banking Risk Information Centre (SABRIC), digital banking crime incidents increased by around 86% year-on-year, with associated losses rising to roughly R1.88 billion in the latest reporting year. (SABRIC data via TechAfrica)

Critical infrastructure has not been spared. The National Health Laboratory Service (NHLS) – which operates more than 265 laboratories and provides pathology services for roughly 80% of South Africa’s population – suffered a major ransomware attack in June 2024 that forced labs to revert to manual processes and disrupted services countrywide. (example coverage) The Development Bank of Southern Africa (DBSA) disclosed a serious ransomware incident in 2023, compromising internal systems and project data. (MyBroadband) The Department of Defence/SANDF had sensitive data leaked by the Snatch ransomware group in 2023, (ITWeb) and the South African Weather Service (SAWS) reported a crippling cyber attack in 2025 that took forecasting systems offline for an extended period. (ITWeb)

But here’s the part that should concern every board: in Sophos’s State of Ransomware 2024 research, summarised for the South African market, 47% of organisations that had cyber insurance and suffered a ransomware attack had part of their claim denied. (Sophos data via Belgium Campus summary) Nearly half. That’s not an edge case, that’s the new normal.

The underwriting requirements that determine whether your R20 million claim gets paid or denied have become hyper-specific, technically demanding, and strictly enforced. If you don’t know what they are before an incident occurs, you’re effectively uninsured.

Let me walk you through exactly what changed, what underwriters now require, and what your organisation needs to do before 31 December 2025 to ensure your cyber insurance actually functions when you need it most.

What Changed Between 2020 and 2025: The Threat Evolution That Rewrote Underwriting

Five years ago, cyber insurance was relatively straightforward. You filled out a questionnaire, paid your premium, and generally got your claim paid if an incident occurred. The focus was on response costs, forensics, legal fees, notification expenses.

That era is over.

Ransomware became industrialised. In 2020, ransomware was often opportunistic – attackers would infect whoever clicked a phishing link and demand modest ransoms (R50,000 to R200,000). By 2025, it is a sophisticated, targeted operation. According to Sophos’s State of Ransomware 2024 survey data for South Africa, the mean ransom demanded now sits around US$975,675 (about R17.9 million), with the mean ransom paid at US$958,110 (about R17.6 million). (summary of South African findings)

Attackers research their targets, identify which systems are most critical, steal data before encrypting it (double extortion), and time attacks for maximum disruption. They know your revenue, your cash reserves, and exactly how much you can afford to pay. This isn’t petty cybercrime; it’s a professional, financially motivated ecosystem.

Business Email Compromise (BEC) syndicates went transnational. Interpol’s assessment notes that BEC has spread widely across Africa, with about a dozen countries generating most of the continent’s BEC fraud and with Nigerian networks such as Black Axe and the Opera1er group playing a prominent role. These syndicates don’t just send fake invoices anymore. They compromise legitimate email chains, study payment approval workflows for months, impersonate senior executives using AI-generated voice deepfakes, and execute wire fraud schemes worth millions. South African corporates and financial institutions sit squarely in this target zone.

Supply chain attacks became the preferred entry point. Instead of attacking your organisation directly, attackers compromise your IT service provider, your software vendor, or your cloud hosting platform and use that trusted access to infiltrate your systems. You can have strong internal security controls and still get breached because a third-party vendor had weak controls.

AI-powered attacks eliminated the “human error” defence. Phishing emails used to have spelling mistakes and grammatical errors that trained employees could spot. Now they’re flawless. Deepfake voice and video impersonation technology is available through low-cost subscription tools, making it affordable for attackers to mimic executives convincingly and at scale. Attackers create error-free content, convincing impersonations, and sophisticated social engineering campaigns that bypass traditional awareness training.

The result: underwriters can no longer rely on “employee training” or generic “security awareness programmes” as meaningful risk mitigation. They need verifiable technical controls that can be audited and proven at the time of claim.


Top 5 Control Failures That Void Cyber Insurance Claims in South Africa

This is the section you need to print, laminate, and put on every board agenda for the rest of 2025.

These five control failures account for a large share of denied or reduced cyber insurance claims in South Africa. If you don’t have documented evidence of implementation at the time of an incident, expect your insurer to reduce or deny your claim regardless of what your policy says about coverage.

  1. Multi-Factor Authentication (MFA) Not Enabled on All Admin and Privileged Accounts

Why it matters: Multiple industry studies show that stolen or compromised credentials are one of the most common initial access vectors in ransomware attacks – alongside exploitation of known vulnerabilities and phishing. When an attacker gets an admin username and password (from phishing, credential stuffing, or dark web credential dumps), strong MFA is often the only control that stops them.

What underwriters require: MFA is generally expected on all administrative accounts, remote access, email, cloud services, and any account with privileged access to systems or data. Many underwriters now explicitly prefer authenticator apps or hardware tokens for high-risk accounts and may treat SMS-only MFA as inadequate.

The claim denial scenario: You suffer a ransomware attack. During the forensic investigation, it’s discovered the attacker used compromised admin credentials to access your network. Your policy required MFA on all admin accounts. You had it enabled on some accounts but not all – or not enforced in practice. Result: claim denied or reduced by 30–50% on the basis of non-compliance with explicit policy conditions.

How to document compliance:

  • Screenshots or reports showing MFA enabled and enforced on all relevant accounts
  • Documented MFA enforcement policy with approval date
  • Quarterly access reviews or audit reports confirming MFA status
  • Conditional access policies blocking non-MFA logins and logs proving they are active
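The evidence described above can be generated rather than screenshotted. The following audit script is an added example, not Berkley Risk's tooling or anything from the original page: it reads a constructed account export and a constructed sign-in log (the field layout, role names and method names are assumptions), reports privileged-account MFA coverage, separates SMS-only enrolment from strong methods, and flags any successful admin sign-in that completed without an MFA step, which is exactly what a forensic reviewer would look for when testing whether the "block non-MFA logins" policy is actually enforcing.

```python
from __future__ import annotations

from dataclasses import dataclass

# Methods a typical underwriter treats as strong for high-risk accounts.
# SMS-only enrolment is tracked separately because insurers may treat it as inadequate.
STRONG_METHODS = {"authenticator_app", "hardware_token", "fido2"}
PRIVILEGED_ROLES = {"global_admin", "domain_admin", "security_admin"}  # assumed role names


@dataclass(frozen=True)
class Account:
    upn: str
    roles: frozenset[str]
    mfa_methods: frozenset[str]   # enrolled methods; an empty set means no MFA at all


def is_privileged(acct: Account) -> bool:
    return bool(acct.roles & PRIVILEGED_ROLES)


def mfa_status(acct: Account) -> str:
    """Classify an account's enrolment the way a claims assessor would read it."""
    if not acct.mfa_methods:
        return "no_mfa"
    if acct.mfa_methods & STRONG_METHODS:
        return "compliant"
    if acct.mfa_methods == {"sms"}:
        return "sms_only"
    return "weak_only"            # e.g. e-mail OTP or voice call only


def audit_accounts(accounts: list[Account]) -> dict:
    """Coverage figures and a gap list for every privileged account."""
    privileged = [a for a in accounts if is_privileged(a)]
    statuses = {a.upn: mfa_status(a) for a in privileged}
    compliant = sum(1 for s in statuses.values() if s == "compliant")
    coverage = 100.0 if not privileged else round(100 * compliant / len(privileged), 1)
    return {
        "privileged_total": len(privileged),
        "privileged_compliant": compliant,
        "coverage_pct": coverage,
        "gaps": {upn: s for upn, s in statuses.items() if s != "compliant"},
    }


def unchallenged_admin_logins(log_lines: list[str], accounts: list[Account]) -> list[tuple[str, str]]:
    """Successful privileged sign-ins that completed with no MFA step.

    Any hit is direct evidence that the conditional access policy is not enforcing,
    regardless of what the policy screenshot says.
    """
    privileged = {a.upn for a in accounts if is_privileged(a)}
    hits = []
    for line in log_lines:
        ts, upn, result, mfa = (p.strip() for p in line.split(","))
        if upn in privileged and result == "success" and mfa == "none":
            hits.append((ts, upn))
    return hits


# Constructed sample data. Assumed sign-in export format, one line per sign-in:
# timestamp, account, result, mfa_method_used ("none" when no second factor was used).
ACCOUNTS = [
    Account("cfo@example.co.za", frozenset({"user"}), frozenset({"sms"})),
    Account("it-admin@example.co.za", frozenset({"global_admin"}), frozenset({"authenticator_app"})),
    Account("backup-svc@example.co.za", frozenset({"domain_admin"}), frozenset()),
    Account("helpdesk-lead@example.co.za", frozenset({"security_admin"}), frozenset({"sms"})),
]
SIGNIN_LOG = [
    "2025-11-14T02:13:55Z, backup-svc@example.co.za, success, none",
    "2025-11-14T09:02:10Z, it-admin@example.co.za, success, authenticator_app",
    "2025-11-15T22:41:03Z, cfo@example.co.za, success, sms",
]

if __name__ == "__main__":
    report = audit_accounts(ACCOUNTS)
    print(f"Privileged MFA coverage: {report['coverage_pct']}% "
          f"({report['privileged_compliant']}/{report['privileged_total']})")
    for upn, status in report["gaps"].items():
        print(f"  GAP  {upn}: {status}")
    for ts, upn in unchallenged_admin_logins(SIGNIN_LOG, ACCOUNTS):
        print(f"  ENFORCEMENT FAILURE  {ts} {upn} signed in without MFA")
```

Run quarterly against a fresh export and keep the output with the run date; that dated report is the "audit report confirming MFA status" the list above asks for.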

  2. Inadequate Patch Management and Vulnerability Remediation

Why it matters: Known vulnerabilities remain one of the easiest entry points. If a critical patch has been available for weeks or months and you haven’t applied it, underwriters will often treat a resulting breach as preventable.

What underwriters require: A documented patch management process; evidence of regular patching (typically monthly for security updates); an asset inventory that shows patch status; and vulnerability scanning with tracked remediation.

The claim denial scenario: Ransomware exploits a Windows or VPN vulnerability. A security update had been released 45 days before the attack. Your organisation delayed patching due to “testing requirements” or “business disruption concerns” but did not document or formally accept the risk. Underwriters classify this as a preventable breach due to weak patch management. Claim denied or significantly reduced.

How to document compliance:

  • Patch management policy with defined timeframes (for example, critical vulnerabilities remediated within 30 days)
  • Monthly patch deployment reports
  • Vulnerability scan results with remediation tracking and proof of closure
  • A formal exception process for delayed patches with documented risk acceptance
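The distinction the claim-denial scenario turns on is not "patched late" but "delayed without documented risk acceptance". The script below is an added example (not from the page or Berkley Risk) that checks a constructed vulnerability register against the 30-day critical timeframe given above: an open item past its SLA is only acceptable if it references a risk-acceptance record that was approved before the audit date and has not expired. The 60-day high-severity window, the record fields and the vulnerability identifiers are assumptions and constructed values, not real CVEs.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Remediation deadlines in days from patch availability. The 30-day critical
# window is the page's own example; the high-severity window is an assumption.
SLA_DAYS = {"critical": 30, "high": 60}


@dataclass(frozen=True)
class Vuln:
    asset: str
    vuln_id: str                      # constructed identifiers, not real CVEs
    severity: str
    patch_available: date
    remediated: date | None = None
    exception_id: str | None = None   # reference to an approved risk-acceptance record


@dataclass(frozen=True)
class RiskAcceptance:
    exception_id: str
    approved_by: str
    approved_on: date
    expires_on: date


def days_exposed(v: Vuln, as_of: date) -> int:
    """Days between patch availability and remediation, or the audit date if still open."""
    return ((v.remediated or as_of) - v.patch_available).days


def classify(v: Vuln, exceptions: dict[str, RiskAcceptance], as_of: date) -> str:
    sla = SLA_DAYS.get(v.severity)
    if sla is None:
        return "no_sla_defined"
    if days_exposed(v, as_of) <= sla:
        return "within_sla"
    if v.remediated is not None:
        return "remediated_late"
    # Still open past the SLA: only a current, approved acceptance record counts.
    ra = exceptions.get(v.exception_id) if v.exception_id else None
    if ra is not None and ra.approved_on <= as_of <= ra.expires_on:
        return "open_with_accepted_risk"
    return "overdue_undocumented"


def audit_register(register: list[Vuln], exceptions: dict[str, RiskAcceptance],
                   as_of: date) -> dict[str, str]:
    """Status per asset as at the audit date."""
    return {v.asset: classify(v, exceptions, as_of) for v in register}


def claim_risk_items(register: list[Vuln], exceptions: dict[str, RiskAcceptance],
                     as_of: date) -> list[str]:
    """Assets an underwriter would point to as a preventable-breach indicator."""
    return [asset for asset, st in audit_register(register, exceptions, as_of).items()
            if st == "overdue_undocumented"]


# Constructed sample register: the first entry mirrors the page's scenario of a
# VPN patch released 45 days before the audit date and never formally accepted.
AS_OF = date(2025, 12, 31)
EXCEPTIONS = {
    "RA-2025-014": RiskAcceptance("RA-2025-014", "CIO", date(2025, 10, 20), date(2026, 1, 31)),
}
REGISTER = [
    Vuln("vpn-gw-01", "VULN-0001", "critical", date(2025, 11, 16)),
    Vuln("fs-02", "VULN-0002", "critical", date(2025, 11, 1), remediated=date(2025, 11, 20)),
    Vuln("erp-db-01", "VULN-0003", "critical", date(2025, 10, 1), exception_id="RA-2025-014"),
    Vuln("hr-web-01", "VULN-0004", "high", date(2025, 9, 1), remediated=date(2025, 11, 10)),
]

if __name__ == "__main__":
    for asset, status in audit_register(REGISTER, EXCEPTIONS, AS_OF).items():
        print(f"{asset:12} {status}")
    print("Undocumented overdue items:", claim_risk_items(REGISTER, EXCEPTIONS, AS_OF))
```

Note that an acceptance record that has expired is treated as no record at all, so the monthly report has to be re-run rather than filed once.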

  3. Insufficient Endpoint Detection and Response (EDR) / Endpoint Protection

Why it matters: Traditional signature-based antivirus is no longer sufficient on its own. Ransomware and other advanced malware evolve too quickly. Underwriters increasingly expect Endpoint Detection and Response (EDR) solutions that provide behavioural detection, automated response, and detailed forensic capability.

What underwriters require: EDR deployed on all endpoints (desktops, laptops, servers – and, where feasible, mobile devices), 24/7 monitoring enabled, alerts configured and reviewed, evidence of active threat hunting, and functional quarantine and remediation capabilities.

The claim denial scenario: Malware spreads across your network because your legacy antivirus solution fails to detect the threat. Forensics show the malware was a known variant that a modern EDR solution could reasonably have detected and contained. Underwriters argue that your endpoint protection fell below the standard expected in the market. Claim denied or reduced.

How to document compliance:

  • EDR deployment status report showing near-100% coverage
  • Monitoring configuration and alerting documentation
  • Monthly threat detection and response logs
  • Incident response playbooks
  • Quarterly threat hunting reports from your internal team or MDR provider

  4. No 24/7 Security Monitoring and Incident Response Capability

Why it matters: Ransomware operators typically execute attacks outside business hours (weekends, holidays, 2am on a Friday). If you don’t detect and respond quickly, the attack will spread across your infrastructure long before your IT team logs in on Monday.

What underwriters require: A Security Operations Centre (SOC) capability, either in-house or outsourced through a Managed Detection and Response (MDR) provider, with 24/7/365 monitoring. Defined escalation procedures, a documented incident response plan, and evidence of regular testing are all expected.

The claim denial scenario: You’re attacked on a Saturday night. Nobody notices until Monday morning. By then, 80% of your systems are encrypted. Underwriters argue that 24/7 monitoring could reasonably have detected and contained the attack in its early stages. Claim reduced by up to 60% based on contributory negligence and failure to meet stated policy conditions.

How to document compliance:

  • SOC/MDR contract or internal capability documentation
  • Evidence of 24/7 monitoring (staffing schedule, service agreements)
  • A current incident response plan with escalation procedures
  • Quarterly incident response tests or tabletop exercises with documented outcomes

  5. Missing or Untested Data Backup and Recovery Strategy

Why it matters: Ransomware now explicitly targets backup infrastructure. If attackers compromise or encrypt your backups, you may have no realistic recovery option other than paying the ransom – which is increasingly discouraged by regulators and underwriters.

What underwriters require: An offline or immutable backup strategy (typically aligned with the 3-2-1 rule: 3 copies of your data, on 2 different media, with 1 copy offsite), regular backup verification, documented recovery procedures, and periodic restoration testing.

The claim denial scenario: You’re hit with ransomware. Your backups are encrypted along with primary systems because they were permanently connected to the network. Forensics show attackers had access to your environment for 10–14 days before detonation, enough time to locate and corrupt backup repositories. Underwriters argue that proper offline or immutable backups would have enabled recovery without paying the ransom. Result: the ransom component of the claim may be denied, with only forensics and notification costs covered.

How to document compliance:

  • Backup architecture diagram showing offline/immutable storage
  • Backup success/failure logs reviewed at least weekly
  • Quarterly restoration tests with documented results
  • Defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical systems

POPIA Reporting Basics: What Triggers Mandatory Notification (And Insurance)

The Protection of Personal Information Act (POPIA) fundamentally changed cyber incident response in South Africa. It’s not just about fines – it’s about when your cyber insurance actually triggers and what your obligations are.

From April 2025, the Information Regulator introduced an e-Services portal for mandatory reporting of security compromises online, replacing the old email-based process. (Information Regulator guidance) Failure to report properly can result in enforcement action and administrative fines of up to R10 million, or criminal penalties of up to 10 years’ imprisonment for serious offences, depending on the provisions breached.

The Regulator’s own reporting shows how quickly incidents are rising. In an October 2025 briefing, its executive for education and communication indicated that 2,374 security compromise incidents were reported during the 2024/25 financial year, and a further 1,607 incidents were reported from April to the end of September 2025 alone. (ITWeb summary)

Yet massive under-reporting persists. Check Point Research’s July 2024 data shows that South African organisations experienced an average of 2,113 cyber threats per week, (Check Point via ITWeb) while SAPS statistics recorded only 544 cyber-related fraud cases in the same period – a clear indication that many incidents involving personal information are not being reported through formal channels.

When you must notify:

  • Unauthorised access to personal information
  • Unauthorised disclosure of personal information
  • Loss of personal information
  • Any compromise that poses a risk of harm to data subjects

Timeline: POPIA requires notification to the Regulator and affected data subjects as soon as reasonably possible after becoming aware of a qualifying security compromise.

What this means for cyber insurance:

Most cyber policies require notification to the insurer within 24–72 hours of discovery of an incident. If you delay reporting to the insurer because you’re trying to contain the incident quietly, you risk breaching policy conditions. If you notify too early (before you understand the scope), you may trigger costly response services without clear objectives.

The sweet spot: notify your insurer and the Information Regulator in parallel within 24 hours of confirming that a qualifying breach has occurred. Let your cyber insurance response panel (forensics, legal, PR) guide your POPIA compliance from that point forward.

Pro tip: Your cyber policy should explicitly include POPIA notification costs, legal advice on disclosure obligations, credit monitoring or similar mitigation for affected individuals where appropriate, and regulatory defence if the Information Regulator investigates your breach response.

How Cyber Insurance Dovetails With Business Interruption, Crime, and D&O Coverage

Here’s where most organisations have dangerous gaps in their insurance programmes: they treat cyber insurance as standalone coverage when it actually intersects with multiple other policies.

Cyber + Business Interruption (BI)

Standard property insurance BI cover is typically triggered by physical damage to insured property. As a result, most property policies exclude purely cyber-related downtime. If ransomware shuts down your systems for 10 days, your property BI cover will usually not respond, even though you have suffered real business interruption.

What you need: Cyber business interruption coverage that pays for lost revenue and continuing expenses during system downtime, including contingent BI for supply chain disruptions (for example, your key vendor or cloud provider is hit with ransomware and you cannot operate).

The gap: Many cyber policies have BI sub-limits (often 10–20% of the total policy limit) that are grossly inadequate. If your organisation generates R50 million in monthly revenue and loses 10 days to ransomware, that’s roughly R16.6 million in lost revenue – but your cyber BI sub-limit might be R5 million. Who absorbs the R11.6 million shortfall?

Cyber + Crime/Fidelity

Business Email Compromise, social engineering fraud, and wire transfer fraud are cyber-enabled crimes. The difficulty is working out whether they are covered under your cyber policy or your commercial crime/fidelity policy.

The overlap:

  • Crime policies often cover employee theft and certain forms of third-party fraud, but may exclude “voluntary parting of funds” where an employee was tricked into paying a fraudulent beneficiary.
  • Cyber policies may cover social engineering and BEC, but often with relatively low sub-limits (for example R1–2 million) compared with potential loss values.

What you need: Coordinated wording where cyber and crime policies complement each other, with clear trigger language defining which policy responds first and how excess coverage from the second policy kicks in once the first is exhausted.

Cyber + Directors & Officers (D&O) Liability

Cyber breaches now routinely trigger shareholder complaints, regulatory investigations, and potential personal liability for directors who fail to implement adequate cybersecurity governance.

For financial institutions, the bar is even higher. The Prudential Authority and Financial Sector Conduct Authority (FSCA) have published Joint Standard 2 of 2024 – Cybersecurity and Cyber Resilience Requirements for Financial Institutions, which takes effect on 1 June 2025. (Joint Communication) This standard, together with the IT governance and risk management standards, explicitly places responsibility on governing bodies to ensure sound cyber risk management and resilience.

What you need: A D&O policy with cyber-specific endorsements covering regulatory investigations, shareholder derivative actions, and alleged governance failures related to cyber and information security – and which coordinates with the entity cover in your cyber policy.

The nightmare scenario: Your organisation suffers a massive data breach. The Information Regulator opens an investigation. Shareholders file a derivative suit alleging that directors breached their fiduciary duties by failing to implement adequate cybersecurity. Your cyber policy defends the company. Your D&O policy defends the directors personally. But the two policies have overlapping exclusions and neither wants to respond first. You end up litigating coverage with your own insurers while simultaneously defending against regulators and shareholders.

This is why you need an insurance broker who understands how these policies interact and can structure coordinated coverage from day one – not after the incident occurs.

Your Cyber Controls Audit Checklist: What to Verify Before 31 December 2025

Print this checklist. Take it to your next board meeting. Assign an owner to each item. Verify compliance before year-end.

✓ Multi-Factor Authentication

[ ] MFA enabled and enforced on all administrative accounts (verify via access logs)
[ ] MFA enabled on all remote access (VPN, RDP, cloud services)
[ ] MFA enforced on all email accounts (no exceptions for executives)
[ ] Authenticator app or hardware tokens used for high-risk accounts (not SMS-only)
[ ] Conditional access policies block non-MFA logins
[ ] Quarterly audit of MFA status with documented evidence

✓ Patch Management & Vulnerability Remediation

[ ] Written patch management policy with defined timeframes
[ ] Monthly security patch deployment (documented evidence)
[ ] Asset inventory showing patch status for all systems
[ ] Quarterly vulnerability scans with remediation tracking
[ ] Exception process for delayed patches with risk acceptance
[ ] Critical vulnerabilities remediated within 30 days (documented)

✓ Endpoint Protection

[ ] EDR deployed on all endpoints (coverage checked and documented)
[ ] 24/7 monitoring enabled and actively reviewed
[ ] Threat detection alerts configured with response playbooks
[ ] Quarterly threat hunting reports (internal or MDR provider)
[ ] Quarantine and remediation capabilities tested
[ ] Monthly EDR performance/coverage reports

✓ 24/7 Security Monitoring

[ ] SOC capability (internal) or MDR contract (external) in force
[ ] 24/7/365 monitoring coverage with documented staffing/contract
[ ] Incident response plan with defined escalation procedures
[ ] Contact tree with after-hours accessibility tested
[ ] Quarterly tabletop exercises with documented results
[ ] Evidence of monitoring effectiveness (detection/alert logs)

✓ Backup & Recovery

[ ] 3-2-1 backup strategy implemented (3 copies, 2 media, 1 offsite)
[ ] Offline or immutable backups for critical data (not permanently network-accessible)
[ ] Weekly backup success/failure logs reviewed
[ ] Quarterly restoration tests with documented results
[ ] RTO and RPO defined for critical systems
[ ] Backup architecture diagram current and accurate

✓ Third-Party Vendor Management

[ ] Inventory of all vendors with system/data access
[ ] Cybersecurity requirements included in all vendor contracts
[ ] Annual vendor security assessments with documented evidence
[ ] Vendor breach notification requirements contractually required
[ ] Vendor liability and insurance requirements defined
[ ] Quarterly vendor risk reviews for critical providers

✓ POPIA Compliance

[ ] Data breach notification procedures documented and tested
[ ] Information Regulator e-Services portal account established
[ ] Breach notification timelines defined (24–72 hours from confirmation)
[ ] Data subject notification templates prepared
[ ] Legal review of POPIA obligations completed
[ ] Cyber insurance policy explicitly covers POPIA notification and regulatory defence costs

✓ Cyber Insurance Policy Review

[ ] Policy reviewed within the last 12 months
[ ] Coverage limits adequate for current business scale
[ ] Sub-limits reviewed (BI, social engineering, data restoration, POPIA costs)
[ ] Policy conditions verified as achievable (MFA, EDR, backups, monitoring)
[ ] Retention/deductible appropriate for risk tolerance
[ ] Policy coordinates with property, crime, and D&O coverage

✓ Incident Response Preparedness

[ ] Written incident response plan with roles and responsibilities
[ ] Cyber insurance breach response contacts documented (legal, forensics, PR)
[ ] Crisis communication plan for customers, stakeholders, and media
[ ] Data breach notification templates prepared (regulators and customers)
[ ] Legal privilege framework for incident response communications
[ ] At least one incident response test in the last 12 months with lessons learned documented

What Happens Next: Your Cyber Controls Audit With Berkley Risk

Here’s the uncomfortable reality: most organisations don’t know if they’re actually insured until they file a claim and discover gaps in their controls or policy coverage.

We’ve seen companies pay cyber insurance premiums for years, suffer an incident, and then discover that:

  • Their EDR wasn’t deployed everywhere or correctly configured (claim denied or reduced)
  • Their backups were permanently network-accessible (claim reduced because the loss was considered preventable)
  • Their policy had a R1 million sub-limit for social engineering, but they lost R8 million to a sophisticated BEC scheme
  • Their incident fell into a grey area under war/terrorism or “hostile act” exclusions because the attack was linked to a state-sponsored group

The time to discover these gaps is before an incident occurs, not during a R20 million claim negotiation with your insurer.

At Berkley Risk, we arrange specialised Cyber Insurance with A-rated international carriers that actually pay claims when you need them. But more importantly, we conduct cyber controls audits before structuring your policy so we know exactly which underwriters will accept your risk profile and what policy conditions you need to meet.

Our cyber controls audit process includes:

  • Technical controls verification – We review your MFA, EDR, patch management, monitoring, and backup implementations against current underwriter requirements.
  • Policy coverage analysis – We compare your existing policy to your actual exposures and identify gaps in BI sub-limits, social engineering coverage, regulatory defence, POPIA-related costs, and coordination with other insurance lines.
  • Incident response readiness testing – We assess whether your organisation can realistically execute its incident response plan under the pressure of a real breach.
  • Underwriter evidence mapping – We document exactly what evidence you’ll need at claim stage (screenshots, logs, audit reports, governance documents) to support a full claim payment.
  • Remediation roadmap – Where gaps exist, we provide a prioritised implementation plan with cost estimates and timeframes.

This audit typically costs a fraction of what you might lose from a denied or heavily reduced claim.

If your organisation:

  • Generates over R50 million in annual revenue
  • Stores customer personal information or payment data
  • Relies on IT systems for core operations
  • Operates in a regulated industry (financial services, healthcare, energy, etc.)
  • Has cyber insurance but hasn’t verified in the last 12 months that your controls match policy requirements

…then you should complete a cyber controls audit before year-end.

Request a cyber controls audit from Berkley Risk or call us on 011-702-8250. We’ll identify exactly what your underwriter will scrutinise during a claim, document your compliance gaps, and structure cyber insurance coverage that actually pays out when you need it most.

South Africa recorded 17,849 ransomware detections in 2024 – one of the highest totals in Africa. Interpol’s data and local threat reports show that ransomware, BEC, and data breaches are not abstract risks; they are daily realities for South African organisations. At the same time, studies show that a significant share of cyber insurance claims – close to half in some ransomware surveys – are partially denied due to control failures or non-compliance with policy conditions.

The question isn’t “Will we get attacked?” The question is “When we do, will our cyber insurance actually pay?”

We can help you answer that question with certainty before you’re negotiating with your insurer while your systems are encrypted and your business is offline.

The five-year threat picture is clear: attacks are more sophisticated, damages are more severe, and underwriters are more demanding. The organisations that survive are the ones that treated cyber controls as insurance requirements, not just IT projects.

We’ve helped dozens of South African organisations structure cyber insurance that actually functions. We’d like to help yours.
