R2m Lost to Phishing Email—Insured or Uninsured?

One click triggered a national system shutdown, exposing a major revenue loss and raising urgent questions about cyber cover and risk structure.

 

Real Event

In January 2025, the South African Weather Service suffered a serious breach after staff responded to a phishing email.

 

The message triggered a wider cyberattack that encrypted SAWS systems and disrupted critical services to the aviation and marine sectors. Paid weather products could not be delivered, backup channels were activated, but normal operations remained down for weeks. Revenue losses approached R2 million. There is no confirmation that SAWS had cyber insurance or that any claim was submitted. The incident highlights how quickly a single point of failure can halt a large state operation or nay business operation and leave major losses uninsured.

 

Risk – What Was Missed or What May Be Missed?

The missed structure in this case was the absence of enforceable cyber risk controls at user level, supported by a dedicated commercial cyber insurance olicy. Most phishing attacks rely on human error. In this case, one staff member actioned a fake communication, bypassing technical safeguards and triggering a chain reaction.

 

A cyber insurance policy may require the policyholder to meet certain minimum security standards, which is always a good thing, especially from a risk management point of view. These include endpoint protection, staff awareness training, multi-factor authentication, incident detection capability and a tested response plan. If these are not met or if training is inadequate, the insurer may reject the claim or limit the benefit.

 

The Cost – Consequence of the Missed Step

SAWS lost nearly R2 million in revenue after the breach. The exact source of that loss was the inability to supply paid products to clients in the aviation and maritime sectors—who rely on real time data for operational planning and compliance. These clients do not wait. When delivery stops, revenue stops.

 

Even when systems were partially restored using backups, the trust and commercial link to clients had already been disrupted. These were not theoretical losses. They were realised shortfalls in income, stemming directly from an event that is insurable. More importantly, there is no public indication that SAWS recovered these funds through insurance. The cost of rebuilding systems and restoring encrypted servers would also have required significant internal budget reallocation. These are operational burdens that could have been mitigated if a suitable cyber policy was in place and active at the time of loss.

 

The Correction – What Should Have Been Done?

Any business that relies on digital systems, whether private or public, must start by mapping its cyber risk structure. This includes identifying which users have access to critical systems, where vulnerabilities exist and what would happen if these systems were breached or go offline.

 

The following minimum actions should be implemented or tested:

• Confirm that cyber risk is not assumed to be included under general business insurance—request and carefully review separate and specialized cyber insurance cover and test for phishing, ransomware and business interruption cover. Using a seasoned Risk Advisor is strongly recommended
• Verify internal cyber controls meet insurer minimum and industry requirements, especially those related to user access, system updates and staff training
• Document the location and value of paid or income generating systems, this ensures cyber insurance and business interruption cover is correctly structured and policy limits are commensurate with your risk
• Test the internal response to a fake phishing attempt at least once per year and track remedial actions across the organisation

 

Each of these steps is observable and a professional external Risk Advisor is a crucial component. Without this structure, the organisation is relying on hope, chance and goodwill to navigate complex cyber loss events.

 

Closing Reflection – Avoid Becoming the Next Case

Most cyberattacks are not sophisticated. They usually succeed because someone clicked.

 

The cost of missing a basic structure—a tested response plan, enforceable controls, a fit for purpose policy, is not always reputational. It is operational. It shows up in lost income, strained resources and an exhausted team trying to recover from a preventable failure.

 

Have you confirmed who is responsible for your cyber risk map? Have you reviewed what would happen if your own income producing systems went offline for several days? Do you have proper Cyber Insurance? And if so, have you checked the terms and limits of your cover? Do you have a professional Risk Advisor?

 

Most critically, have you tested the real world response to a fake phishing attack in the last six to twelve months?

 

These are not IT questions. They are business continuity questions. In today’s digital and interconnected world, every business must answer them.

 

*This article was based on a recent article on News24 by Lameez Omarjee