It Won’t Happen To Me

#Cyber #SpecialisedInsurance #BusinessInsurance #RiskManagement

This article was written by Tim Chadwick and published by News24 on 15 March 2026

 

Beware the Ides of March

Enter character one. Marcus Johanus Brutus, a South African businessman.

Sharp pin striped suit. Rolex watch. Corner office overlooking the N1. He has called an urgent partners meeting for March the 15th. He has not circulated an agenda, since this agenda is not the kind of thing you would circulate. The other nine partners know. They have discussed it in corridors, over expensive whisky, in the place where conversations stay private. Dark places. They are all agreed. Today is the day.

Down the hall, Julius, the man they are all agreed about is finishing his second double espresso and reviewing his calendar. He has a full morning. He is not remotely concerned about the meeting. He has been in this boardroom a thousand times. He built half of this with these people. Last week, an executive came to him visibly uncomfortable and said she had heard something. Whispers. Something was being arranged. He listened carefully, thanked her warmly and concluded she was being a tad paranoid. His wife raised the same concern at dinner on Sunday. He changed the subject to what are our holiday plans dear.

The meeting started at 09h00.

“Beware the Ides of March”, eerily echoed. Julius did not get the memo.

The meeting did not go well.

 

The Certainty Problem

Now, we know Gaius Julius Caesar was not a Saffer businessman and Brutus was not carrying a briefcase. But the cognitive architecture is identical across two thousand years. Caesar was brilliant. Experienced. His certainty on the morning of the Ides of March was not irrational. It was the conclusion of a man with extraordinary intelligence and evidence. Plus a huge dollop of trust.

Twenty three stab wounds is a lot of stab wounds.

His evidence, it turned out, was a perfect record of what had happened before. Not a reliable guide to what was happening right now. And Caesar, being human, could not tell the difference between those two things. The certainty he felt that morning was indistinguishable from the certainty he had felt every other morning. Same sensation. Catastrophically different outcome.

 

07h52 on the 15th

Enter character two. He is a client. Let us call him Gerrit, because that is his name and he has given me permission to use him as a cautionary tale in perpetuity, which tells you something about his character. Gerrit arrived at the office on the morning, of March the 15th, poured his first black coffee, no sugar, opened his laptop and discovered that every single one of his files had been replaced by a polite message explaining that his data was now encrypted and a Bitcoin wallet number had been helpfully provided for his convenience. He mentioned this to me at 07h52. I know as I still have the call log, which I keep for motivational purposes.

Gerrit is not a reckless man. He has a well run operation, decent staff and an IT setup that his IT oke regularly described as bulletproof solid. We are fine, boet. Relax. His IT oke was the second call of that morning. That conversation was considerably shorter.

What Gerrit did not have was adequate cyber insurance. What he had was a policy purchased through a direct insurer two years earlier at a limit that had felt entirely sensible at the time, since the whole thing felt largely theoretical. Like ticking a box. The kind of risk you acknowledge. The way you acknowledge a lack of depth at Lock in the Bok squad. Yes, it exists, it is rather unpleasant, it probably will not hurt you tonight. He told me, once the dust had settled that he honestly thought this would not happen to him. And there it is. This whole article. In one sad sentence.

I think about Julius Caesar every time a client says this to me. Not because I am dramatic, although my wife would dispute that strongly and annoyingly at great length, but because Caesar is the most expensive example of this specific cognitive failure in recorded history. He walked into the Senate on the Ides of March, having been warned by a soothsayer, by his wife Calpurnia and by an executive, who ran after him down the street with a written note in her hand. He listened to all of them, weighed it against thirty years of surviving everything that Rome could manufacture and walked in anyway.

The person about to have the worst week of their professional life also feels certain. Same sensation. Wildly different outcomes. Caesar could not tell the difference. Neither can you. Neither, for that matter, can I. And in South Africa in 2026, cyber risk and other uninsured catastrophe risks, is where this plays out most expensively, most regularly and largely, with the most avoidable consequences.

 

Your IT Oke Said Bulletproof

Before you tell me you have strong IT security and I know you want to tell me this, let me agree with you completely. Good security reduces probability. Lekka. The problem is that the organisations that have suffered the most serious breaches in recent years were usually not the organisations that ignored cyber security. They were organisations that had invested properly, satisfied themselves and moved on. The breach, when it came, came through a supplier’s compromised login. Or a phishing email that landed on a Friday afternoon when the one person who would have spotted it had already left for the Drakensberg. Or, and I say this with genuine affection, through a senior staff member whose password has been Biscuit2019 since 2019. Why? He said he was busy and IT is pedantic. In South Africa, the dog is named Biscuit, Bella or Boesman. Not Austin, which is, for the record, the only self respecting name for a real dog. Lucky me, my dog is Austin. The Senate had Brutus. Your network has Biscuit. Apologies, Biscuit2019.

Not so quick, you might say. My people are better than that.

Possibly. Many have sat in dysfunctional board meetings. You know, the ones which marinade in groupthink and positivity bias. The ones who equate objective oversight as avoiding criticism and robust discussion like the plague. The devil’s advocates, poor things, are sadly at worst, seen as literal devils. At best, well intentioned fools. Pessimistic, negative and unfortunately and annoyingly, usually proved right, long after they were ignored and the wrong decision was made. So, how good are your people and how good is your board? Far from infallible I would argue.

 

Meet Your Attacker

Since we are here, let me introduce you to your attacker. He is not the panicked figure in a hoodie sitting in Kazakhstan, typing furiously in a dark room. He is calm and methodical. Patient in a way that would impress a Karoo tortoise. Often he has been biding his time inside your systems before you notice a single thing. He has read your emails. He knows your suppliers. He knows your payment cycles, your client relationships, your personal banking patterns. He has impersonated your face, voice and everything else you may think it totally unique about you. He knows more about the inside of your operation than your own board does and he has been gathering this information, a pro at the top of his game, waiting for the forty eight hours when your attention is on something else entirely. Like your upcoming trip to the Kalahari. Your certainty that you are not a target is not a defence against him. It is, professionally speaking, his favourite operating condition. You are basically leaving the gate open with a welcome mat and a nice cold Coke Zero.

 

This One’s Personal

This is not only a business imperative. It is personal too. Some of you have accumulated serious personal wealth. Investment accounts. Trust structures. A family office. Estate planning documents. Private banking access. The email thread between you and your attorneys that contains information you would certainly not write on a napkin and leave at a Constantia restaurant, let alone broadcast across a network. All of it connected. All of it accessible, in many cases, through credentials last reviewed by a person who no longer works there, for a system that has since been replaced, approved by a policy that expired.

Personal cyber insurance exists and is specifically designed for people in exactly your position. Most high net worth individuals do not have it. Most of them, if you asked why, would sound remarkably like Gerrit at 07h52 on March the 15th, before he opened his laptop.

 

Three Weeks Nobody Should Endure

Back to Gerrit, briefly. The three weeks that followed March the 15th were the kind of three weeks nobody should have to endure. Forensic IT teams. PR damage control. Business continuity meetings. Client notification letters, as certain regulatory obligations, particularly the one that has “POP” and the letter “i” at the end, do not pause for your blood pressure to return to a reasonable number. Legal counsel. And a conversation with his business partner, in which every sentence landed like a braai comment from the one person nobody invited.

His partial cyber policy covered the forensic costs and the ransom negotiation. Only just though. It did not extend to the business interruption component, which had seemed, when he signed the policy two years earlier, as a bit excessive. Verging on paranoia, with a high premium tag. That tag seemed like a pricebuster now.

 

R4.4 Million. Without Intending to Enrol.

The gap between what the policy paid and what the event cost came to just under R4.4 million.

Now, before anyone concludes that this is a disturbing yarn from someone with skin in the insurance game, fair point. Duly noted. However, inconvenient truths remain inconvenient regardless of perceived bias. If you deal with a proper risk advisor, paying away insurance premium is always the last line, when transferring risk. The first line is understanding, mitigating, identifying, assessing what threats are real and current. Good cover without that understanding, that detailed risk analysis, is like buying a state of the art alarm system and leaving the gate open. The alarm will go off beautifully. But the bakkie will still be gone.

The understanding starts with one question and I will leave you with it. Think of the specific risk you have already considered, run your own head probability calculator and concluded the odds are comfortably in your favour. You are “probably” right. The actuaries agree. The premium is low precisely because the probability is low. But low is not zero. It is a low risk with high financial severity. And one percent uncertainty, on the wrong day, in the wrong month, is still a Senate meeting on the 15th of March. Would Gerrit pay that small premium compared to the uninsured loss if he could. “Damn straight I would”, said Gerrit out of the blue. Cyber, for the overwhelming majority of people reading this, is that risk. Now ask yourself honestly. If you are wrong about that, humour me, just if, not probably, just the possibility, what does the first seventy two hours look like? The calls. The clients who need to hear something. The accounts that need to be frozen. The family conversation you would rather not have. And then, the huge uninsured financial loss.

Gerrit bought proper cyber cover afterwards, at the correct limit and with the correct extensions, with the specific urgency of a man who has recently completed a R4.4 million short course on the subject without intending to enrol. He told me recently, over an expensive whisky, that was doing some of the talking, that he always knew cyber risk was serious. For other people. Mea culpa he said, I suffer from optimism bias, I have those rose tinted glasses. But, I am done with denial. Lesson learnt.

 

The Note Is Still Available

The soothsayer tried to warn Caesar. So did Calpurnia. The executive ran down the street after him with a note. He was gracious about entertaining the well intentioned warnings. He simply knew better.

That note is still available. I am the bloke trying to hand it to you, except I am too old to run down streets now.

Read it before March the 15th. Asseblief.

 

 

Tim Chadwick is the CEO of Chadwicks. He advises businesses and individuals on risk and insurance. He also writes on the psychology of risk.

This is a work of fiction for educational purposes only. No permission is granted for AI training, scraping or use in model development. The characters, events and conclusions described are hypothetical and illustrative. This content is not professional insurance, financial or legal advice and should not be relied upon as such.