This article was written by Tim Chadwick and an abridged version was published by News24 on 17 January 2026.

 

The Day The World Went Quiet

#cyberinsurance #riskmanagement

 

The Blinking Lights

Pieter van der Merwe, the IT guy at YeboYes, watched the router light blink.

Off. On. Off again. It had been doing this for eleven minutes, which was approximately ten minutes longer than his patience generally lasted.

“Is it still down?” Wilma Croft, the Ops Manager, adjusted her sky blue spectacles and called from her desk, her voice dripping with that particular tone people use when they already know the answer, but want company in their misery.

“It’s just load shedding,” Pieter announced with the confidence of someone who had not checked their insurance policy. “Router will bounce back now-now.”  Then Pieter, after reassessing the blinkies, muttered under his breath “Ag nee” which in this context meant yes it is down, no I cannot fix it and also I am reconsidering every life choice that brought me to this moment.

Wilma also did not look convinced. She had learned, through painful repetition, that Pieter’s technical optimism operated on the same principle as a teenager’s promise to clean their room: sincere in the moment, unsupported by reality and with zero empirical evidence.

Fifteen minutes became thirty. Thirty became an hour. The phones worked, which was interesting. The kettle worked, which was crucial. But the internet had decided to leave the room, taking with it their access to invoicing, banking, email, cloud spreadsheets, templates, processes and the singular joy of pretending to be productive while scrolling.

The bottom line is that the internet had died at 14:47. Not spectacularly. Not with a warning. It just… stopped. As if the entire digital world had decided to take a smoke break and forgotten to come back. WhatsApp groups went silent. Email froze mid sentence. The accounting system, which controlled everything from payroll to petty cash, became an expensive paperweight.

Pieter’s CEO, Simon Smit, appeared in the doorway with the expression of a man who had just discovered his braai had no charcoal. “So boet, what’s the story?”

“The story,” Pieter said slowly, “is that we are offline. The main line is dead. The backup line is dead. I have tried three different service providers and they are all giving me the same gobbledygook about ‘network issues’ and ‘investigating the matter’.”

“Can you not just… MacGyfer it, SA style? What about trying some IT cable ties?” said an agitated Simon.

 

When One Thing Breaks Everything Else

By lunchtime, three things had become patently clear.

First, it was not load shedding. Second, it was not just their office. Third, explaining to a client why you cannot process their urgent order as “the internet is down” sounds less professional than it should, given how often it happens.

The first call to their ISP produced the standard response: “We are aware of the issue and our engineers are working to resolve it.” This is customer service speak for “we have no idea, but please stop calling.”

The second call, made with a tad more aggression and less hope, revealed the truth. One of the main undersea cables serving SA was damaged by a cargo ship dragging its anchor. Not the small local fibre that runs under the pavement and gets severed every time someone plants a shrub. The big one. The one that connects Southern Africa to the rest of the world. The one you did not know existed until it stopped existing.

What is worse is that the USA was experiencing one of their most devastatingly coordinated cyber attacks ever, the perfect IT risk storm of momentous proportions.

Wilma did the math in her head. No cloud access meant no accounting software. No email meant no client communications. No payment gateway meant no collections. No collections meant no cash flow. No cash flow meant explaining to staff why salaries might not be paid this month.

But this pickle was way above her pay grade, a task for Simon no doubt.

 

Get Particular About Risk

Now, before we spiral into full claimageddon, it is worth understanding what kind of disaster this really is. Risk comes in two flavours and knowing which you are chewing on determines whether your insurance provider will take your call or send you straight to voicemail.

Particular risks are the everyday disasters. A pipe bursts in your building. Your server catches fire. A staff member accidentally deletes the wrong database while trying to impress someone on LinkedIn. These are localised, containable and, crucially, usually insurable. Not everyone suffers at once, so the insurer can spread the load and pay your claim without declaring bankruptcy.

I say usually insurable, as not all cyber insurance polices are created equal. For example, a staff member accidentally deleting something is often referred to as “a first party insured cyber event” or “non-malicious first party cyber loss” acts on cyber policies. Check that your policy is clear on this, as some cyber polices may not cover this. And if they do, they will usually say in the policy, that a requirement of cover is that you back up your data regularly and have off site copies.

Fundamental risks, on the other hand, are the ones that make underwriters reach for whiskey. These sweep across whole systems, entire economies, sometimes continents. Think recessions. Wars. A solar storm that fries half the satellites orbiting Earth. Think Covid 19 and Grid Failure. Or an undersea cable getting severed in a way that cripples internet access for millions of people simultaneously.

The problem with fundamental risks is scale. When everyone is hit at once, insurance cover generally grinds to a halt. The principle of pooling risk collapses when the pool itself has capsized. Which is why, if you read your cyber policy carefully, and you should, you will notice certain exclusions clustered around war and system wide failures that affect national infrastructure.

This is not insurers being difficult. They share the same reinsurers globally and those reinsurers have spent considerable time calculating what would happen if, say, the entire American data centre market went offline for a sustained period. The calculation involves a lot of zeros and ends with the words “catastrophic” and “fundamental”. Exclusions exist not to cut corners, but to prevent the entire insurance market from experiencing its own extinction event.

When the internet’s lights go out, the Latin term causa proxima non remota spectatur may spring to mind – for lawyers and insurance people only mind you. This is more commonly known in insurancespeak as the “Proximate Cause”, which is to say, the proximate or dominant cause, not the remote one, is examined when ascertaining if an event is insured or not. If a hacker breaks into your system and encrypts your data, that is proximately a cyber incident and something a well constructed cyber policy should respond to.

If a nationwide cyber operation brings down the entire power grid, which then takes out your systems along with everyone else’s, you are in fundamental risk territory. Your policy will most probably point you towards an “Infrastructure Failure” or an “Utility Interruption Failure” exclusion and wish you, as nicely as possible, the best of luck.

 

The Internet Is Fundamentally Scary

The internet, that invisible blanket we have pulled over everything, from banking, to dating, to ordering vetkoek at 22:00, did not arrive fully formed. It crept up slowly, starting in the 1960s as a handful of university computers sharing data. ARPANET, they called it. A defence project that, by accident, became the backbone of modern civilisation.

By the time protocols like TCP/IP stitched it all together, we had built something extraordinary: a global network with no single owner, governed by a patchwork of governments, companies and standards bodies who mostly agreed not to break it too badly. Redundancies were built in. Backup cables. Satellite links. Multiple routes for data to hopscotch across continents.

And yet… the threats are multiple.

Remember South Africa’s little scare in March 2024? Several undersea cables along the coast of Côte d’Ivoire were damaged (likely due to an undersea rockslide). For a sustained period, South Africans experienced the specific joy of loading a webpage and watching the little circle spin until it gave up. International services slowed to the pace of a government department on a Friday afternoon. Repairs took weeks. The lesson was clear. We rely on a handful of cables, landing at a handful of points, maintained by a handful of operators. Cut enough of them and you are back to pigeons and smoke signals.

But a full collapse? That would be something new. Something fundamentally debilitating.

Think the unthinkable, catastrophic scenarios like: a solar storm that fries transformers across a continent, an electromagnetic pulse from a conflict the world had hoped would stay theoretical or a coordinated dark net cyber operation targeting critical infrastructure during, say, a geopolitical tantrum or IoT devices turned into botnets for massive denial of service attacks. Add the odd junior IT technician who misconfigures a router and accidentally blacks out half a region (which happens more often than anyone cares to admit).

And, perish the thought, imagine these events happening simultaneously. Fundamentally scary.

 

America Keeps Everyone Awake

Here is another sobering fact.

North America holds roughly 40% of the world’s data centre capacity. The United States alone accounts for about 45% of global data centres and a similar share of IT power capacity. Most of the big cloud providers, the platforms you use daily, the AI clusters chewing through electricity like it is going out of fashion, all sit in the USA.

Which means that if something serious happens to North American infrastructure, particularly the power grid or key fibre routes, many global services stop working.

Internet risks are ever increasing. Potential cyberattacks on US critical infrastructure are clear and present. The power grid is under stress from rapid data centre growth. Climate disasters are becoming less theoretical and more frequent. A prolonged USA outage would not just affect Americans. It would ripple everywhere, as, rightly or wrongly, we have built a system in which much of the world’s computing power is concentrated in one geographic location.

I am not being pessimistic.

The facts that are pessimistic.

What Your Cyber Policy May and May Not Do

So, what will most comprehensive cyber insurance policies usually cover you ask.

First, the costs of investigating and responding to a breach. Forensic teams do not work for free and you will need them to figure out what happened, how bad it is and whether the attacker left a calling card.

Second, the cost of restoring your systems and data from an insured cyber event. This includes bringing in specialists, rebuilding servers and recovering from backups, assuming you have backups worth recovering (this is usually a cyber insurance policy requirement).

Third, business interruption losses during the covered cyber event. If a ransomware attack locks you out for forty days and your turnover reduces, your cyber policy should compensate you, subject to the t’s and c’s – think definitions, exclusions, limits and waiting periods.

Fourth, liability to third parties if the breach exposes their data or disrupts their operations. Think Legal fees. Settlements. Regulatory fines, possibly.

What your policy will almost certainly not cover are the big systemic fundamental risk events. Like war and terrorism. Like nationwide power grid failures or the complete collapse of major cloud providers without physical damage. These sit in the exclusions, often worded similarly across different insurers, as they all rely on the same reinsurance market and nobody wants to be the one holding the baby when fundamental risks arrive.

This is not a flaw in your policy. This is insurance reality.

The goal is not to find a policy with no exclusions. The goal is to understand exactly where your cover stops, so you can plan properly.

 

What You Need To Do

Okay then. Here are a few business survival tips to give yourself a fair chance of having peaceful weekends.

Tip 1. Draw the picture. Start at the customer and work backwards through every step that must function for you to deliver when offline. For each step, note which online digital tools are involved and which suppliers sit behind those tools. This is not glamorous work. It is the colonoscopy. Nobody wants it, but it is needed to see what is really going on. It usually involves a whiteboard, at least three smart people giving three different answers about how the payment system works and perhaps the uncomfortable discovery that nobody is entirely sure what happens between the customer clicking “submit” and the money arriving in your account. Admittedly, drawing boxes on a whiteboard may feel like Grade 3 art class, but it beats a public apology, plausible deniability excuses and awkward shareholder meetings when proper process mapping is skipped.

Tip 2. Design your systems with the assumption that the internet will fail. Not might fail. Will fail. Keep critical operations accessible on your internal network so you can function in island mode when the outside world goes dark. Ideally, use multiple ISPs, multiple Cloud storage systems and different connection types. For optimum redundancy, try to have fixed multiple fibre lines with exposure to various undersea cables, plus multiple fast cellular data access points, plus fast satellite if you can justify it (let’s hold thumbs Starlink or similar comes to SA soon).

And for larger businesses, look into creating your own in house intranet. Have on-premises offline digital storage of key information. I am about to say something that sounds like high treason coming from a paperless disciple, but here it is anyway: keep paper copies of key processes, supplier lists, templates, contracts, SLAs etc. Yes, paper. I cannot believe I just typed that, but we live in interesting times. And keep at least two to three copies of this critical information off premises. Different locations. Different buildings. Different people you can trust.

Clutch comms moment one. WhatsApp, which is the flavour of the month comm tool in SA, is not the reliable friend you may think it is. Unlike SMS, which is handled by local cell towers right here in SA, WhatsApp messages must ping-pong through Meta’s international servers, and if the internet is down, well… WhatsApp becomes a decorative app icon, and SMS, that forgotten tool in SA, becomes your best friend again.

Clutch comms moment two. Cellular data will not vanish, but it will feel properly bricked. Your cellphone will work, technically, but only for local South African content. That is okay if you are ordering a bunny chow from the oke down the road, less fine if you are trying to access your cloud accounting system hosted in Dublin.

Landlines deserve their own special mention. VoIP landlines, the ones that run over the internet, will fail. Old school copper landlines, the kind your Oupa had, should work just fine locally. International calls, however, will fail or drop, leaving you explaining to overseas clients why you keep disappearing like a New Year’s resolution in February.

The takeaway, diversify your digital communication tools the way you diversify your investment portfolio.

Tip 3. Secure proper cyber insurance, but do so through risk professionals and with your eyes wide open. Understand the exclusions. Push your Risk Advisor to explain precisely what constitutes a covered event versus a systemic fundamental disaster. Make sure the policy includes non-malicious events, business interruption from insured cyber events, third party cyber liability, restoration costs, to name but a few.

Tip 4. Clarify your force majeure (superior force) and vis major (greater force – usually a synonym for acts of god) contract clauses with your legal team. These are the contractual escape hatches for when extraordinary events make reasonable performance impossible. For example, make sure your agreements with clients, suppliers and vendors include solid provisions covering grid collapse, cable failures and major cloud/internet outages. This will not stop the disaster, but it may mitigate risk beyond your control. Push your suppliers to commit to reasonable redundancy, but accept they will also exclude systemic events in their terms, because they are operating under the same constraints you are. And remember, a vis major contract exclusion will not save you from negligent acts, poor design, foreseeable events and the like. Put another way, one cannot simply contract out of negligence by calling it a vis major.

Tip 5. Consider offline AI. Many businesses have developed a dependency on AI tools. All of which, of course, require internet access that is often as reliable as finding a pen that works in a bank. Offline AI platforms do exist. For example, LocalAI and others can be downloaded to a desktop for offline use. Similar tools can run on mobile devices. They are not as current or powerful as their cloud based cousins, but they can handle basic tasks when your connection is kaput. The tradeoff is hardware. These platforms need serious computing muscle. High RAM/VRAM is not a nice to have anymore, it is rapidly becoming essential. Download LocalAI to your five year old laptop and watch it wheeze, overheat, then shut down without warning, like an old bakkie on a Karoo back road. What used to be called a supercomputer is fast becoming standard digital equipment.

Tip 6. Give decision makers a comms script for the first hour. Who declares the incident? Who speaks to customers. Who contacts suppliers. Who handles social media. A clear update in the first hour buys time and reinforces credibility. Radio silence buys speculation and speculation is the mother of wild conspiracy theories, urgent board meetings and expensive consultants. Decide in advance, write it down and keep it somewhere people can find it when the universe decides to audit your optimism. In other words, not buried in a SharePoint folder that requires three passwords, 2 way factor authentication and divine intervention to access.

Tip 7. Test the ugly spinning wheel day. A business continuity plan that lives only on a shelf is as good as an empty fire extinguisher. Once or twice a year, deliberately break something. Figuratively speaking of course. Turn off a key system for an hour. No warning. See what happens. You will discover which processes work, which people stay calm and which ones freeze like a rabbit doing long division. Usually one person, often the quiet one nobody listens to in meetings, will calmly retrieve the plan and execute it with military precision, while everyone else is still searching for the emergency contact list. Give that person a raise and bubble wrap them for safekeeping.

Finally, keep in mind that you should always aim to treat insurance as the last line of defence or protection, and to approach risk mitigation, including contractual mitigation and risk control, as the first line.

 

Action Trumps Denial

This may be cold comfort, but I will say it nonetheless.

Everyone is in the same boat. If the internet fails, we all fail together. The difference between businesses is often not who found a secret insurance policy that covers everything (and no, this secret policy does not exist). The difference is usually who designed hybrid risk systems with real redundancy, who purchased proper cyber cover for disasters and who negotiated their contracts so they are not totally without protection should fundamental risks occur.

YeboYes’s router came back online – eventually. The undersea cable was repaired. The USA recovered. Life resumed.

But the business lessons hit home hard. The internet is a fragile, co-operative system held together by a mass of cables, agreements and quite frankly, hope.

And when it breaks, your cyber insurance policy may help you with some of it, your contracts may shield you from some of it and for the rest, you will have to survive with manual processes, offline backups and the satisfaction of having planned for the disaster before it found you.

Exhibit A: the internet. Convenient until it is not. Insurable up to a point. Fundamentally uninsured beyond that point.

Think strategically, think risk, ask uncomfortable questions and then: plan, action, test.

Rinse and repeat.