2020 has exposed our vulnerabilities in unexpected and worrying ways.
The ongoing Covid-19 crisis serves as a grim reminder that global pandemics are a real and recurring threat, while the recent cyberattacks on the New Zealand Stock Exchange (NZX) are a stark reminder that even supposedly secure organisations are anything but.
The effects of both will continue to be felt well after 2020 draws to a close, and insurance experts are warning that all businesses, big and small, need to take urgent steps to protect themselves from cyber-attacks.
IT CAN HAPPEN TO US
Dan Lowe, cyber specialist and senior underwriter at Vero Liability, says the impact of the cyber-attacks in the NZX will be twofold: a greater awareness of such attacks and a greater scrutiny on Distributed Denial of Service (DDoS) attacks.
“First, a local example increases awareness of attacks occurring here in New Zealand and highlights that if the NZX isn’t immune to a cyberattack then no business is,” says Lowe.
“Secondly, like any major insurable event it will likely see insurers ask more questions of other organisations that may face similar exposure to DDoS attacks.
“Standard market cyber insurance proposals won’t ask many questions around DDoS mitigations implemented by a business, therefore the NZX attack may see insurers requesting additional underwriting information.”
Insurance Council of New Zealand chief executive Tim Grafton says the widespread coverage of the attacks “hopefully” helped to raise awareness of the threat cyberattacks present to all New Zealanders and businesses.
While there are steps everyone can take to minimise the impact of cyberattacks such as using a password manager and checking privacy settings, says Grafton, there is a concern that an estimated 90 per cent of small and medium businesses have no cyber insurance protection.
“A risk of the NZX attack is that it may reinforce the perception that cyber only affects large organisations when the opposite is actually true,” he says.
“In fact, SMEs are some of the most exposed and given their size often lack the resources and time to consider their risk and insurance needs and put in place good IT security measures.”
The risk is a dangerous one, says Grafton.
“The cost of an attack could be crippling,” he says, “especially if they are dependent on online channels - that has only increased since Covid-19.”
John Moore, the financial lines manager and senior underwriter at Delta Insurance, says most Kiwi businesses are already aware of cyber risks like social engineering via phishing emails.
“But the NZX DDoS attack and targeted ransomware attacks on Fisher & Paykel and Lion have really highlighted in the media that these attacks are a real exposure for New Zealand businesses,” he says.
“These attacks have definitely increased demand for cyber insurance quotes from New Zealand businesses.”
THE EMERGING MARKET
Cyber security insurance is an emerging area in the market, both globally and here in New Zealand. But why?
Globally, the Covid-19 lockdowns have accelerated the transformation of the way people communicate and how many businesses operate permanently, says the ICNZ.
“Digital platforms have come into their own supporting greater connectivity and more efficient and flexible working arrangements,” says Grafton.
But any change brings its own risks and a cyber risk looms larger than ever, he warns, with incidents rising sharply. He points out that for the first half of 2020 CERT NZ reported a 73 per cent increase in incident reports, with 3100 incidents equating to $7.8 million in financial losses.
But cyber insurance in New Zealand, relative to other parts of the world, is still in its infancy, says Vero Liability.
“It’s a growing portfolio but the penetration rate remains low,” says Lowe.
“Many organisations still don’t believe they will be victims of an attack or are of the view that as they outsource their IT services to a third-party provider, they therefore don’t have cyber exposure.”
In overseas markets two big drivers of cyber insurance penetration have been regulatory change and contractual requirements, says Lowe.
Specifically, he says, regulatory change in respect to the introduction of data breach notification requirements has driven uptake.
“For instance, the General Data Protection Regulation (GDPR) in the European Union and the Data Breach Notification Scheme in Australia has increased cyber insurance demand,” says Lowe.
“The costs to notify affected parties in the event of a breach can be significant as can the fines for failure to comply with such legislation.
“Secondly, supply chain contracts are inserting requirements for cyber insurance to be purchased,” Lowe adds.
“Before a supplier or customer is prepared to share data, for which they are ultimately responsible, they want contract certainty that the engaging party has cyber insurance.
“As a result, I think that cyber insurance will see increased market penetration in New Zealand with the introduction of the Privacy Reform and supply contracts inserting cyber insurance requirements as common place.”
ACCESS ALL AREAS
So, what types of cyber security coverage can insurers offer?
Key elements to a cyber insurance policy cover business interruption, forensic investigation, data loss recovery, legal costs, and crisis management, with each responding to a unique part of the claim.
“Importantly insurers have cyber response teams that operate 24/7 and are ready to respond immediately in the event of an attack,” says Grafton.
“Once notified, insurers coordinate the appropriate response to the cyber incident, be it phishing, ransomware or data breach.”
An initial response may include a forensic investigation of what information was stolen, how the attacker gained access to the system, and the extent of the damage, says Grafton, adding that policies will cover damage to systems, restricted access to them, and losses if the business is unable to operate.
One of the lesser-known responses provided by a cyber insurance policy is the provision of a public relations adviser, says Grafton.
“For some companies, the reputational damage caused by a cyberattack can be more damaging than the financial loss,” he says, “and having access to expert public relations will help address reputational losses.”
The big development to watch will be when privacy reform comes into effect here in New Zealand on December 1, says Vero Liability.
“With it comes mandatory notification in the event of a breach of personal data that has the potential to cause harm,” says Lowe.
“This means in the event of a data breach involving personal information you need to notify both the Office of the Privacy Commissioner and all the affected parties,” he says.
“The costs to notify in the event of a privacy breach and potentially any ID replacement or credit monitoring costs can be covered under a cyber insurance offering, policy wording and optional extensions dependent.”
Lowe agrees with the ICNZ that one of the most valuable things obtained from cyber insurance is the panel of experts the insurer has in place to assist in investigating and responding to a cyber incident, which include IT forensics, legal and public relations firms.
“In the event of a breach insurers provide a 24/7 hotline which the insured can call to triage the breach and depending on the scale and nature of the breach engage these experts to assist in mitigating the impact,” says Lowe.
“With cyber breaches the ability to respond and recover quickly and effectively could be the difference for business survival.”
THE QUESTION OF COVID
So, has Covid-19 heightened the risk of cyber-attacks and impacted the cyber security insurance sector?
Yes, say the experts, with the new normal of working from home a big factor.
“The impact of Covid-19, of course, has been that staff home computers are now part of the firm's IT system, which makes it a lot more vulnerable,” says Dr Michael Naylor, a senior lecturer in finance and insurance with Massey University's School of Economics and Finance.
The answer, says Naylor, is for firms to make sure each staff member’s home computer is included into the firm’s security system.
“Firms may even have to look at ensuring all staff have work laptops and phones and don't use other computers and phones,” he says.
“It seems obvious, but firms often don't,” Naylor adds.
Firms should be buying so-called “black phones” – phones based on early Blackberry systems, where all data and communication are encrypted – to separate work from personal communication, but don’t, says Naylor.
“Advisers need to be very aware that they hold confidential client info and any release of these could destroy their firm's reputation.”
Lowe agrees that working from home has increased the risk of cyber-attacks in a post-pandemic world but says the underlying security gaps exploited through Covid-19 are not new.
“Attackers are still taking advantage of many of the same historical cybersecurity weaknesses,” says Lowe.
“As an example, most successful attacks we see still start from an organisation’s weakest cybersecurity link – their staff.
“This can include an employee clicking on a link in an email which releases malware, inadvertently handing over their login credentials providing network access to the attacker, or acting on a fraudulent instruction received from someone purporting to be their manager.”
Staff, therefore, remain the most exploited vulnerability but user awareness cybersecurity training is not as commonplace as it should be given that all staff form part of an organisation’s cybersecurity resilience, says Lowe.
An ever-increasing attack surface is not a new threat for organisations to deal with either, says Lowe.
“Reliance on technology solutions for organisations has been on the rapid rise for years and with continued digital transformation comes an ever-widening entry into an organisation for attackers,” he says.
“I’d argue Covid-19 hasn’t revealed any new threats, the threats remain the same: Credential harvesting; fraudulent impersonation; phishing scams; denial of service attacks; ransomware,” adds Lowe.
“Instead, the avenues in which attackers can deploy their existing tactics widened and many organisations became more vulnerable because of the pandemic.”
Laura Murray, the head of personal cyber at Delta Insurance, says “opportunistic cyber criminals” have used the pandemic to their advantage.
“Since the Covid-19 crisis took off, phishing scams have spiked by over 60% according to those monitoring the dark web,” says Murray.
This method of cyber-crime has increased for several reasons, she says.
“People are spending more time online in lockdown, they’re hungry for any information on Covid-19 and how to survive it, they are receiving a large volume of contact from banks and other businesses providing updates on their operating hours and Covid-19 responses, and people are away from their more protective work IT environment.
“As a result, individuals are more vulnerable to phishing and phishing attempts, especially those that purport to have valuable information, advice or warnings about the pandemic.”
The statistics paint a stark picture.
In 2019 there were almost 5000 cyber-security incidents in New Zealand, and these are only those that were reported to CERT NZ. The biggest proportion of the reports were phishing and credential-harvesting attacks, with a financial loss of almost $17 million.
For its part, the ICNZ says it has not collected any data that could say it is attributable to Covid-19.
“However, as we said, if businesses operate more from home environments, this may increase cyber risks for some,” says Grafton.
“And while we don’t have specific Covid-19 insights, the number of recent attacks we have seen that impacted Metservice, the Ruapehu ski field car park and a number of other organisations has hopefully reminded people that New Zealand is not immune to cyber-attacks.”
PREVENTION IS BETTER THAN A CURE
Cyber threats and resilient technologies are continually evolving, requiring constant vigilance and the ability to adapt system controls in a risk-based manner.
On the question of what businesses can do to protect against cyberattacks, the ICNZ says it is not just a matter of transferring risk to insurers, but rather approaching them and answering their questions to highlight vulnerabilities and point to resilient solutions.
“Businesses must talk with their broker or adviser to ensure they fully understand the risks that they face, otherwise there could be a whole host of risks and liabilities that they aren’t covered for,” says Grafton.
Vero Liability recommends implementing basic cyber security hygiene to protect businesses, particularly SMEs, against cyberattacks.
“Attackers will often take the path of least resistance and a large number of the attacks we see still arise from a lack of basic hygiene,” says Lowe.
That means things like not installing the latest security updates (patching) made available by the software or systems vendor; no off-site backups, or backups that are not regularly tested for assurance and completeness; no multi-factor authentication enabled; not restricting access rights to a need-to-do business basis only; not removing access rights for temporary or terminated staff; and not implementing user awareness training to assist staff in detecting and reporting suspicious emails, links or attachments.
“I also urge businesses to seek independent cybersecurity advice which is specific to their business and cybersecurity needs,” says Lowe.
“The most critical digital business assets or sensitive information is different for every business and no business has an unlimited cybersecurity budget.”
While cyber insurance continues to grow, it is not the answer, says Lowe.
“It should only form part of an overall risk management solution and a cybersecurity specialist can provide value in undertaking a cybersecurity audit, understanding your specific risks, and highlighting cybersecurity gaps,” he says.
“Their findings can then be used by business owners to assist in the decision of where to invest their cybersecurity budget and what risks can be avoided, mitigated, accepted and transferred.”
In the end, cyber insurance is post-loss rather than pre-loss risk management, says Lowe.
“It doesn’t deal with detection and prevention, and only forms a part of your overall response and recovery risk management,” he says.
WHERE TO FROM HERE
Naylor says that while cyber insurance is a rapid growth area, insurers and reinsurers are being conservative by still pricing it quite high, as the potential costs are unknown and that in general, insurers are not pushing it for that reason.
“My data suggests that household computer issues are lessening, as modern virus software is becoming very efficient compared to a decade ago,” says Naylor.
“However, organised attacks against businesses seems to be increasing, and becoming very sophisticated,” he says, “and this is worrying insurers a lot.”
Some international insurers and reinsurers are starting to invest heavily in research and upskilling in this area, mainly with the aim of understanding the risk, says Naylor.
“There is, however, a huge market in offering advice, both beforehand on how to reduce risk, and after on how to cope with threats,” he says.
“This is a huge future potential area of revenue, but most New Zealand insurers can't cope well with their own risks, let alone offer advice.”