Are cyber attacks on the increase in New Zealand?

If you read the media, it points towards that.  From AIG’s perspective, our cyber claim count in New Zealand has been increasing each year, as it has in other regions where we operate.  Importantly, our claims data shows that the severity of attacks is also increasing, with many claims coming from ransomware attacks. 

Who are the perpetrators of these attacks?

Attribution of an attack is often difficult given the anonymity available across the internet. Indicators of compromise can be investigated but attackers can obfuscate their real identity by spoofing IP addresses or domains.  Given the cross-border nature of cyber-attacks, it is difficult for law enforcement to hunt down attackers if they are based outside local jurisdictions. 

What kind of vulnerability leads to cyber-attacks?

AIG has managed cyber claims around the world for more than 20 years. Regardless of location, we have observed common vulnerabilities when conducting root cause analysis. This currently includes: 

    •    Lack of MFA (Multi-Factor Authentication) and RDP (Remote Desktop Protocol) ports exposed to the internet. MFA requires users to provide two or more verification factors to gain access to various systems, thus making it harder for attackers to gain entry.  RDP enables remote connection to corporate networks. Much of the world would have enabled employees to access company data while working from home. Attackers can gain a foothold into company networks if the connection between the remote worker and the corporate network is not secure.

    •    Not keeping software up to date, in particular missing high-severity patches for software with known vulnerabilities. 

    •    Employees falling prey to phishing emails. This can result in delivery of a malware payload or obtaining critical information about the employee or business. This information can then be used by the attacker for “social engineering”, i.e. tricking or manipulating people to make payments or give up confidential information that could be used to gain access to a system. 

What role can brokers play in guiding their clients on cyber risks?

Cyber risk has become the top risk faced by most organisations. Brokers can play an important role in helping a business to understand the risk in the context of their own operations and quantify their potential exposure. The cyber insurance market has hardened considerably in the past 18 months, with insurers focusing even more on quality risk controls. It is pivotal that brokers share the experience learnt from claims to help businesses strengthen their cyber posture and present the positive risk features to secure favourable terms from insurers. 

How can companies/organisations improve/increase cyber resilience? 

Cyber resilience should take a top-down approach and cannot just be left to the IT department. Every single employee should know how they contribute to cyber safety and what is at risk. There will be a combination of technical security controls: MFA, patching etc, along with employee awareness training and testing. If an employee can spot a scam or suspect email it will greatly reduce the chances of attackers gaining entry into the network. 

What kind of response plan should companies have in case they are ever hit by a cyber attack? 

Companies should anticipate cyber-attacks and be prepared with a mindset of not if, but when.

Many companies have business continuity plans/incident response plans, but often they do not include a playbook for the wide range of scenarios posed by cyber events. They will often underestimate the cost and time it takes to recover software and data, especially when there are many servers/workstations across large geographies, or the software is bespoke.  Plans will be unique to any given operation but could include responding to the public disclosure of sensitive information like customer records or employee payroll all the way through to a complete destruction or disablement of critical systems and data.  

Given the vast digitalisation of many businesses, it is becoming ever more difficult to serve customers without access to systems, so it’s crucial that businesses are prepared to act quickly if they are taken down by an attack. 

Some of the things that can be considered in preparation for an incident:

    1.    A documented and well-practiced incident response plan.

    2.    A backup regime in line with criticality of systems, including periodic backup and restore drills which involve restoring systems from backup media, which are then tested by business teams.

    3.    Senior management that is familiar with and trained in dealing with cyber-attacks.

    4.    A pre-identified cyber response team comprising breach counsel and forensic and crisis communications partners to assist during a cyber attack.

What insurance products can help and are there any new products being developed to provide coverage in this area? 

Cyber insurance is available to help with the first party expenses and third-party liability that can arise from a cyber event. 

For example, cyber incidents can impair business operations and cause a loss of profit which can be indemnified, along with the forensic accountant costs to calculate the loss. 

Ransomware is now a common attack vector, so companies are increasingly faced with the complexities of ransom demands that require support from their insurer to validate and end the threat. 

Additionally, as privacy legislation ramps up, the need to notify affected parties and regulators is more likely and usually requires legal assistance. In many jurisdictions, regulatory investigation, fines and penalties are possible, as are civil actions from third parties affected by the company who has suffered the attack. 

A critical part of our coverage goes beyond covering these costs.  Policyholders have access to our panel of incident response experts that can assist organisations through an event, mitigating further losses and speeding up recovery times.  This includes legal counsel to advise on various legal considerations including notification obligations, as most attacks involve confidential or private information; incident response vendors to triage the attack, and to secure and recover critical systems and data; and crisis communications consultants to manage messaging to the public and other stakeholders.

In addition to sharing the learnings from our claims, AIG also offers policyholders access to other tools and resources to help educate businesses or mitigate their cyber risk such as an eLearning platform and phishing simulator, threat alerting, vulnerability scanning and more.

December 2021