Cover Story
CYBER ATTACKS AND THE INSURANCE RESPONSE by Andrew Horne, Minter Ellison Rudd Watts
New Zealand’s stock exchange, NZX, suffered cyber-attacks on six consecutive working days earlier this year. The attacks left it unable to facilitate trading in shares, in its debt market, the Fonterra shareholders’ market and derivatives market, although participants remained able to conduct direct, negotiated trades. The NZX attack is typical of cyber-attacks against businesses, which are becoming increasingly common.

What do these attacks involve?

The attacks were “distributed denial of service attacks” or DDoS. Cyber criminals carry out DDoS attacks by taking over processing capacity on thousands of private computers, usually without their owners’ knowledge, by infecting them with “malware” that causes them to operate as a “botnet” or network of “bots” which carry out the criminals’ instructions. The infected computers are known as “zombie” computers. The criminals instruct the zombie computers to send packets of data to flood targeted companies’ websites, servers and networks with volumes that they are unable to accommodate. The computers do not have to be personal devices; in 2016, around 190,000 internet-connected cameras were infected and used to conduct a large-scale DDoS attack that affected large parts of the internet on the eastern coast of the US.

A DDoS attack is challenging to repel because the target does not wish to bar access to legitimate users, but it cannot know until the attack begins whether computers that are sending it data are zombies or legitimate users. The zombies’ IP addresses must be identified and their data blocked at the internet service provider level.

How serious a problem is this?

DDoS attacks are increasingly common. Recently, in New Zealand alone, cyber criminals attacked the websites of Westpac and TSB banks (although it is unclear whether the latter was a DDoS attack), MetService and the Mount Ruapehu skifield car parking website, and they have also attacked the media firms Stuff and Radio NZ.
The Government Communications Security Bureau estimates that, since 2016, it has prevented $100 million in loss and damage from cyber-attacks, although this figure will include many forms of attack. It provides assistance to private companies, although it does not release the names of those who have suffered attacks because it wishes to encourage victims to report attacks when they occur.

Crown cybersecurity agency Cert NZ recently issued an alert about DDoS attacks or threatened attacks by people identifying as Russian, who were targeting financial businesses in New Zealand. Cert NZ reported that, in 2019, it received 84 incident reports about DDoS attacks, including where criminals had emailed companies to threaten a DDoS attack unless they paid a ransom before a deadline. In some instances, the criminals carried out a demonstration attack against the company’s IP network to prove their capability and intent.
December 2020
What losses do victims suffer?

Typically, criminals who carry out DDoS attacks request a ransom payment to prevent the attacks in the first place or to cease attacks and not carry out any more. The GCSB Minister, Andrew Little, identified that NZX received a ransom demand before its DDoS attacks, asking for a large payment in bitcoin. It is not known whether any New Zealand victims have paid ransoms, but companies overseas are reported to have done so. Cert NZ recommends against paying ransoms on the basis that this could result in the victim being targeted again, but it must be tempting for a company that is struggling to deal with an attack to pay up.

In most cases, the greater loss is to businesses where a DDoS cyber attack prevents them from providing services to customers, so they lose income due to downtime. Victims may incur liability to customers if their inability to provide services, such as an inability to allow customers access to their data,