Feature
CYBER ATTACKS HIT CLOSE TO HOME NZX hack a reminder that any business can fall victim. By Angela Cuming
2
020 has exposed our vulnerabilities in unexpected and worrying ways. The ongoing Covid-19 crisis serves as a grim reminder that global pandemics are a real and recurring threat, while the recent cyberattacks on the New Zealand Stock Exchange (NZX) are a stark reminder that even supposedly secure organisations are anything but. The effects of both will continue to be felt well after 2020 draws to a close, and insurance experts are warning that all businesses, big and small, need to take urgent steps to protect themselves from cyber-attacks. IT CAN HAPPEN TO US Dan Lowe, cyber specialist and senior underwriter at Vero Liability, says the impact of the cyber-attacks in the NZX will be twofold: a greater awareness of such attacks and a greater scrutiny on Distributed Denial of Service (DDoS) attacks. “First, a local example increases awareness of attacks occurring here in New Zealand and highlights that if the NZX isn’t immune to a cyberattack then no business is,” says Lowe. “Secondly, like any major insurable event it will likely see insurers ask more questions on other organisations that may face similar exposure to DDos attacks. “Standard market cyber insurance proposals won’t ask many questions around DDos mitigations implemented by a business, therefore the NZX attack may see insurers requesting additional underwriting information.” Insurance Council of New Zealand chief executive Tim Grafton says the widespread coverage of the attacks “hopefully” helped to raise awareness of the threat cyberattacks present to all New Zealanders and businesses. While there are steps everyone can take to minimise the impact of cyberattacks such as using a password manager and checking privacy settings, says Grafton, there is a concern that an estimated 90 per cent of small and medium businesses have no cyber insurance protection. “A risk of the NZX attack is that it may reinforce the perception that cyber only affects large organisations when the opposite is actually true,” he says. “In fact, SMEs are some of the most exposed and given their size often lack the resources and time to consider their risk and insurance needs and put in place good IT security measures.” The risk is a dangerous one, says Grafton. “The cost of an attack could be crippling,” he says, “especially if
6
December 2020
they are dependent on online channels - that has only increased since Covid-19.” John Moore, the financial lines manager and senior underwriter at Delta Insurance, says most Kiwi businesses are already aware of cyber risks like social engineering via phishing emails. “But the NZX DDos attack and targeted ransomware attacks on Fisher & Paykel and Lion has really highlighted in the media that these attacks are a real exposure for New Zealand businesses,” he says. “These attacks have definitely increased demand for cyber insurance quotes from New Zealand businesses.” THE EMERGING MARKET Cyber security insurance is an emerging area in the market, both globally and here in New Zealand. But why? Globally, the Covid-19 lockdowns have accelerated the transformation of the way people communicate and how many businesses operate permanently, says the ICNZ. “Digital platforms have come into their own supporting greater connectivity and more efficient and flexible working arrangements,” says Grafton. But any change brings its own risks and a cyber risk looms larger than ever, he warns, with incidents rising sharply. He points out that for the first half of 2020 CERT NZ reported a 73 per cent increase in incident reports, with 3100 incidents equating to $7.8 million in financial losses. But cyber insurance in New Zealand, relative to other parts of the world, is still in its infancy, says Vero Liability. “It’s a growing portfolio but they the penetration rate remains low,” says Lowe. “Many organisations still don’t believe they will be victims of an attack or are of the view that as they outsource their IT services to a third-party provider, they therefore don’t have cyber exposure.” In overseas markets two big drivers of cyber insurance penetration have been regulatory change and contractual requirements, says Lowe. Specifically, he says, regulatory change in respect to the introduction of data breach notification requirements has driven uptake. “For instance, the General Data Protection Regulation (GDPR) in the European Union and the Data Breach Notification Scheme in Australia has increased cyber insurance demand,” says Lowe. “The costs to notify affected parties in the event of a breach can be significant as can the fines for failure to comply with such legislation.
