This page contains an introduction to cyber risks and cyber risk insurance, and provides links to further information.
What are cyber risks?
Cyber risk is the risk of financial loss, disruption or damage to the reputation of an organisation from the breach of its computer and information technology systems.
Cyber security breaches against individuals and businesses are increasing in prevalence. According to the New Zealand Government cyber security initiative Connect Smart:
- 83 percent of New Zealanders have experienced a cyber breach.
- 60 percent of cyberattacks target small-medium enterprises.
- Cyberattacks cost New Zealand businesses $257 million in 2015.
- The retail and financial services sectors are most at risk of a data breach.
- Credit card details are worth up to USD$20 per card on the black market.
- Almost 1 million new pieces of malware were created every day in 2014.
The types and origins of cyber risks are numerous, varied, and complex, as are the consequences of suffering a cyber risk event. Cyber risks are most often posed by external hackers conducting cyberattacks on particular, targeted companies. Hackers commonly target credit card information, personally identifiable information, personal health information and businesses’ intellectual property.
Some common types of cyberattack include:
- Denial of service attacks, which prevent access to a system resource or delay system operations and functions.
- Malware, which is a catch-all term for different types of malicious software. Common types of malware include ransomware, spyware and viruses.
- Phishing and whaling are increasingly sophisticated “drive-by” attempts by hackers to get people to divulge sensitive or confidential information like usernames and passwords, account information, and credit card details. Whaling aims for ‘bigger fish’, often by sending an email to staff that very convincingly appears to be from an executive or senior manager and asking for certain actions to be performed, like immediate payment of an account.
- Ransomware, which blocks access to a computer system (like a denial of service attack) until a ransom is paid.
- Spyware, which uses an Internet connection to send personally identifiable information to a collecting device on the Internet.
- Viruses, which replicate and modify the existing software on a system. Viruses rely on users of a computer system to activate them, and are often hidden in attachments to emails.
90 percent of cyber incidents begin with a human error in the organisation being attacked, which makes education about cyber risks and robust cyber risk management extremely important. Victims are also very often unaware that a cyber breach has occurred; it may be some years before a breach or its consequences are discovered. The average amount of time a breach goes unnoticed is around 9 months (240 days).
Insurance is just one aspect of the equation when it comes to good cyber risk management, and not all cyber risks are insurable. See below for a description of what to look out for when determining if something is insured or not insured under insurance policies available in the New Zealand market.
Many factors contribute to a significant increase in cyber risk, including:
- An increase in the volume of data available on the Internet, which roughly doubles every two years.
- An increase in the use of computer technology and the Internet in commerce, particularly an increased reliance on cloud computing, big data, Internet of Things, and data sharing through a business’ supply chain.
- An increase in the number and sophistication of cyberattacks, cyber attackers, and the increased threat of large scale cyber terrorism events.
- The malicious or inadvertent (but negligent) actions of employees with access to or an interface with an organisation’s computer systems.
- Many traditional business risks are limited by the location of the business (such as natural disasters like fire, flood, etc.). The Internet is borderless: a hacker can attack a business with an Internet connection from anywhere, anytime. See for example this real-time map of global cyberattacks: map.norsecorp.com
- Many traditional business risks are posed by known or knowable entities (such as liabilities to clients for negligent provision of goods or services). Cyberattacks can come from a much broader range of malicious threats.
What could happen to a company that suffers a cyber incident?
Sensitive or confidential data belonging to companies or their customers may be stolen, destroyed, or revealed to the public. Aside from the obvious loss in company property and the need to reinstate data and computer systems, there may also be a risk of financial costs associated with legal liabilities owed to third parties because of the cyber incident that has impacted you.
A company may face subsequent reputation damage, and share prices may decrease as consumers and investors lose confidence in that company. While this is a concerning potential source of financial loss, it is not insurable, meaning companies need to focus on other measures to appropriately manage that risk.
60 percent of small businesses go out of business within six months of a cyberattack, according to a survey conducted by the United States’ National Cyber Security Alliance (www.staysafeonline.org). This makes management of cyber risks and insurance to manage the financial consequences of certain risks extremely important.
There may be regulatory proceedings and statutory fines relating to a data breach. While New Zealand does not yet have a mandatory reporting regime for breaches of privacy or data breaches, some of the requirements overseas are onerous, and failures to report can result in hefty fines. The Minister of Justice has announced that new privacy legislation will be introduced before the end of 2016, and that legislation will have some provisions requiring mandatory reporting of breaches.
What is cyber risk insurance?
Insurance is a risk transfer mechanism for certain, defined events. It can also support risk reduction by promoting risk mitigation and prevention measures by insureds.
Cyber risk insurance is no different. Cyber insurance assists the insured with the financial costs associated with a cyber event. Some of those financial costs are outlined under “what could happen to me or my business” above and “what does cyber risk insurance cover?” below.
What does cyber risk insurance cover?
Not all cyber insurance is the same. The scope of cover offered by each insurer is outlined in full in their policy wording.
As with any type of insurance, we strongly recommend that you read and understand the policy wording before buying insurance. If you have questions about the cover offered, you can seek advice from your broker or an independent legal adviser.
Cyber insurance can cover first and third party losses. First party losses are losses suffered by the insured. Third party losses are losses suffered by a third party because of the actions of the insured, and for which the insured is (or may become) legally liable to compensate the third party.
Note that a cyber event may trigger a response from some other commercial insurance policies.
Some insurance policies also provide enhanced benefits such as a retained response team of IT, legal and public relations professionals, who are on standby to respond to an event as soon as it happens.
As above, always check the specific wording of an insurance policy to understand the level of cover afforded.
What is ICNZ doing about cyber risks?
Education about risk, how to manage risk, and how insurance can be used as a tool to help manage the financial consequences of risk are matters of strategic importance to the insurance industry. This approach is no different for emerging risks, including cyber risks. ICNZ also acknowledges the recent growth in cyber security issues, and so in late 2015 ICNZ’s Board agreed to establish a dedicated cyber risks standing committee. The committee has been tasked with developing thought leadership on cyber risks, promoting cyber risk literacy, and engaging with cyber risk issues as they arise.
What is the New Zealand government doing about cyber risks?
Government has established a cyber security initiative, Connect Smart, out of the Department of Prime Minister and Cabinet. In 2015, Connect Smart also produced a national cyber security strategy and action plan.
In May 2016 Government also announced that it would be establishing a computer emergency response team (CERT NZ) as a public-private sector collaboration out of the Ministry of Business, Innovation and Employment.
The CERT is intended to be a first port of call for businesses who have suffered (or suspect they have suffered) a cyber incident. The CERT will triage the incident and provide referrals to further services. The CERT will also be establishing a set of cyber hygiene standards for business, akin to the United Kingdom’s Cyber Essentials Scheme.
You can access more information about Connect Smart and the proposed CERT under “further links and contacts” below.
Further resources and relevant contacts
– New Zealand Government’s cyber security initiative www.connectsmart.govt.nz
– the Insurance Brokers Association of New Zealand. Most commercial insurance policies in New Zealand are intermediated: that is, sold through a broker or underwriting agent ibanz.co.nz
ICNZ members currently offering standalone cyber insurance policies include:
(please contact Scott Galloway, Lloyd’s general representative in New Zealand, on (04) 472 7582 or firstname.lastname@example.org)
The Cyber Risk Insurance Forum has a very useful glossary of commonly-used terms for cyber risks and cyber risk insurance.