Cyber space, in all its glory, has lead to the emergence of cyber threats – hackers, viruses, privacy breaches, intellectual property theft, identity theft and the list goes on.
Sony at the end of last year admitted to suffering a major cyber security breach when hackers erased data from its systems, and stole and released to the public pre-release movies, people’s private information, and sensitive documents.
Blogger Keith Ng exposed a major security flaw in the Ministry of Social Development’s system in 2012. He revealed that thousands of Ministry files containing the personal details of at-risk children could be accessed by the public through 700 self-service kiosks at Work and Income offices.
The Employment Relations Authority last year ordered a senior oil and gas engineer to pay damages and penalties of nearly $80,000 to his former employer, TAG Oil, for breaching his contract by downloading thousands of files containing company secrets about oil finds, before starting a new job with a competitor.
TAG claimed the information James Watchorn took from its New Plymouth office was worth millions and affected the company’s share price. Watchorn side-stepped a two and a half year jail sentence in relation to the incident, after he successfully appealed criminal convictions for dishonestly and illegally taking the information.
How real are the risks?
These high-profile multi-million dollar breaches aside, research suggests small and medium-sized enterprises (SMEs) are most exposed to cyber risk.
A report released by Delta Insurance in conjunction with Auckland University last month, ‘Safeguarding Business from Cyber Threats’, details how SMEs don’t believe they’ll be targeted, so aren’t taking precautions to protect themselves.
Delta managing director, Ian Pollard, says “More often than not, cyber risks are not just international espionage but include malware, botnets, viruses and even simple human error that can leave them exposed and facing a massive data restoration bill and huge loss of revenues as a result of a business interruption”.
He says it’s common to see a virus sweep through the 10 or so computers of a small office firm. The loss of revenue and cost of recovering the data could cost around $50,000 – enough to set a small business back.
The Delta report says cyber crime is New Zealand’s third most prevalent crime and costs the country up to $150 million per year.
A report released by insurance broker and risk advisor Marsh, ‘New Zealand Survey of Risk 2014’ ranked cyber risk as the second largest emerging threat facing New Zealand businesses over the next two years.
It says, “All New Zealand businesses are reliant on technology in some way, shape or form. Not having access to these systems or having client databases attacked can be crippling”.
It is in response to these threats that a handful of insurers in New Zealand and a number around the world are promoting the “need” for businesses in the digital age to take out specific cyber insurance.
What does cyber insurance do that other types of insurance doesn’t?
Cyber insurance can include cover for third party liability, hacker theft, business interruption, costs to restore systems after a breach, breach consultation services, breach response services, public relations expenses, network extortion coverage and data forensic expenses.
Pollard says most New Zealand companies wrongly assume they are covered for cyber threats by other types of insurance.
The Delta report, and another Marsh report released last month, ‘UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk’, explain this in more detail.
They say property insurance only covers physical damage to property rather than electronic data that is not physical in nature.
Business interruption insurance traditionally doesn’t cover cyber attacks that don’t cause physical damage.
General liability has exclusions related to the unauthorised disclosure of personal information.
And professional indemnity cover may be restricted to liability claims from customers only, so claims related to the disclosure of employees’ data won’t be covered.
ICIB Insurance Brokers managing director, Garry Mooney, believes cyber insurance isn’t simply another product insurers are trying to make a quick buck on. He says it’s a product ICIB encourages its clients to include in their mix of insurance.
He says cyber insurance has become more affordable, with businesses able to buy it for $500 or $1000.
Marsh executive director of financial and professional services, Fred Boles, adds the industry’s going through a “soft” cycle at the moment. Premium prices are lower, making it easier for businesses to re-jig their insurance to include cyber insurance.
He says the company has sold its cyber insurance product to a couple of hundred clients since it was launched two years ago.
Pollard won’t comment on the number of businesses Delta has sold its cyber insurance product to, but he and Boles say a range of entities have bought their products including SMEs, government departments, utility companies, financial institutions, retailers, wholesalers, professional institutions, and the media sector.
While there are only a handful of insurers in New Zealand that offer cyber insurance at the moment, Mooney believes we’ll see it packaged up with other types of insurance in a year or two.
Could a major cyber breach cripple an insurer?
Mooney says the issue preventing some of the major players in the insurance industry offering cyber insurance is that they don’t have the expertise to manage the claims.
“I think the major companies will eventually have to include cyber insurance as a part of their portfolios, and I know they are looking at it, but they need to make sure their ducks are in a row before they launch into the market.
“The last thing we want is for someone to write a package and not know how to sort the claim out.”
A Fitch Ratings report released last month, ‘The Rise of Cyber Insurance Growth Opportunity Paired with Incalculable Threat’ highlights the huge exposure associated with selling cyber insurance.
In a nutshell – a cyber breach has the potential to cost a company billions, and make its insurer insolvent.
It says, “One single [cyber] attack has the potential to affect a number of victims, unlike a natural or man-made catastrophe, that is usually limited to a particular geographical area”.
For this reason, cyber insurance products available in New Zealand are capped below $40 million. Delta will only cover businesses for up to $25 million.
The Fitch report says, “Growing cyber threats could pose a credit risk to Fitch’s rated insurance companies entering this market.
“Cyber risks have features that make pricing very difficult using traditional actuarial methods. Modelling of cyber risk exposures is still in its early stages and detailed incident data and claims experience is not largely available today.”
How are businesses protected by the law when it comes to cyber breaches?
The Delta report says the Crimes Act “lacks the jurisdiction and resources to deal with cyber-crime events that have originated from overseas locations. Given that most cyber-related events affecting New Zealand businesses have foreign origins and perpetrators, the Crimes Act would be unable to provide redress in such events.”
Furthermore, New Zealand businesses trading overseas are subject to overseas privacy laws, which they will be penalised for breaching.
Throughout Europe and some parts of the US, businesses have to notify their clients if they suffer a data breach. A New Zealand business may therefore be fined if they don’t abide by these standards, which aren’t included in the Privacy Act 1993.
Both Pollard and Boles say the Privacy Act urgently needs to be updated, so its in line with international standards.
Boles says combating cyber risks requires a partnership between the public and private sectors. He says the Government has a role to play warning businesses of cyber threats, and businesses have a role to play putting systems in place to mitigate risks.
He says insurance is the ambulance at the bottom of the cliff, or the last piece of the jigsaw.