Cyber insurance a growing trend for NZ firms
More businesses are seeking out cyber insurance, but undertaking a risk assessment should be the first step. Tao Lin reports.
Cyber liability insurance is becoming more popular in New Zealand, but a leading cyber security expert warns organisations against jumping into buying insurance.
BDO national leader for cyber security Leon Fouche says because of the lack of reliable data, insurance companies are limited in their ability to develop robust risk modelling for the costs of cyberattacks, resulting in restrictive terms and exclusions in policies.
A number of considerations need to be taken into account, including the level of exposure to risk, what records are at risk (personal records, for example, are at a greater risk as they are more valuable on the black market), the nature of the business and the types of cyber attacks possible.
‘‘It’s more important to look at what’s not in the policy, than what is. It’s like any contract. You’re only going to get paid for what’s in the contract,’’ Fouche says.
Before choosing an insurance policy, organisations should do a comprehensive risk assessment, quantify those risks and then model the potential impact.
They should figure out who in the company is responsible for managing those risks, understand how effective current security systems are and work out what the appetite is to either pay an insurance premium, or accept the risk, Fouche says.
If a policy is selected, it is important for businesses to reassess their cyber risk regularly.
BDO has recognised the fastchanging trends and lack of data and is conducting a new cyber security survey.
It aims to identify current cyber security trends, issues and threats facing businesses in Australia and New Zealand.
Delta Insurance started offering cyber liability insurance in New Zealand more than two years ago and general manager Craig Kirk says New Zealand is up to two decades behind other parts of the world.
Kirk does not think the level of protection currently available in New Zealand is sophisticated enough, especially as no business is really immune from cyber crime these days.
‘‘New Zealand, in some ways, is more vulnerable than other countries. We’re seen as a soft target. The Kiwi mentality’s kind of, ‘She’ll be right’ and ‘Why would anyone be interested in what I’ve got, this is New Zealand’.’’
An internet security threat report from internet security products company Symantec showed New Zealand had the second-highest number of ransomware attacks in the southern hemisphere.
The report showed more than 100 ransomware attacks happened in New Zealand a day, which is a 160 per cent increase from 2014.
In Delta’s portfolio, 90 per cent of cyber liability claims are related to ransomware.
Kirk says the largest New Zealand breach he is aware of involved an ecommerce website and cost the company about $4 million.
Rene Swindley is a director for online business insurance provider Frankie and says the company has experienced more customer enquiries in the last three months than ever, but overall cyber insurance uptake is slow.
Swindley says cyber insurance will be a staple form of insurance, but nothing beats preventative measures, which can be as basic as getting staff to use proper passwords that are harder to crack.
‘‘[Proactive IT risk management] is better than any cyber insurance. If there’s a company that’s too relaxed about its approach to cyber security, we wouldn’t be providing cyber insurance for them.’’