NZ Business + Management

BEEN HACKED? GOING TO BE HACKED? DON’T KNOW YOU’VE ALREADY BEEN HACKED?

There's a quote which goes like this: “There are only three kinds of companies in the world – those who have been hacked, those who are going to be hacked and those who don't know they've already been hacked.” Management asked Ryan Clark, national manager liability at NZI, what CEOs need to know about cyber security.

New Zealand's corporate leaders are pretty well informed around cyber security issues. Are there any areas where you think there are gaps in CEOs' knowledge?

CEOs can sometimes rely too much on the advice of their IT department. While IT’s input is required, as a CEO you should also confer with other parts of the company, for example legal, to build a holistic picture of the company’s cyber security.

It sounds astonishing that more than half of NZ companies have had an attack of some kind, and others believe it’s likely to be even higher. Has that been your experience at NZI?

The New Zealand Government undertook a study earlier this year which found that 56 percent of Kiwi businesses have been affected by some form of cyber crime. In the six months since we launched our product we have assisted six clients towards a successful resolution of a cyber attack. Over this time we have also been made aware of a large number of uninsured cyber attacks that have taken place as well.

Internationally and locally, have there been instances where companies have been sued or prosecuted for their liability in their clients' personal information getting out through a cyber attack?

New Zealand legislation does not currently require mandatory notification from companies or make them answerable to their customers if there is a breach of personal data being held. However, there are a vast number of international examples (Target, Sony, Home Depot, TalkTalk to name a few) where companies have been both sued and prosecuted for loss of their customers’ personal information. These fines can be large; e.g. the EU directive can levy up to four percent of global revenue as a fine.

Do you think this is likely in the near future in New Zealand?

We understand that the Privacy Commissioner is currently reviewing the Privacy Act, and will likely introduce mandatory notification and harsher fines and penalties as part of the review. This will bring New Zealand in line with Australia, the United Kingdom, Europe and the United States.

Just how liable are companies for ensuring personal information is well protected?

In New Zealand, not much. Companies can voluntarily notify their customers that their data has been stolen or lost, but there is no legal requirement to do so. The Privacy Commissioner has little authority to impose any fines or penalties (around $5,000 is the maximum at present). If the customer is not content with that they can escalate the matter to the Human Rights Review Tribunal, which has the power to impose fines for breach of privacy of up to $30,000.

What do you believe are the best steps CEOs can take to ensure their company is as well secured as possible?

Education is the first step. CEOs should not feel under pressure to know everything about cyber security. They should learn from experienced staff within the company or seek independent assistance to gain a good understanding.

Don’t believe that your company is immune to a cyber attack.

Know how to respond quickly and efficiently to a cyber event. Business continuity plans are essential and should include cyber events. A company will regularly undertake fire drills; so why not a cyber drill?

Be mindful of BYOD. This is a great step forward in employee freedom, but comes at a price for security. Have good programmes in place to ensure that BYOD hardware is encrypted and secure.

Realise that not all information can be perfectly secure. Pinpoint critical information and systems, and ensure these areas are given the greatest attention for security.

Above all, create a culture of cyber security, from the post room to the C-Suite. To ensure these principles become part and parcel of everyday operations, it is essential that the CEO is actively involved, setting the tone, enacting an effective governance model and ensuring the right policies are created and adhered to, no matter how unpopular they are among employees. This cannot happen without actively engaged senior leadership. By following these basic security principles, security can become an enabler rather than an inhibitor, as many have traditionally seen it. Organisations will then be able to reap the benefits of the use of the latest interactive technologies in a secure manner to keep employees productive, shield themselves from harm and protect corporate reputations.

How can insurance help?

Like any insurance, cyber liability should be a backup rather than the answer. Good risk management and the points raised above should be paramount to a company’s cyber security strategy. Cyber liability policies are there to assist companies when things go wrong. The ability to call upon a panel who are experts in their field is the key benefit of having one of our cyber policies. Not every company in New Zealand will be able to afford to engage with the likes of PwC, Deloitte, DAC Beachcroft and Porter Novelli, but by purchasing a policy as a customer you will instantly have access to the heavyweights if/when the need arises. This ensures that the company is able to get back on its feet as quickly as possible and with the minimum impact to its income and its reputation.

Can you point to any experiences your clients have had?

As a ransomware example, an engineering firm noticed they were unable to access their files; shortly thereafter an alert was received informing them that 55GB (32,547) of files had been encrypted by a cryptolocker virus and that payment of a ransom was required to remove the encryption. The firm contacted our dedicated cyber 0800 number and our advisory services worked with the firm’s IT service provider, enabling file restoration and normal business activities to resume. Costs of the ransomware attack are nearing $20,000. Our experts (PwC & Deloitte) advise us that paying the ransom puts the insured at risk of being targeted by subsequent ransomware attacks, as they become known “payers” and this information is leaked on the black market (darkweb). Despite the forensic cost of the remedy far outweighing the value of the ransom, we see this as an investment in the future cyber security of our clients, and to minimise the likelihood of them falling victim to another attack.

If there is one message you would like to get out to NZ's corporate leaders around cyber security, what would it be?

Build a culture and framework around cyber resilience. There will come a time when your company is impacted by a cyber event, so the ability to bounce back from that event and get back up and running quickly and with minimal impact to your bank balance and reputation will put you in the best position to survive and endure a cyber breach or attack.
