Businesses under attack but few have cyber insurance
New Zealand businesses reported more than 500 cyber attacks or breaches in the three months to June, costing more than $1.5 million, but less than 10 percent of businesses have insurance cover.
In a hearing to Parliament’s Justice Select Committee on the Privacy Bill, Insurance Council chief executive Tim Grafton said a register of data breaches, using aggregated, anonymised data, would help businesses and insurers get a better grasp on the scale and issues.
Currently, the availability of cyber insurance and the pricing of this type of cover was hamstrung by a lack of data about the severity and frequency of attacks and breaches, Grafton said.
Meanwhile, the attacks and breaches were being under-reported, and some businesses did not know they had been breached.
“The increasing pace of digitalisation brings with it increased accumulation of cyber risks. Almost all risks to individuals and society are capable of being managed through the transfer of some or all risks to insurers. Cyber insurance is therefore available globally to enable such risks to be transferred,” the council said in its written submission to the select committee.
CERT NZ – the Government agency that deals with cyber security issues – received 736 reports on cyber breaches or attacks during the second quarter - up 45 percent on the previous quarter.
Of those reported attacks, 507 were from organisations – 69 percent of all incident reports, and a 143 percent increase on the previous quarter.
CERT NZ operations manager Declan Ingram said it was impossible to know how many cyber security breaches went unreported in New Zealand.
However, most cyber security issues could be mitigated by businesses taking basic measures to improve their resilience, he said.
The Insurance Council said breaches were “grossly under-reported” in New Zealand, and a register, as well as mandatory reporting – as is the case in Australia – would help businesses and insurers better understand the problem.
CERT NZ released a quarterly report, similar to that released by the Office of the Australian Information Commissioner, as part of its notifiable data breaches scheme.
However, the Insurance Council’s legal counsel, Jane Brown, said a lack of awareness of schemes like CERT, no mandatory reporting of breach data, and embarrassment, meant breaches were under-reported.
Grafton admitted he had a vested interest in more businesses getting cyber insurance cover, but said it also helped New Zealand become more secure.
“Businesses are just totally under attack a lot of the time. Many would have no idea whether they’ve been infiltrated and have a dormant virus lying within the business ready to activate at some future time.”
Better reporting and more access to data would help enable informed underwriting and pricing of cover. When businesses applied for cover, they would also be asked about what steps they were taking currently to mitigate risk, making them think about their resilience and likely dropping the cost of cover.
Cyber insurance is one of the fastest-growing sectors of the the insurance sector. Insurer Chubb recorded there were 17 insurers selling cyber cover in 2007, generating $350 million in premiums a year. That number has risen to 65 insurers selling US$3.5 billion of insurance a year, according to The Financial Times.
And insurers are gearing up for massive payouts. Bloomberg reported last year the next ‘wannacry’ attack (the North Korean cyber attack that crippled several hospitals in the UK) could cost insurers US$2.5 billion.
Last month, Newsroom reported District Health Boards were paying tens to hundreds of thousands of dollars to insure themselves against cyber attacks, although the Ministry of Health did not have cover.
Some DHBs are fending off as many as six cyber attacks a second.
Liam Pomfret, head of cyber and professional indemnity at AIG New Zealand said some larger, international companies were covering themselves for “hundreds of millions”.
In Australia, the private health services sector was most affected by cyber attacks and breaches, followed by the finance sector, according to the Office of the Australian Information Commissioner’s quarterly report.
In New Zealand, the CERT report found financial and insurance services were most at risk, with 350 (69 percent) of the reported attacks last quarter. The technology sector followed at 7 percent.
There was also an increased number of phishing reports from New Zealand banks and financial services organisations contributing to the increase in reports for the financial and insurance sector.
Grafton said cyber insurance covered costs not covered by material damage or business interruption insurance. Generally, cyber insurance covered legal advice, technical advice, and brand protection.
Some policies also covered things like forensics, system repair, and business interruption.
Research undertaken by the National Cybersecurity Alliance in the United States found that as many as 60 percent of small to medium sized businesses fold in the six months following a cyber attack.
Financial penalties for breaching client privacy can be severe. The European Union’s GDPR, which came into force this year can fine firms 4 percent of global revenue or €20 million, whichever is greater.
Newsroom is powered by the generosity of readers like you, who support our mission to produce fearless, independent and provocative journalism.