Over the last two years New Zealand (NZ) insurers have seen a significant increase in the number of notifications and claims for cyber attacks.
In this article we identify what cyber risks Kiwi businesses are currently facing, how businesses can manage this risk, and what cyber insurance can do to assist.
Criminal and state-sponsored cyber attacks
Our country’s main cyber risks are criminal and state-sponsored in origin, with phishing and credential harvesting the most reported incident category according to the Government’s Computer Emergency Response Team (CERT NZ).
CERT NZ says these types of attack make up over 50% of all incidents reported to the organisation. Given the dominance of small and medium enterprises (SMEs) in the NZ landscape, there is a high volume of low-level cyber incidents.
Most losses are suffered by organisations and individuals through scams, phishing, and credential harvesting, each of which is perpetrated for financial gain. These include social engineering (such as “romance scams”) as well as sophisticated email intrusions that result in the misdirection of funds, especially for property settlements.
Overseas scams and attack targets
For businesses in the corporate space, NZ follows global trends with ransomware being at the forefront of loss causes. These attacks are from varied sources but largely originate offshore.
In light of present geo-political factors (including Asia-Pacific trade route and military tensions, and the Russia–Ukraine war), state-sponsored cyber activity regularly affects NZ’s nationally significant organisations.
This includes distributed denial-of-service (DDoS) attacks, in which an attacker floods a server with a vast amount of traffic so that legitimate users can no longer access a digital service, against NZ’s stock exchange, several banks, power companies, state-owned enterprises, and telecommunications companies.
DDoS attacks have sharply increased over the last five years, with criminal gangs using DDoS attacks, or the threat of them, to extort ransoms that are usually payable in cryptocurrency.
Cyber attacks look more like us and play with our emotions
New Zealand follows the global trend of greater frequency and severity of attacks.
The intricacy of phishing attempts has increased, with NZ individuals and businesses being targeted by schemes that are more “localised,” including phishing emails written in te reo Māori. There are also convincing campaigns impersonating banks, charities, IT firms, and government agencies.
In the past few years, CERT NZ received reports of email phishing attempts designed to prompt a strong emotional response, including fake relief efforts for Ukraine.
Due to pandemic restrictions, many businesses were not equipped or adequately secured when forced into remote working. This provided a significant opportunity to exploit deficiencies and weaknesses, and has played a significant role in the increased number of cyber attacks over the last two years.
Protecting your business
With all of these types of attack, a robust IT system is crucial. However, we are seeing most cyber incidents exploit the individuals in a business rather than its systems. It is therefore equally important to have processes in place, supported by regular training, so that staff can recognise when a breach has occurred and know how to respond to it.
CERT NZ has recently issued a helpful incident management guide. Its key recommendations centre on risk assessment and on ensuring that businesses have an incident plan in place in the event of a cyber attack.
Insurance has an essential role to play in the current environment in mitigating the practical and economic risk of a cyber attack.
Cyber insurance in NZ generally provides cover for network security breaches and for privacy and confidentiality breaches. The cover will often pay for the cost of first-response professionals to investigate and restore the IT network, along with loss of income and the payment of fines and penalties arising from privacy breaches.
Looking forward, we expect changes to the insurance cover available for extortion or ransom events. The traditional approach is to exclude cover for terrorism. However, with the growing increase in state-sponsored cyber terrorism, we would expect the definition of a cyber attack in policy wordings to change what is included. State-sponsored cyber attacks are likely to fall within the exclusions of cover moving forward.
The uptake of cyber cover in NZ is still well behind Australia. This is perhaps not surprising given our mandatory privacy reporting obligations have only been in place since the inception of the Privacy Act in 2020. Subject to changes in underwriting criteria for some businesses, we expect that there will be a growing uptake of cyber cover over the next year.
New baseline set for cyber insurance
Over the past 24 months, the local cyber insurance market has undertaken a significant adjustment. A new baseline has been set with regards to premium, deductible levels, coverage availability, capacity, and underwriting rigor.
There are now certain baseline criteria to obtain cyber cover, which include:
- the use of anti-malware software;
- backing up data regularly;
- the use of multi-factor authentication and a VPN (when working remotely);
- ensuring that software updates are actioned regularly; and
- updating default credentials.
While meeting the underwriting criteria needed to obtain cover can be challenging, because each insurer has its own requirements, there is still good cover, and capacity for cover, in the NZ market. Some businesses may need to change how they operate in order to obtain cyber insurance cover, and businesses may see an increase in the premium they pay for it.
Cyber insurance risks
Ensuring you understand your cyber risk, and planning for a cyber attack, is now essential for NZ businesses. It is not a matter of if, but when, a cyber attack will occur. Not only will this planning assist in the prevention of an attack, but it will also demonstrate to insurers that you are a risk they are prepared to underwrite.
If you have any questions about your requirements, managing your obligations, or a breach please contact an expert in our Data Protection and Privacy or Insurance teams.
Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.