STRATEGY – Do we need hacking insurance?

28 March 2017

In the drive to make our businesses more sustainable, purposeful and positive, many of us overlook cyber security. Until we get hacked. Could insurance work as a last line of defence for your business?

In a recent Directors’ Risk Survey, NZ bosses put cyber-attack as the biggest single threat to New Zealand businesses. According to global business advisor Grant Thornton, more than one in four businesses in New Zealand has faced a cyber-attack in the last year. The hackers destroy business infrastructure. They blackmail businesses by locking up vital information. They steal financial information and intellectual property. According to a survey by security software firm Symantec, financial losses as a result of cyber-attacks averaged $19,000 for smaller New Zealand businesses.

You can limit your business’ exposure to this threat. The basics are these:

  • Robust passwords that change regularly
  • Keeping all software, especially security software, updated
  • Not downloading programmes from untrusted sources
  • Not plugging in unknown and unchecked devices to your network

Make sure your people are aware of the risks. A recent IBM study found that human error was responsible for 95% of hacking incidents. In other words, somebody did something stupid, or something against the IT guidelines most serious businesses have.

It’s easy enough to do. Your kid wants help with a school project he has on a memory stick. He sticks it in your work laptop to show you, unaware that malware was installed on it from a free gaming site. In today’s hyper-connected world, the possibilities for a hack to worm its way in are endless.

The cost of a breach can be enormous. US retailer Target was breached in 2013. The breach is estimated to have cost the firm US$105 million after it had claimed its insurance and tax back from the situation. It triggered a fall in the company’s share price and the loss of senior staff.

In the US, the EU and many other jurisdictions, firms are legally obliged to notify the authorities and the public of serious security breaches. In the US this can include setting up call centres to deal with customer complaints. It can also mean dealing with credit rating agencies to ensure customers’ credit ratings are not compromised.

This is not compulsory in New Zealand, yet.

Guidelines from the Privacy Commissioner strongly encourage notification. There are plans to reform the Privacy Act sometime this year, which may well make notification and other responses compulsory. The cost of those will most likely fall on the companies breached.

One response to this is cyber insurance. It’s been around in the US since the early dotcom boom of the late ‘90s. It’s been here for a few years. Interest in it is ramping up along with awareness of the threats.

We talked to Andrew Beven from SBN foundation partner NZI.

“You can open the paper any day of the week and read about hacking attacks,” he explains. “It’s not just big corporates, it’s tradies, one-man bands, law firms, there are no prime targets.”

Some reports state that revenue from cybercrime is now greater than the worldwide illicit drugs market. Easy-to-use ransomware packages capable of locking up a company’s computer system can now be bought online as a kit. They cost less than $100.

This has led to a massive proliferation in online extortion. There are huge teams of hackers working in large criminal enterprises all over the world. They can be linked to other criminal gangs like the mafia, or even nation states. In response, the best cyber insurance covers businesses for the costs they might incur if they are attacked. It also covers any damage a breach causes to partner companies, clients, customers and other third parties.

“For us the most important part of the insurance is the panel of experts that sits behind it,” says Andrew. “Our customers get access to them via a hotline that is available at all times. We have computer forensic teams from Deloitte and PwC. Their job is to minimise the impact of the cyber-attack. They can get into the computer if they need to and flush out the malware from the system. The aim is to get you back up and running and operational as quickly as possible.”

Insurance packages can also cover legal costs associated with any privacy breach or leak of credit card details. Your insurance can pay a public relations company to minimise reputational damage. You can even claim on some forms of insurance to pay the ransom to get the bad guys to unlock your computers.

Andrew says that out of the 10 claims NZI has dealt with in the last year, eight were ransom demands. But NZI has not yet had to pay the criminals. Technical teams have been able to unlock things without having to pay up.

“That’s definitely the preferred option,” he says. “Our experts have heard that if you do pay a ransom you will potentially go on a list of payers to be shared and targeted again. What’s $1,000 the first time might be $5,000 the next and so on. It costs us more as an insurer to get in there and fix them than pay the ransom, as they are normally low numbers. But it’s better to fix it without paying the ransom as an investment in their future protection. By doing that we are ensuring they are not made more vulnerable to future attacks.”

NZI is particularly targeting SMEs and middle market players for insurance. But to get insured you first have to get the basics right. Otherwise it’s like trying to claim insurance for a car you abandon on the street at night with the doors open and the engine running.

Do you have a firewall and anti-virus security in place? Is it updated regularly (at least monthly)? If not, most insurers will walk away.

Do all the forms of portable media you use include encryption? This means all laptops, tablets, smartphones, memory sticks, DVDs and CDs. They should be protected by encryption, so a password is required to access the information. This prevents the information being misused if the device is lost or stolen. If you don’t have this sorted out, your insurance could cover less and cost more.

This is worth taking seriously. Years ago, I worked for the UK office of a large international NGO. One time a computer breach left about 70 of us twiddling our thumbs for two days. An overseas visitor had plugged in a portable memory stick to one of the computers in the office. He didn’t know it had malware on it. The virus infected and shut down the entire system.

Do you have a business continuity plan in place that includes cyber-security?

This should include regularly backing your computers up. This can be online or to another hard drive or disk. The key thing is that it is done often enough that you don’t lose too much information in the event of a breakdown. And the system should be regularly tested to ensure it is actually working. Don’t wait until you are trying to restore your business to discover that the back-up is bust.
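The “regularly tested” part is the step most often skipped, so here is an added example (not from the article or from NZI) of what a scheduled backup test can look like: take the backup, restore it into a scratch directory, and compare every file’s SHA-256 against the live copy. It assumes a POSIX shell with tar, find, sha256sum, cmp and mktemp (standard on Linux); the sample files in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: a backup routine that proves it
# restores before anyone has to rely on it. Assumes only POSIX sh plus
# tar, sha256sum, find, cmp and mktemp (all standard on Linux).

# make_backup SRC_DIR ARCHIVE -- compress SRC_DIR into ARCHIVE (tar.gz)
make_backup() {
    tar -czf "$2" -C "$1" .
}

# checksum_tree DIR -- one "hash  path" line per file, sorted so two
# trees with identical content produce identical output.
checksum_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort )
}

# verify_backup SRC_DIR ARCHIVE -- restore ARCHIVE into a scratch directory
# and compare every file's SHA-256 with the live copy. Returns 0 only if
# the archive unpacks cleanly and matches byte for byte; a truncated or
# corrupted archive, or one that no longer matches the data, returns 1.
verify_backup() {
    src="$1"; archive="$2"
    scratch=$(mktemp -d) || return 1
    status=1
    if tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        checksum_tree "$src" > "$scratch.expected"
        checksum_tree "$scratch" > "$scratch.actual"
        if cmp -s "$scratch.expected" "$scratch.actual"; then
            status=0
        fi
        rm -f "$scratch.expected" "$scratch.actual"
    fi
    rm -rf "$scratch"
    return "$status"
}

# demo -- build a constructed sample directory, back it up, verify it,
# then simulate a half-written archive and show the check catches it.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/accounts"
    printf 'invoice 1: $1,200\n' > "$work/data/accounts/march.txt"   # constructed
    printf 'customer list\n' > "$work/data/customers.csv"            # constructed

    make_backup "$work/data" "$work/good.tgz"
    if verify_backup "$work/data" "$work/good.tgz"; then
        echo "good.tgz: verified"
    else
        echo "good.tgz: FAILED verification"
    fi

    # A backup job that ran out of disk or was interrupted leaves a
    # truncated archive; it must never be reported as a good backup.
    head -c 20 "$work/good.tgz" > "$work/bad.tgz"
    if verify_backup "$work/data" "$work/bad.tgz"; then
        echo "bad.tgz: verified (this would be a bug)"
    else
        echo "bad.tgz: FAILED verification, as it should"
    fi
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh backup_check.sh demo` to see both outcomes. In practice the verify step belongs in the same cron job as the backup, with its non-zero exit wired to an alert, so a broken backup is noticed the day it happens rather than on the day of the restore.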

Like most things in business, it is a case of minimising the risk, and then insuring the rest.

NZI has a cyber insurance estimate tool, so you can get an idea of how much cyber insurance will cost your business. Visit nzicyber.co.nz/get-an-estimate.

You don’t need to be hacked to reveal too much

Just this week it was found that personal information from tens of thousands of customers of the Saks Fifth Avenue department store in the US had been publicly available in plain text online. This wasn’t a hack; it was just a clumsy way to set up the website. Keep an eye on your data: it’s what modern businesses run on.