A 2013 attack cost US retail chain Target US$162 million. The hackers stole data from as many as 40 million credit and debit cards. Photo / Bloomberg
Cyber attacks becoming new normal, writes Tim McCready
Cyber risk was rated as insurers' top concern over the next two or three years in a survey released last year by PwC and CSFI. That was up from 13th place in 2013, and 11th in 2011.
Among New Zealand insurers, natural catastrophes remain the biggest risk, but cyber risk -- at fourth place -- rated as a major concern.
The amount of data about clients that insurers keep on their systems -- including credit card information, medical details and underwriting information -- makes them prime targets for cyber-attack. For that reason, there is a high level of anxiety among insurers towards cyber risk, particularly software failure and data security breaches.
One Australian respondent acknowledged the level of the cyber risk. "We repel more than 20 serious attacks every day. Half of those we suspect are state-sponsored attacks."
As cyber attacks grow in number, scale and exposure, they are becoming a new normal for companies right across the spectrum. With that comes an increase in the number of cyber insurance policies issued globally. PwC estimates annual gross written premiums will increase from US$2.5 billion ($3.7 billion) today to US$7.5 billion by 2020.
The nature of cyber attacks means the geographical isolation that protects New Zealand's biodiversity is no barrier to cyber-related crime. Although the uptake of cyber insurance in New Zealand is rising, it is still low by global standards.
PwC's Global State of Information Security Survey showed that only 37 per cent of New Zealand respondents have cyber insurance, compared with 59 per cent globally, 56 per cent in Australia, and 70 per cent in China. Of those New Zealand organisations with cyber insurance, 25 per cent made a claim in the past year -- compared with 50 per cent globally.
It is estimated cyber crime has cost our economy $257 million in the past year, although any figure is likely to be conservative as businesses are often reluctant to disclose a cyber breach, and it is notoriously difficult to assess the true cost of an attack.
In the United States, the Target retail chain reported costs of US$162 million, after insurance payments, from a 2013 attack in which hackers stole data from as many as 40 million credit and debit cards.
To provide protection, insurers need to be confident their clients have appropriate internal defence systems to mitigate the risk of attack. Yet SMEs have traditionally been poorly equipped, lacking the resources and awareness to put the necessary security measures in place to protect their IT infrastructure.
Tim Grafton, chief executive of the Insurance Council of New Zealand, says "the problem in New Zealand is that the vast majority of businesses are SMEs that lack sufficient risk management processes within their governance structures to identify the need for cyber cover. Having said that, brokers are playing and can play more of a role in offering cyber as an add-on to the suite of offerings."
The Government is trying to address the lack of awareness and strength of cyber security through the Connect Smart partnership, a public-private collaboration launched in 2014, and its new Cyber Security Strategy.
The cost to a business from a cyber-attack can vary enormously depending on the industry and type of data breach. Costs may include a degradation of network performance, theft of physical devices, disruption of business, defacing a company website, forensic investigations, credit monitoring, legal fees, and even penalties for breaches of privacy as a result of not having sufficient protection in place.
Other, less tangible costs, including reputation and brand damage and the loss of privacy, intellectual property or classified data, mean that how to establish the cost of a cyber-attack is still largely unknown.
This uncertainty and the immaturity of insurance offerings mean insurers hold major concerns about underwriting risk for cyber security, and could be exposing themselves to massive losses.
Insurers lack the data required to understand how likely an attack is, or what it will cost when it happens. Attacks are quickly becoming more advanced, and risks increase as companies rely on cloud services to keep their data backed up.
Stroz Friedberg, a global leader in investigations, intelligence and risk management, has predicted that constantly evolving cyber threats, immature risk models, and an underdeveloped reinsurance market will cause premiums to increase over the next year. This is particularly relevant for companies operating in sectors considered high risk, including retailers, healthcare and finance.
This has been seen recently in the US, where an increase in the number of cyber attacks on companies has begun prompting insurers to hike premiums, raise deductibles and cap the amount of coverage available. This is forcing some high-risk firms to scramble for insurance cover.
AIG NZ financial lines manager Katie Young says, "We live and work in a time of constant innovation and increased connectivity, with a resulting increase in the complexity of networks and supply chains.
"At AIG, we've seen a growing awareness by businesses in respect of cyber exposures and this has increased demand for our cyber insurance policy. While we've been covering cyber risks for more than a decade globally, it is still a relatively new market for insurers overall.
"As claims data develops, adjustments to premiums and coverage could follow."
Grafton notes that a key point about insurance markets is that "premiums generally rise as the underwriting risk increases".
"In the context of cyber security, that will differ from insured to insured, but the exponential rise in connectivity and devices linked to the Internet of Things does raise the overall risk profile.
"Insurers, though, can cap their exposure through the use of limiting the sum insured, deductibles, exclusions etc."
With something so unpredictable as cyber security, the only certainty is that a proactive approach to protecting against cyber attacks is essential. After all, cyber insurance will only help recoup the costs incurred after an attack. Preventing a security breach -- and recovering from one after it occurs -- rests squarely on the shoulders of the business.
• US$2.5b: Global cyber insurance premiums today
• US$7.5b: Predicted cyber insurance premiums by the end of the decade