CERT NZ reported at the end of 2022 that the number of reported unauthorised access incidents had risen by just under 30% in the third quarter of that year, having been relatively stable for the previous four reporting quarters. Forbes magazine recently reported a prediction by Cybersecurity Ventures that the global cost of cybercrime will reach USD8 trillion in 2023 and will grow to USD10.5 trillion by 2025.
The scale of the risk to insurers was brought home in November last year, when Australia’s largest health insurer, Medibank, reported that it had suffered a large data breach in October that involved personal medical information of around 9.7 million customers, although it was reported that the data did not link customers’ names with medical details. This cyber breach caused its share price to fall significantly and resulted in a class action lawsuit on behalf of affected customers, which Medibank has said it will defend.
Insurance companies, along with banks, investment funds and other financial institutions, are particularly attractive targets because of the rich rewards on offer to cyber criminals. Because of this, the financial sector ranks second only to health organisations for damaging data breaches. The head of ANZ Bank’s institutional bank, Mark Whelan, said recently that he saw cyber attacks as the single biggest issue or threat facing banking today.
At the time, ANZ Bank was receiving 8 to 10 million attacks each month. With cyber-crimes increasing in number, sophistication and severity, it is increasingly important for businesses to protect themselves as much as possible. Self-evidently, this involves putting appropriate IT systems and procedures in place to ensure that systems are secured to the greatest extent practicable and, crucially, ensuring that staff are appropriately trained.
Our associate firm in Australia, MinterEllison, recently issued its annual cyber risk report, in which it noted that the practice of testing data breach response plans at least once a year has increased from 34% to 55% of respondents. The increase is welcome, but it is not enough.
Increasingly, adequate protection will also involve taking out appropriate cyber insurance to protect against business losses and liabilities to third parties from cyber events. Cyber insurance, however, poses increasingly complex challenges for insurers, brokers and insureds. Insurers, who value predictability to inform them as to which risks to insure and to set premiums, are aiming at a moving target with cyber crime as they strive to assess risks accurately and set premiums appropriately. At the same time, insurers can afford to be selective, as demand for cyber cover increases while insurer capacity and appetite for cyber risk reduces.
Key risks and strategies to respond
MinterEllisonRuddWatts hosted a cyber risk breakfast at which leading professionals from the insurance (AIG), insurance broking (Aon) and IT security (Datacom) industries offered their thoughts and shared their experiences of the developing risks and the place of cyber insurance. We added our thoughts about the legal risks presented by cyber events and the appropriate legal responses.
The key take-outs from that event included the following:
- New Zealand is a soft target – our small size and geographical isolation lulls us into a false sense of security. This is wrong, as cyber crime may be committed from anywhere, so it does not matter where a victim is located geographically.
- Ransomware claims increased 150% from 2018-2020 (although there are indications that the number is beginning to plateau) and comprised one in every five claims. They are increasingly sophisticated, with bad actors now taking the time to identify the most crucial data to enable them to target their attacks for maximum damage and effect. Losses include ransom costs, event management costs such as IT costs, network interruption losses, regulatory actions and customer claims.
- There are two key ways to address cyber risk – mitigation and insurance.
- Good IT ‘hygiene’, doing the basics (such as prompt installation of patches) well and quick responses to cyber events are critical. Remote working increases risk.
- Many organisations run legacy systems with inadequate security. Insurers are asking increasingly detailed questions of insureds and will decline to offer cyber cover to insureds with inadequate security. Cyber insurance cover is becoming a mark of quality for organisations as insurers will only cover firms that have good security technology and practices.
- Losses from cyber crimes include the victim’s own loss and damage (operations are halted, money may be stolen), liability to customers and third parties (whose data may be released or misused), and regulatory action and fines. Victims should make no admissions, take prompt steps to recover systems, involve insurers at the outset and take appropriate advice. More recently, it appears that cyber criminals are viewing data breaches as the most attractive and rewarding form of attack upon insurers. Insurers hold sensitive and confidential information about their customers, so they may be tempted to pay large ransoms to prevent stolen customer information from being disclosed, although Medibank reported that it would not pay a ransom. Payment diversion scams, which often begin with data breaches that inform criminals about transactions that may be diverted, will also put insurers at risk, such as where large claim payments are to be made.
Threats have been increasing, although their number and severity may be plateauing
There has been no let-up in the onslaught of cyber-crime. In June 2022, Forbes magazine reported that a research company had found that there had been an increase of 50% per week in cyber-crime attempts on corporate networks globally in 2021 from 2020. The FBI’s Internet Crime Complaint Center issued a public service announcement in May 2022, reporting a 65% recorded increase in identified global losses between July 2019 and December 2021. As outlined previously, CERT NZ is also receiving increasing numbers of reports.
The New Zealand Government’s Budget for 2022 reflected an increasing concern about cyber-crime. It provided approximately NZD50 million in additional funding over four years for the GCSB to combat cyberattacks and engage in counter terrorism activity, aiming to protect information services from the increasing frequency and severity of cyberattacks.
Cyber insurance is increasingly challenging to obtain
Insurers are responding to the rising risks and costs of cyber events with increasingly detailed assessments of insureds’ IT systems, while in some cases also reducing cover limits and increasing premiums. One major New Zealand insurer has dealt with the additional complexity required by the assessments by introducing a ‘smart’ cyber questionnaire in which an insured’s answers to the initial questions trigger different or additional questions, depending upon the responses. Other New Zealand insurers have reduced limits significantly or have withdrawn cover altogether. Large firms, such as those with revenue over NZD100 million, are facing particular scrutiny, as they present an increased perceived risk as more attractive targets to criminals.
The complexity of insurers’ questionnaires and their importance means that IT departments must be well prepared and resourced to answer them. This should be done well in advance of the cyber insurance renewal date, as the time commitment is significant and answers often need to be drawn from different sources. IT departments may realise as they work through the questions that the answers they would give will not satisfy insurers, so it may be necessary to take remedial steps urgently so that a more satisfactory response can be given.
An additional challenge is that insurers are conducting their own security reports and scans of an insured’s systems. Whereas previously, insurers might have accepted insureds’ responses uncritically, many now test and challenge them. Insurers will often share reports with the insured, and sometimes insureds and their brokers will need to challenge aspects of an insurer’s report that may not tell the full story.
A key lesson for brokers and insureds is that ‘wrong’ answers to questions asked by insurers may have significant effects upon their willingness to offer or renew cyber cover. It is crucial that insureds provide a full explanation of any responses that might not tell the full story. For instance, insurers expect to see multi-factor authentication as a core requirement for access to an insured’s system. This means that any circumstances in which multi-factor authentication may not be used, such as where there are other security systems in effect, will need to be explained.
Brokers and insureds need to prepare for their renewals with a full appreciation of the time and work that is likely to be required to present a compelling proposition to a cyber insurer. Insureds will also need to be prepared to consider reductions in cover or moving to different insurers as capacity and limits change.
Insurers, for their part, will need to continue monitoring claims closely and adapting quickly as cyber criminals change their approaches and the threat landscape develops. Cyber insurers will increasingly need to provide a proactive, advisory service to assist brokers and insureds to understand what their requirements will be and enable insureds to satisfy their expectations, rather than confining their role to a reactive response.
Insurers’ reliability and consistency is increasingly valued
The cyber insurance market has been relatively volatile until recently. Some cyber market leaders in New Zealand in 2020 had reduced capacity in 2021, while others offered new capacity to help meet the resulting demand. Brokers reported that many customers were obliged to place cover with new insurers. This further added to the burden faced by insureds’ IT departments as they were asked to respond to multiple insurer questionnaires.
We expect that insureds will increasingly value stability and consistency in their cyber insurers and may prioritise those characteristics over price and cover limits.
Cyber insurance continues to offer real value
While cyber insurance is increasingly challenging to obtain, brokers report that it continues to benefit insureds. They report that, perhaps because of the care taken when it is arranged, it features a relatively high claim acceptance rate compared with other types of insurance, so notwithstanding the cost and time investment required, it is worthwhile and provides a real benefit.
Cyber insurance also remains one of the few insurance products that assists insureds to prevent claims. Insurance assessments are often valuable tools to identify security weaknesses and remedy them, as insurers often have up to date knowledge of the latest risks. Cyber insurance discussions can therefore benefit insureds by assisting them to improve their systems and remove vulnerabilities. There is also the additional benefit that cyber insurance provides a badge of quality, as it demonstrates that an insurer has assessed the insured as a good risk. For professional services firms in particular, whose own customers are increasingly demanding reassurance as to their cyber defences, this is likely to be increasingly important.
Cyber insurance provides a badge of quality, as it demonstrates that an insurer has assessed the insured as a good risk.
