Cyber attacks and the insurance response

New Zealand’s stock exchange, NZX, recently suffered cyber-attacks on six consecutive working days.  The attacks left it unable to facilitate trading in shares, in its debt market, the Fonterra shareholders’ market and derivatives market, although participants remained able to conduct direct, negotiated trades. The NZX attack is typical of cyber-attacks against businesses which are becoming increasingly common.

What do these attacks involve?

The attacks were “distributed denial of service attacks” or DDoS.  Cyber criminals carry out DDoS attacks by taking over processing capacity on thousands of private computers, usually without their owners’ knowledge, by infecting them with ‘malware’ that causes them to operate as a “botnet” or network of “bots” which carry out the criminals’ instructions. The infected computers are known as “zombie” computers.  The criminals instruct the zombie computers to send packets of data to flood targeted companies’ websites, servers and networks with volumes that they are unable to accommodate.  The computers do not have to be personal devices; in 2016, around 190,000 internet-connected cameras were infected and used to conduct a large-scale DDoS attack that affected large parts of the internet on the eastern coast of the US.

A DDoS attack is challenging to repel because the target does not wish to bar access to legitimate users, but it cannot know until the attack begins whether computers that are sending it data are zombies or legitimate users.  The zombies’ IP addresses must be identified and their data blocked at the internet service provider level.

How serious a problem is this?

DDoS attacks are increasingly common.  Recently, in New Zealand alone, cyber criminals attacked the websites of Westpac and TSB banks (although it is unclear whether the latter was a DDoS attack), MetService and the Mount Ruapehu skifield car parking website, and they have also attacked the media firms Stuff and Radio NZ.

The Government Communications Security Bureau estimates that, since 2016, it has prevented $100 million in loss and damage from cyber-attacks, although this figure will include many forms of attack.  It provides assistance to private companies, although it does not release names of those who have suffered attacks because it wishes to encourage them to report them when they occur.

Crown cybersecurity agency Cert NZ recently issued an alert about DDoS attacks or threatened attacks by people identifying as Russian, who were targeting financial businesses in New Zealand.  Cert NZ reported that, in 2019, they received 84 incident reports about DDoS attacks, including where criminals had emailed companies to threaten a DDoS attack unless they paid a ransom before a deadline. In some instances, the criminals carried out a demonstration attack against the company’s IP network to prove their capability and intent.

What losses do victims suffer?

Typically, criminals who carry out DDoS attacks request a ransom payment to prevent the attacks in the first place or to cease attacks and not carry out any more.  The GCSB Minister, Andrew Little, identified that NZX received a ransom demand before its DDoS attacks, asking for a large payment in bitcoin.  It is not known whether any New Zealand victims have paid ransoms, but companies overseas are reported to have done so.  Cert NZ recommends against paying ransoms on the basis that this could result in the victim being targeted again, but it must be tempting for a company that is struggling to deal with an attack to pay up.

In most cases, the greater loss is to businesses where a DDoS cyber attack prevents them from providing services to customers, so they lose income due to downtime.  Victims may incur liability to customers if their inability to provide services, such as an inability to allow customers access to their data, causes their customers to suffer loss.  Victims also typically incur significant consultants’ costs in closing down the attack and reinstating their systems, and also in bolstering their defences against future attacks.  There are also intangible losses such as damage to reputation.

Losses may be very substantial for companies that are highly dependent upon internet business.  A DDoS attack in 2017 against Dyn, a service that directs web traffic, impacted Twitter, Airbnb, Netflix, Spotify and a number of other major websites as well as many smaller businesses, and resulted in estimated losses of US $110,000,000.  The Reserve Bank of New Zealand has estimated that cyber-attacks against the banking and insurance industries could reduce their profits by about 2-3% p.a., which while small as a percentage, is nevertheless a very substantial amount.

Because of this, governments are taking the threat seriously.  The Australian Government has promised to spend A$1.66bn over 10 years to strengthen cyber defences.  In the UK, Pool Re, which is a Government and private insurer response to the challenges of insuring for the large potential liabilities resulting from terrorism risk, expanded its cover in 2018 to cover material damage and business interruption from cyber terrorist attacks, reflecting the large potential for loss.

How do insurance policies respond to these losses?

Business Interruption policies will not normally cover losses caused by cyber crime, whether from DDoS attacks or otherwise.  There are two reasons for this:

  • Many Business Interruption policies expressly exclude cover for losses resulting from cyber events; and
  • Business Interruption policies normally respond only to loss of revenue that results from damage to property that is insured under a material damage policy, with limited extensions for causes such as acts of public authorities. While it could be argued that DDoS attacks cause damage to networks and other IT equipment, the equipment is often not owned or insured by the business that suffers the loss and it may not be damaged.

Most businesses are therefore turning to specialist Cyber policies to protect them from at least some of the types of loss that may be expected to result from DDoS attacks.  This cover may include the following:

  • Cover for the consultancy and equipment costs of remedying the breach, such as the cost of replacing lost data and equipment or other services
  • Cover for liabilities incurred to customers and third parties
  • Cover for legal and consultancy costs
  • Cover for extortion costs
  • Cover for PR and communications costs to protect reputation, which may include liaising with affected customers and third parties
  • Regulatory fines and penalties

Some exclusions may apply:

  • Some policies are limited to attacks that are directed against an insured business specifically, whether against its own systems or its provider’s. The insured must be targeted rather than being a random victim.  Other policies are broader
  • Some policies do not cover the insured business’ own lost revenue or profits although they may offer this as an optional extension. Where it is offered, it may be worth taking out for a business that is likely to suffer a loss in revenue from a DDoS attack

This is a developing area of insurance and Cyber policies are frequently being updated and revised to reflect new issues and new risks.  Some questions to consider when considering Cyber insurance are the following:

  • Will your Cyber policy cover Business Interruption loss?
  • Will your Cyber policy respond to a denial of service attack that is aimed at a third party’s network or services but nevertheless interrupts your business?
  • Are you covered for fines or penalties?

All businesses should undertake a risk assessment to understand their vulnerabilities in the event of a DDoS attack and what losses they may suffer.  This will assist them to consider their Cyber insurance with their broker.

Who can help