Cyber threats

An increasing risk requiring a multi-faceted legal response

Cyber-attacks on businesses and other organisations are on the rise as is the damage they cause. Cyber-crime is now thought to have surpassed all other types of crime combined. It is no longer unusual to read of a major cyber-attack that has caused significant disruption, often to a ‘household name’ firm or organisation.

In the past year alone, the Reserve Bank of New Zealand, the Waikato District Health Board, users of Microsoft Exchange, Air New Zealand via its passenger processing system provider SITA, NZ Post, Inland Revenue, MetService, Kiwibank and ANZ have all been the targets of cyber-attacks, resulting in varying degrees of disruption and damage.

Perhaps the most significant of these was the attack in May 2021 upon the Waikato DHB, which threw the public health system in the Waikato region into disarray. This left the DHB unable to manage and carry out routine medical procedures, resulting in cancellations of many patient procedures. The DHB eventually resorted to manual record-keeping and workarounds, including transferring a number of patients to other regions along with their clinicians. A month later, while some services and systems had been restored, many had not and there was still a long way to go.

The most significant development has been the increasing prevalence of ‘ransomware’ – software that infects a system and encrypts files which cannot be accessed until a ransom is paid for a decryption key. In most cases, ransomware gains access to systems through ‘phishing’ emails in which staff click on a link to a fraudulent website. Cyber criminals increasingly take time to review data after gaining access, to identify the most valuable or sensitive data and the most critical systems, before making a targeted attack. When this approach is taken, ransom and extortion claims are typically much higher.

Typically, businesses are unable to operate properly for between 7 and 10 days following a cyber breach, although as the DHB has shown, the effects may last much longer.

These incidents illustrate the risks that New Zealand organisations face from cyber criminals and the disruption and damage their actions may cause. The nature of cyber-attacks means that national borders are meaningless. New Zealand organisations are as likely to be targeted as those in larger countries.

A technical perspective

Cyber-crime is low-risk for offenders because they operate remotely and remain anonymous. Cyber criminals usually either steal users’ or their customers’ data or deny users access to data or systems. In either case, they usually demand ransoms and threaten to release or delete confidential data if they are not paid. Information about the amounts paid to cyber criminals is difficult to find because most organisations do not publicise their ransom payments, and their insurers are also reluctant to share information – but the crimes would not be committed if they were not profitable.

Some technical experts warn that New Zealand is a soft target for cyber criminals, because we have become accustomed to thinking of ourselves as outside the main areas of commerce and criminal activity because of our geographical isolation. This means nothing in a cyber-connected world, in which New Zealand is as exposed as anywhere else to cyber criminals. Our naivety makes us an easier target than countries that are more accustomed to defending their organisations from fraud and crime.

Organisations are now more exposed than ever because of the changing ways in which we work. Remote working is increasingly common, which means systems are more frequently accessed remotely through personal connections that are more difficult to monitor and secure. Organisations increasingly allow customers into their business processes through shared portals, online logins and other means which create further points of entry.

Experts advise that getting the technical basics right is important. Up-to-date software patches, identity verification, email security, multi-factor authentication and device security are all important. CERT NZ’s top 11 suggestions for cyber security are a good place to start.

Staff are weak links and must be trained and tested often so that they do not fall victim to ‘phishing’ or ‘trojan’ attacks. A managed EDR (Endpoint Detection and Response) solution to protect devices is also critical, as compromised devices are a key route to unauthorised access to a network.

Organisations can take steps to protect themselves from legal risks during and immediately following a cyber-attack. These include:

  • Take prompt steps with appropriate IT assistance to mitigate any loss.
  • Make no admissions about the adequacy or otherwise of cyber security arrangements or any other matter. Expressions of regret that an incident has occurred may be appropriate but take legal advice first.
  • Consider taking PR advice. Your insurer may pay for this as well.
  • Before an attack, make sure that you have sufficient visibility of your technical environment and have tools such as EDR already deployed so that you are ready to respond.
  • Involve insurers at the outset. They will often have a pre-approved panel of IT specialists and lawyers who can help. Take their advice early. You can make things worse by trying to deal with the issue yourself.

The legal impact of cyber-attacks

A cyber-attack or cyber security breach will inevitably require a legal response as well as an IT response. The following legal claims and issues often arise:

  • The target organisation suffers its own losses – money is stolen through payment diversion schemes or data is stolen or locked up so that it cannot be accessed, and normal operations are affected. This causes financial loss to the target.
  • The target organisation incurs liability to customers or other third parties such as those whose personal information is released. Customers’ money may be lost, or their data locked up or released to the public.
  • Regulatory action by the Privacy Commissioner, the Financial Markets Authority or other regulators may result in defence costs, fines and penalties. The new Privacy Act allows for class actions to be brought against a company in the event of a privacy breach. As discussed on page 15, the Privacy Commissioner issued a privacy compliance notice to RBNZ as a result of its recent cyber-attack.
  • These losses could potentially lead to actions by shareholders against directors if they have not put effective cyber security in place.

The role of insurance

Cyber-attacks usually result in insurance claims. These can be complex, because they touch upon multiple aspects of insurance cover. Insurable losses may include the following:

  • Extortion and the cost of paying ransoms.
  • Event management costs – IT forensics and legal counsel are required to respond to technical and legal issues.
  • Potential customer claims.
  • Network interruption losses – business interruption loss of profit.
  • Security and privacy – regulatory actions, defence costs and fines.

These losses may result in claims under the following types of insurance policy:

  • Professional indemnity policies. These may provide cover for claims by customers and others who suffer loss as a result of negligence that fails to prevent a cyber-crime. Increasingly, however, professional indemnity policies exclude cyber losses.
  • Cyber policies. These primarily provide cover for losses to the insured’s own business and costs incurred in responding to the event, but they also usually provide some third party liability cover.
  • Statutory liability policies. These may provide cover for fines, penalties and defence costs.
  • Crime policies. These may provide cover for losses caused by cyber-crime.
  • D&O insurance is potentially relevant if there is a possibility of claims against directors for failing to take the necessary protective steps.
  • Business interruption policies do not normally provide useful cover, because the necessary element of physical damage is not present.

Cyber-attacks are increasingly expensive for the insurance industry, so insurers are asking detailed questions of insureds and they will not generally offer cyber risk insurance to organisations that do not have adequate cyber security systems. Even if insurers are prepared to offer cover, the price will depend on the security environment.

Insurers are looking particularly carefully at the following factors:

  • Types of businesses and exposure to cyber-crime – whether they are likely to be a target. At-risk organisations hold customer data, have access to other parties’ systems or data as part of the service they provide or are information conduits for service providers.
  • Whether the deficiencies and controls of a prospective insured’s business resemble those of previous victims, to gauge whether the prospective insured may be vulnerable.
  • Capacity to insure in certain areas.


One advantage of cyber insurance is that it helps organisations to identify weaknesses in their systems and it encourages them to increase investment in security to reduce premiums. From a business perspective, the fact that an organisation has obtained cyber insurance may become a mark of quality of its existing security measures which may be a selling point for customers.

What should organisations’ boards and managers do?

We recommend that boards and managers consider the following to guard against increased cyber risk:

  • Be aware of their organisation’s key information assets and the risks to those assets. A cyber risk dashboard should identify key risks to the organisation and what is done to mitigate them.
  • Identify acceptable and unacceptable risks and plan resourcing accordingly.
  • Demonstrate leadership, provide support and ensure that sufficient resources are made available to maintain and develop the necessary IT protections and provide sufficient ongoing training and testing to create a culture of cyber security.
  • Ensure that reporting is non-technical and understandable, with necessary context such as trends, progress, a risk matrix and financial metrics. Consider a progress dashboard, which may include criteria such as patching and vulnerability scanning, phishing simulation click failures by staff and cyber security training compliance. Consider asking questions about key risk mitigation strategies, which include patching (in particular how long it takes for patches to be applied), multi-factor authentication, backup strategy including protection of backups from ransomware and ease of access, and scanning for vulnerabilities.
  • Ensure that a robust plan is in place to deal with incidents if they arise. Test the plan regularly.
  • Consider all risks and ensure that adequate insurance is in place.

Directors and executives should also be alive to the prospect of representative (or “class”) action proceedings. The risks discussed in this article commonly arise in businesses with large customer bases, many of whom could suffer loss as a result of a breach of duty or compliance failure. With the courts rapidly developing their own means of dealing with group litigation, and the Law Commission due to present recommendations about their management this year, we can only see the risk of these types of actions increasing in New Zealand. One standout feature is that any statutory regime ought to facilitate easier access to the court system by a greater number of prospective plaintiffs. This, in turn, ought to feed into directors’ and executives’ quantification and weighting when allocating resources to risk mitigation and elimination. In the past, risks like those discussed in this article might have been perceived as unlikely to result in material claims. With increased regulator oversight, and the likelihood of a more accessible route to combined claims, these risks deserve a greater focus.
