Cyber threats, insurance and the legal response
Cyber-attacks on businesses and other organisations are both increasingly common and increasingly damaging. It is no longer a surprise to read a news or business website and learn of a cyber-attack that has caused significant disruption and loss.
In May of this year, the public health system in Waikato was thrown into disarray by a large-scale cyber-attack upon the Waikato District Health Board which left it unable to manage and carry out routine medical procedures. The DHB was compelled to cancel many patient procedures and had to resort to manual record-keeping and workarounds. A number of patients were transferred to Tauranga or Wellington along with their Waikato clinicians. By mid-June, while some services and systems had been restored, many had not and the DHB reported that there was still a long way to go.
This incident illustrates the risks that New Zealand organisations face from cyber criminals and the disruption and damage their actions may cause. The very nature of cyber-attacks means that national borders are meaningless; New Zealand organisations are as likely to be targeted as those in larger countries.
In June this year, we hosted a Cyber Risk breakfast jointly with global brokerage firm Aon, with the title: “The changing risk landscape: corporate resilience for the rise of technology”. Four organisations provided different perspectives on cyber risk and the place of cyber insurance:
- Datacom provided a perspective from an IT security provider.
- AIG provided a perspective from a cyber insurer.
- Aon provided a customer’s risk perspective.
- MinterEllisonRuddWatts discussed the legal risks raised by cyber events and how to respond.
In this article we summarise these perspectives.
Cyber-attacks – a technical perspective
Cyber crime is low-risk profiteering because of offenders’ ability to maintain anonymity. It is thought to have surpassed all other types of crime combined. Cyber criminals usually take or lock up commercial or customer information and issue ransoms with the threat of deleting the information or releasing it to media and other global platforms if not paid.
Some key points:
- New Zealand is a soft target for cyber criminals because we think too locally. Although we tend to view ourselves as tucked away at the bottom of the world with clear borders, which has benefited us in our response to a real-world virus in COVID-19, cyber criminals exist in a borderless universe and New Zealand is as exposed as anywhere. Our naivety makes us an easy target.
- Most cyber crime is committed for profit – and it is very profitable and relatively low risk.
- Good hygiene is important. Up-to-date software patches, identity verification and device security are all key. CERT NZ’s top 11 suggestions for cyber security are a good place to start.
- Do the basics well first. Email security and multi-factor authentication are critical. Train and test your staff often. Deploy a managed EDR (endpoint detection and response) solution to protect your devices, as devices are the most likely way into your network.
- When an attack happens, timeliness of response is critical. If you do not have sufficient visibility of your environment, that will hamper your response, as will not having tools like EDR already deployed. In any event, get professional help as early as possible. You can make things worse!
An insurer’s observations of trends
AIG, which has offered cyber solutions for two decades, observed the following key trends in cyber-attacks and their effects:
- A significant increase in insurance claims due to the increasing prevalence of ransomware – a form of software that infects a cyber system and encrypts files, which cannot be accessed until a ransom is paid in exchange for a decryption key. Ransomware typically infiltrates systems through phishing emails with attachments containing the ransomware. A study by AIG found that ransomware and extortion claims under cyber insurance policies increased by 150% between 2018 and 2020, by which time they accounted for one in every five claims.
- Cyber criminals often now take their time and conduct data reviews prior to encryption to make their attacks more effective. They work through networks and identify the best, most valuable data and critical systems, right to the top of the IT architecture. Attacks that are more targeted are more harmful. When this approach is taken, ransom and extortion claims are typically for amounts twice as high as less-targeted attacks: hackers demand a higher price for the most valuable data.
- Typically, businesses are unable to operate properly for between seven and 10 days following a cyber breach.
Losses caused by cyber-attacks usually impact multiple aspects of insurance cover:
- Extortion and the cost of ransoms.
- Event management costs – IT forensics and legal counsel are required to respond to technical and legal issues.
- Network interruption losses – traditional business interruption losses of profit.
- Security and privacy – regulatory actions, defence costs and fines, potential customer claims.
Cyber-attacks are increasingly expensive for the insurance industry. To ensure that the risk profile does not continue to rise, insurers are now looking carefully at the following factors:
- Understanding the similarities in deficiencies and controls of victims’ businesses to gauge when other insureds may be vulnerable.
- Tailoring cyber insurance cover to how well or poorly cyber risk is managed by an organisation.
Addressing cyber risk requires a two-pronged approach
Aon report that from an insured’s perspective, there are two key ways to address cyber risk: increased cyber security and risk transfer through cyber insurance. Both are necessary for risk mitigation.
All organisations are now more exposed than ever because of the changing ways in which we work. Remote working is widely accepted and commonly employed, which results in the ‘perimeter’ of organisations disappearing or changing. Often, organisations include customers in their business processes through shared portals, online logins and other means which create further points of entry to data.
Many organisations, particularly SMEs, did not “bake” security into their systems early on in the process and now have minimally protected legacy systems running core processes with multiple updates and services added in ways that create gaps in existing security.
The key “at-risk” organisations are those who hold customer data, have access to other parties’ systems or data as part of the service they provide or are information conduits for service providers.
Insurers are asking increasingly detailed questions of insureds and they will not generally offer cyber risk insurance to organisations that do not have adequate cyber security systems. Even if insurers are prepared to offer cover, the price will depend on the security environment. One advantage of cyber insurance is that it helps organisations to identify weaknesses in their systems and it encourages them to increase investment in security to reduce premiums. From a business perspective, the fact that an organisation has obtained cyber insurance may become a mark of quality of its existing security measures which may be a selling point for customers.
Cyber insurance is therefore an overall value proposition – it minimises the risk and allows organisations to operate and interact more effectively.
The legal impact of cyber-attacks
MinterEllisonRuddWatts commented that a cyber-attack or security breach will inevitably require a legal response as well as an IT response.
The following legal claims and issues often arise:
- The target organisation suffers its own losses – money is stolen through payment diversion schemes or data is stolen or locked up so that it cannot be accessed and normal operations are affected. This causes financial loss to the organisation. These losses can potentially lead to actions by shareholders against directors if they have not put effective cyber security in place.
- The target organisation incurs liability to customers or other third parties such as those whose personal information is released. Customers’ money may be lost or their data locked up or released to the public.
- Regulatory action, such as by the Privacy Commissioner or the Financial Markets Authority, can result in defence costs, fines and penalties.
Organisations can take steps to protect themselves from legal risks during and immediately following a cyber-attack. These include:
- Make no admissions about the adequacy or otherwise of cyber security arrangements or any other matter. Expressions of regret that an incident has occurred may be appropriate but take professional advice first.
- Take prompt steps to respond with appropriate IT assistance to mitigate any loss.
- Involve insurers at the outset.
- Take advice. Many cyber insurance policies will identify IT experts and a panel of specialist lawyers who will assist.
Co-authored by Hannah Jaques.