NBR Senior Writer Nathan Smith talks to CEO Craig Kirk and Cyber Specialist Fred Boles about the first personal cyber-attack policy in New Zealand:
While corporate cyber insurance has existed in various forms for about 20 years, policies for individuals are relatively new. But interests and attitudes toward cyber insurance have changed as people realise they can’t escape the risks of online exploitation.
According to Gartner, the policy sector overall for corporates has been growing at 8% a year and is destined to be worth $US248 billion ($385b) by 2026.
But Delta chief executive Craig Kirk spotted a gap in the market for insurance to cover the cyber risks individuals were facing.
“The list is growing all the time: identity theft, theft of financial assets, attacks on smart devices at home like baby-phone cameras and smart TVs, viruses, ransomware, unauthorised online transactions and theft of priceless family items like digital photographs.
“The financial damage can be substantial but [a cyber attack] can also bring massive emotional stress and disruption,” he said.
Companies are already getting the message. PwC estimated only about 30% of companies have cyber insurance or cyber liability insurance coverage. According to a recent report by rating agency AM Best, direct premiums written in the US for both standalone and packaged cyber policies grew about 12% in 2018 to $US2b from $US1.8b, which is more than double what was written in 2015.
Although Delta’s personal policy is not an indemnity cover, it will include events in which a person’s online identity is compromised, network intrusions that lead to ransomware attacks, data loss and even unauthorised online transactions. But the main boost will be saving people time.
Kirk said it takes victims more than five hours on average to sort out a breach, and about a third of breaches take more than a week to sort.
Given the sheer volume of cyber attacks each day, he is conscious that offering an insurance policy for people could quickly spiral out of control if thousands of policyholders start claiming for losses.
However, according to breach data from the government’s Cyber Emergency Response Team (CERT NZ), the average personal claim works out to be about $2000, which is manageable.
“We are being conservative because the last thing we want is to blow ourselves up. The claim limit at the moment is $15,000 spread across the various risks. That’s quite a bit of money even in this space but we think it’s enough for the time being. As the data comes in we’ll reassess,” Kirk said.
He said the new personal cyber insurance has no excess and won’t be offered directly to individuals yet. Instead, it will be offered through partner channels such as banks, brokers and telcos.
Delta cyber-risk specialist Fred Boles said many Kiwis have little or no protection and 30% of them aren’t aware their personal information is available online and is vulnerable.
“About two-thirds of consumers believe they will be subject to cyber attacks in the next year. Most people are vaguely aware of how they might be attacked via the internet and almost 90% want to do something about it.
“But they essentially have no idea of their actual exposure, so they often struggle with what to do – they don’t know where to start,” Boles said.
The costs to an individual from a cyber attack fall into two categories.
He said a partnership with UK-based DynaRisk will help people monitor whether their information – such as email addresses, credit cards and phone numbers – has been breached and if any of it is available on the “dark web” (the parts of the internet not indexed by a search engine such as Google).
While a person’s exposure online has no bearing to whether they qualify for insurance coverage, both Kirk and Boles said improving awareness, weak passwords, privacy settings and personal online safety is beneficial to both Delta and its policyholders.
Boles added that as more employees work from home and use their own devices at work, this raises the risk of a device acting as a Trojan horse, bringing harm into a business. So improving a person’s online safety directly boosts a company’s security too.
“In time this personal insurance will probably become part of a standard offering,” Kirk said.