Three cyber experts from both sides of the Tasman share their views in the ANZIIF Journal on the state of play with cyber security and its future impact on business.
Ian Pollard, Managing Director – Delta Insurance
“Our geographical isolation has perhaps made us complacent in the face of relentless and invasive global cyber activity. With a cyber attack only the click of a button away, our status as an island nation at the bottom of the world provides us with no defence or security.
In fact, it could be argued that our relatively lax approach to cybersecurity, compared with other developed nations, has contributed to New Zealand being recognised as one of the ‘Cyber Five’ countries that are nine times more vulnerable to cyber attacks than any other Asian economies.
With the intensity and number of cyber incidents increasing daily, coupled with the constant growth in our digital footprints, there is now a growing recognition of the enormity of the existing and emerging threats that face us. The government is taking action, with mandatory reporting and privacy legislation reform on the horizon, along with the introduction of a cyber taskforce and public-private sector strategies in place.
However, it is up to each individual business in New Zealand to make sure it has the appropriate risk management strategies in place to minimise the impact of an inevitable cyber attack.
At Delta, we have partnered with the most comprehensive team of specialist cyber experts in New Zealand across all aspects of the cybersecurity risk spectrum. We’re passionate about helping our customers to adopt robust cyber risk strategies that reduce their risk and ensure they are comprehensively covered before, during and after any cyber incident.
Currently, we estimate the cyber insurance market in New Zealand to be NZ$10 million in premium. With more thought leadership, education and understanding from the market, it is likely to climb to at least NZ$50 million by 2020, with the potential to be more than NZ$250 million in premiums by 2025.”
Max Broodryk, Product Leader – Cyber Risk at XL Catlin
“Cyber risk is about more than information technology. It’s something that concerns an entire business. My advice to brokers and clients is to get across how commercial and personal data is stored and how securely. Can this data be segregated, anonymised or encrypted? Does it even need to be collected at all? What would you do if the data was stolen or lost? Do you have a data incident breach plan? And what would be the impact of business interruption if your systems went down? Do you, for instance, have a business continuity plan and can you quickly source new hardware, reinstall the software and restore the data?
Cyber insurers can provide a number of benefits for clients. Beyond risk transfer, insurers can provide access to specialised service providers such as crisis managers, forensic investigators, lawyers that specialise in data issues, public relations experts, loss adjusters and identity theft experts.
No company will have all of these skills in-house, or be able to contract them at reasonable rates on short notice. Similarly, our claims teams around the world deal with cyber claims every day and are a valuable resource in a crisis situation. Like all insurance, cyber insurance converts what might be an infrequent but potentially large cost into a more frequent predictable cost that can be budgeted for.
The external threat and regulatory environments are changing constantly, so insurance provides a hedge against this uncertainty. Insurance is becoming a mandatory contractual requirement for many projects and tenders and we can provide you with proof of insurance and claims settlement in more than 200 countries globally.”
Fergus Brooks, National Practice Leader – Cyber Risk at AON
“In 2017, Australian enterprises voluntarily reported 114 data breach incidents. In the first two weeks of the mandatory data breach notification regime coming into effect in February, there were 17 reports of breaches made to the Office of the Australian Information Commissioner (OAIC).
Business in Australia has already shifted its thinking on cybersecurity and understands it is a question of when rather than if it will experience a breach or attack. In spite of that, many organisations are still relying on conventional insurance cover such as property/business interruption, crime, professional indemnity, directors and officers and kidnap and ransom to provide some form of cyber coverage. It’s a risky approach, especially in light of recent signals from both Lloyd’s of London and insurance ratings agencies about what they describe as ‘silent’ or ‘residual’ cyber coverage from those sorts of more general policies.
For Australian enterprises, filling out a form and letting the OAIC know there has been a breach is just one of many challenges they need to tackle regarding security. Notification of affected individuals is also a factor.
That’s just for Australian compliance. Companies that have European interests must also gear up for the European Union’s General Data Protection Regulation (GDPR), which came into force in May. The key to potential risk mitigation here is to have a tested cyber incident response plan.”