Published on the 19/09/2018 | Written by Heather Wright
Insurance moves from tangible to intangible assets, but who's buying?...
It used to be that tangible items such as buildings, stock and vehicles were the key assets for a company. Today, for many Kiwi companies it’s all about the IP and data.
So it’s no surprise that cyber is an increasing risk exposure for many Kiwi companies – or that a big business has sprung up around insuring it.
What’s perhaps a little more surprising is the range of companies taking up cyber insurance.
Auckland-based Delta Insurance, which has been offering cyber insurance for nearly five years and has just launched an intellectual property insurance offering as well, says it has ‘thousands’ of customers in New Zealand and it expects those numbers to double in the coming year.
“The costs involved with mandatory notification and data protection can be quite expensive.”
Alongside the financial institutions, tech companies and retailers on Delta’s client list are customers ranging from a panel beater concerned about a data breach involving his high net worth customers, to a sausage manufacturing business concerned about the costs of potential downtime if their internet connected manufacturing system is hacked. Even some government agencies are now cyber insured, says Craig Kirk, Delta Insurance general manager.
Cert NZ figures released today show 700 cybersecurity incidents were reported between April 1 and 30 June, with phishing reports up from 196 to 455, quarter on quarter.
Delta are by no means the only company insuring against cyber crime in New Zealand. NZI, AIG, Crombie Lockwood and a range of other companies are working in the growth market.
Last week German reinsurance company Munich Re told attendees at a reinsurance conference that cyber risks are one of the biggest threats to the networked economy, saying it estimated the market for insurance against cyber threats to double by 2020 to more than US$8 billion.
The insurance covers losses from cyber attacks including recovering lost or destroyed data and liabilities arising from data protection laws.
“There are legislative changes pending here in New Zealand,” Kirk says referring to a bill before parliament which would see reforms to the privacy act to pull us in line with overseas changes such as Australia’s moves earlier this year which included mandatory notification of breaches.
“That is almost certainly going to come into NZ, bringing us inline with Australia, the EU and most of the states of the US. And once that happens then it will become a much bigger issue in NZ. Notification costs, making contact with customers and everything involved with mandatory notification and data protection, can be quite expensive.”
For now however, the bulk of claims Delta is seeing are coming from ransomware attacks, which accounts for about 80 percent of claims, though Kirk admits payouts for ransomware aren’t generally that large.
“The largest claim we had is around $40,000 for ransomware,” he notes, with most payouts primarily for the cost of IT experts to restore systems.
“We take a different approach to some insurers in that we work very closely with cybersecurity vendors and consultants firstly with a pre-loss assessment – kicking the tyres to make sure controls are up to scratch – and then if something like a ransomware attack happens, we have cybersecurity specialists who can come in early and try to resolve it quickly.”
‘Resolving it’ can mean paying the ransom, even though that’s something Delta doesn’t recommend.
“We prefer the ransom isn’t paid, because it’s not the best way – there’s no certainty you’ll get your data back and you kind of go into a suckers list and they may come back and have another go. But if our cybersecurity experts say there’s no other option we can do that, and it is insurable.”
While ransomware constitutes the majority of claims for Delta, Kirk says targeted hacking attacks have also resulted in a number of claims.
He cites the example of a new Kiwi tech startup, who experienced a very targeted attack to steal their IP.
“New Zealand startups spend a lot of money on R&D, we are known as innovative country and there are a lot of good success stories coming out of NZ particularly in the tech space,” Kirk says. Last stats I heard was NZ as a nation is spending in excess of $1.6 billion a year on R&D.
“And the thing is, companies overseas, rather than spending millions and millions of dollars developing IP themselves, potentially can steal it from someone else by hacking means. And there have definitely been some cases of that as well,” Kirk says.
Phishing and whaling claims are also increasing.
A recent KPMG test New Zealand businesses cybersecurity revealed one in 10 Kiwis could fall for a phishing attack.
The test involved 35 organisations (who had all agreed to participate in the test) with more than 8,300 staff between them. Emails were sent to staff indicating the company had signed up to a password quality checking website and asked them to go to a website to check the quality of their passwords.
In a result KPMG says was ‘unfortunately not surprising’ 12.1 percent – or more than 1000 – of people receiving the email clicked on the web link, and 8.4 percent (702) entered their password into the site. The first person entered their password less than one minute after the phishing emails were sent. Unsurprisingly, Kirk believes all companies need cyber insurance. The reality, however is a little different with a report earlier this year showing just six percent of New Zealand SMEs having cyber insurance, and Kirk believing less than 20 percent of overall Kiwi companies have the insurance. “We’re still in the early stage of the business becoming mainstream,” he says.
As the shift to a digital world continues, insurance too will continue to shift to include intangibles, with cyber insurance likely to become just another tick box on the company risk management strategy. Next up for Delta: cyber insurance for the home market.