Cyber attacks becoming new normal, writes Tim McCready

Cyber risk was rated as insurers’ top concern over the next two or three years in a survey released last year by PwC and CSFI. That was up from 13th place in 2013, and 11th in 2011.

Among New Zealand insurers, natural catastrophes remain the biggest risk, but cyber risk — at fourth place — rated as a major concern.

The amount of data about clients that insurers keep on their systems — including credit card information, medical details and underwriting information — makes them prime targets for cyber-attack. For that reason, there is a high level of anxiety among insurers towards cyber risk, particularly software failure and data security breaches.

One Australian respondent acknowledged the level of the cyber risk. “We repel more than 20 serious attacks every day. Half of those we suspect are state-sponsored attacks.”

As cyber attacks grow in number, scale and exposure, they are becoming a new normal for companies right across the spectrum. With that comes an increase in the number of cyber insurance policies issued globally. PwC estimates annual gross written premiums will increase from US$2.5 billion ($3.7 billion) today to US$7.5 billion by 2020.

The nature of cyber attacks means the geographical isolation that protects New Zealand’s biodiversity is no barrier to cyber-related crime. Although the uptake of cyber insurance in New Zealand is rising, it is still low by global standards.

PwC’s Global State of Information Security Survey showed that only 37 per cent of New Zealand respondents have cyber insurance, compared with 59 per cent globally, 56 per cent in Australia, and 70 per cent in China. Of those New Zealand organisations with cyber insurance, 25 per cent made a claim in the past year — compared with 50 per cent globally.

It is estimated cyber crime has cost our economy $257 million in the past year, although any figure is likely to be conservative as businesses are often reluctant to disclose a cyber breach, and it is notoriously difficult to assess the true cost of an attack.

In the United States, the Target retail chain reported costs of US$162 million, after insurance payments, from a 2013 attack in which hackers stole data from as many as 40 million credit and debit cards.

To provide protection, insurers need to be confident their clients have appropriate internal defence systems to mitigate the risk of attack. Yet SMEs have traditionally been poorly equipped, lacking the resources and awareness to put the necessary security measures in place to protect their IT infrastructure.

Tim Grafton, chief executive of the Insurance Council of New Zealand, says “the problem in New Zealand is that the vast majority of businesses are SMEs that lack sufficient risk management processes within their governance structures to identify the need for cyber cover. Having said that, brokers are playing and can play more of a role in offering cyber as an add-on to the suite of offerings.”

The Government is trying to address the lack of awareness and strength of cyber security through the Connect Smart partnership, a public-private collaboration launched in 2014, and its new Cyber Security Strategy.

The cost to a business from a cyber-attack can vary enormously depending on the industry and type of data breach. Costs may include a degradation of network performance, theft of physical devices, disruption of business, defacing a company website, forensic investigations, credit monitoring, legal fees, and even penalties for breaches of privacy as a result of not having sufficient protection in place.

Other, less tangible costs, including reputation and brand damage and the loss of privacy, intellectual property or classified data, mean that how to establish the cost of a cyber-attack is still largely unknown.

This uncertainty and the immaturity of insurance offerings mean insurers hold major concerns about underwriting risk for cyber security, and could be exposing themselves to massive losses.

Insurers lack the data required to understand how likely an attack is, or what it will cost when it happens. Attacks are quickly becoming more advanced, and risks increase as companies rely on cloud services to keep their data backed up.

Stroz Friedberg, a global leader in investigations, intelligence and risk management, has predicted that constantly evolving cyber threats, immature risk models, and an underdeveloped reinsurance market will cause premiums to increase over the next year. This is particularly relevant for companies operating in sectors considered high risk, including retailers, healthcare and finance.

This has been seen recently in the US, where an increase in the number of cyber attacks on companies has begun prompting insurers to hike premiums, raise deductibles and cap the amount of coverage available. This is forcing some high-risk firms to scramble for insurance cover.

AIG NZ financial lines manager Katie Young says, “We live and work in a time of constant innovation and increased connectivity, with a resulting increase in the complexity of networks and supply chains.

“At AIG, we’ve seen a growing awareness by businesses in respect of cyber exposures and this has increased demand for our cyber insurance policy. While we’ve been covering cyber risks for more than a decade globally, it is still a relatively new market for insurers overall.

“As claims data develops, adjustments to premiums and coverage could follow.”

Grafton notes that a key point about insurance markets is that “premiums generally rise as the underwriting risk increases”.

“In the context of cyber security, that will differ from insured to insured, but the exponential rise in connectivity and devices linked to the Internet of Things does raise the overall risk profile.

“Insurers, though, can cap their exposure through the use of limiting the sum insured, deductibles, exclusions etc.”

With something as unpredictable as cyber security, the only certainty is that a proactive approach to protecting against cyber attacks is essential. After all, cyber insurance will only help recoup the costs incurred after an attack. Preventing a security breach — and recovering from one after it occurs — rests squarely on the shoulders of the business.

• US$2.5b: Global cyber insurance premiums today

• US$7.5b: Predicted cyber insurance premiums by the end of the decade

Cyber risk creates a real opportunity for New Zealand, Kordia chief executive Scott Bartlett tells Tim McCready

New Zealand businesses are starting to show a real mindset shift when it comes to cyber security, agrees Kordia’s chief executive Scott Bartlett.

“It’s in the papers a lot more, there is a real narrative going on in the business community around business obligations, endless surveys where CEOs say it is a top five issue — a real groundswell happening.”

But Bartlett admits that while this increased awareness is something to take notice of, it is just the beginning.

The next question companies must ask themselves is what they can do to make themselves safe. Businesses need to create a strategy — and then monitor it.

Bartlett sees organisations at different stages in addressing cyber security. “We have seen a lot of public sector departments and agencies jump on that maturity curve sooner than some others. And there are some standout examples among the business community.”

The challenge is that the issue, opportunity, and the subject of cyber security is universal — those instigating attacks don’t discriminate. “The reality is that you will get hacked, and you may not know that you have been,” says Bartlett.

“That is the attitude you must go into this with.”

Over the next year, Bartlett sees external threats increasing.

“We are going to see far more automation of attacks, and the tools are only getting better. Over the course of the next couple of years we are going to see the impact of these attacks worsen.”

One of the major challenges for businesses is legacy code that has been iteratively added to over the past 10 years.

“Find an organisation where all the web systems are new — they don’t exist,” Bartlett says.

“You are probably still vulnerable to things that came two years ago.” For external threats, raising the hygiene factor is critical, but those threats will always exist regardless of what a company does. Internal threats, on the other hand, depend on culture.

“There is a tendency to think of cyber security as a technical problem. But you can have all the policies, procedures, and firewalls in place you want, but if your people don’t understand the risk that comes with picking up a USB stick and throwing it into a computer, or doing commercially sensitive work on public hotel Wi-Fi, then the bad guys will get around your systems.”

Kordia’s mission is to be New Zealand’s leading business-critical technology company — “you can’t be in the business-critical game without cyber security.” In line with this, Kordia announced the expansion of its cyber security offering with the acquisition of Aura Information Security for $10.02 million in November last year.

Before the acquisition, Kordia already provided security products to customers, but Bartlett describes bringing Aura into the portfolio as Kordia’s “secret sauce”.

Fifty per cent of their business is in telecommunications, and roughly half of that in New Zealand is now security services.

Aura has about 300 customers, most of which are New Zealand’s largest organisations, including government departments, banks, and large insurers. They are also increasingly working with medium sized businesses.

Bartlett stresses that the biggest requirement in cyber security is to do a terrific job for customers — “if you drop the ball once, you are done”.

It is that requirement that makes Kordia acutely conscious of responsibly managing the growth of its cyber security consulting services. Although growth can be alluring, Bartlett insists that serving existing customers first is the priority.

“While we have experienced CIOs and technical folk in New Zealand, cyber security is specialist.”

New Zealand’s pitch to attract people here isn’t bad, but Bartlett admits that the world is competing for the same talent. We need to have a combination of “grow our own” as well as attracting the best, he says.

For Kordia, this means making sure their cyber security team of 30 spends more than a fifth of their time on R&D — research that interests them. It’s a huge investment for Kordia, but things are changing rapidly — “if you’re not doing research, you’re falling behind.”

As opposed to Aura’s consultancy services, Kordia’s security product is very scalable.

RedShield provides defence for websites and web applications, and is currently shielding most of the Government and large businesses. It has the potential to go truly global, beyond current deployment in Australia and the UK.

It is obvious that Bartlett has a real passion for the opportunity cyber security can offer both Kordia and New Zealand.

“Exporting IP is fantastic and it is definitely part of the plan,” he says. “Products like RedShield will be key for New Zealand’s economic future — weightless and scalable. With fair wind and a lot of smart people it could become a big opportunity for New Zealand.”

Bartlett notes that the Government plays a leading role in informing and educating. The establishment of a CERT — a computer emergency response team — provides businesses a first port of call for advice, and allows knowledge sharing from the global community and within New Zealand.

This will ultimately help to lift awareness.

But the Government can’t do it alone.

Bartlett has been surprised at how much desire there has been across the spectrum to make the country safer, and how willing people are to contribute to it.

“We are a small country, and should be able to become a cyber security paradise,” he says. “If we can make New Zealand a cyber safe country — the world’s first — that would give New Zealand an enormous competitive advantage.”