New Zealand Law Society - Cyber Insurance, an increasing necessity

Cyber Insurance, an increasing necessity

New Zealand is in the early stages of cyber insurance, and the claims are just getting started, according to Senior Broker Anna Parker. A former lawyer, now working for Frank Risk Management, she is acutely aware of the potentially devastating consequences for law firms of cyber attacks.

In this article, Anna runs through why cyber insurance is becoming an increasing necessity for any organisation wanting to manage risks.

This article is over 3 years old. More recent information on this subject may exist.

Why is cyber insurance so important
Cyber events are a crisis like no other, they cause a lot of stress, worry and can cripple a business. That coordinated crisis response in the first 48 hours after a cyber event is make or break.

In my experience, law firms have been extremely grateful and relieved to know they have the cover in place once they have experienced any cyber attack.

The benefits of a cyber insurance policy are that cover extends to both first and third party losses, including the expenses a law firm may incur arising out of unauthorised use or where unauthorised access is gained to physical and electronic data or software within an organisation's computer network. 

Cyber insurance policies can also cover liability, costs and expenses arising from network outages, spreading a virus or malicious code, computer theft, or extortion.


What does cyber insurance cover? 
Each cyber insurance policy is slightly different, but here is a list (not exhaustive) of some of the most common aspects that cyber insurance covers: 

  • Incident response teams 24/7 (experts including forensic IT specialists, PR, lawyers) who would respond to an attack on your system
  • Cost of urgent legal support from experienced cyber insurance panel lawyers
  • Ransom or extortion costs
  • Data restoration
  • Defence costs
  • Cover for loss of profits
  • Third-party liabilities


The current cyber insurance market  - New Zealand is no longer safe 
Cyber risks and breaches continue to be at the forefront of risk management plans and continue to appear as the top items of any risk survey. New Zealand is increasingly becoming a target for cybercriminals. With other developed economies becoming attuned to the threats and taking their cybersecurity defences more seriously, hackers at all levels are now looking at other countries to exploit, putting NZ firmly on their radar.

Cyber attacks are on the rise, and so are the financial losses that can follow in their wake. Data from IBM has shown that it takes on average 197 days to identify and 69 days to contain a breach. More and more law firms are falling victim to cyber incidents, and the reputational damage and potential financial devastation caused by data loss or a breach are increasing.

The long-awaited Privacy Act took effect on 1 December 2020, and with it, the mandatory notification processes for privacy breaches. Meaning law firms are being compelled to investigate cyber and data incidents and notify the affected parties.

2020 saw a dramatic escalation in cyber events, continuing into the first quarter of 2021. Insurers have responded with more caution and conservatism in the cyber market, reducing capacity and by applying rate and premium increases. Not as dramatic as the increases in professional indemnity insurance, but nevertheless, the cyber insurance increases have been noticeable.


What are cybercriminals doing
Until recent years, most threats came from phishing attacks (stealing data of value, like financial information). Then came ransomware (where victims are shut out of their systems unless they agree to pay a ransom to their attackers). Cyberattacks now have evolved into more targeted and sophisticated affairs. More often than not, they involve social engineering to target employees in influential positions like a CFO and pose as them asking for funds to be transferred or targeting their contact lists to expand attacks. The COVID 19 pandemic has driven remote working, which in turn has increased the cyber vulnerabilities.

CERT NZ, a government agency that supports those affected by cybersecurity incidents, noted an almost 65% increase in cyber incident reports. It received 7,809 reports in 2020, up from 4,740 reports in 2019.  This is only scratching the surface on the actual number of incidents –  no one knows the true scale of how many cyber-attacks and how much money is being lost each year because of how many breaches still go unreported. It is believed that fewer than 10 per cent of businesses in New Zealand have cyber insurance.


Some common claim examples:
Top three cyberattacks - phishing, credential harvesting, scams and fraud and unauthorised access. 

  • Hackers stealing sensitive data and threatening to publish it online if ransoms are not paid.
  • Clicking on a link or a download provides the gateway for a data breach or ransomware (reputational damage and data loss).
  • Social Engineering fraud - the impersonation of a senior employee by a third party, that influences another employee to transfer funds to an unauthorised account.
  • Taking advantage of vulnerabilities in a vendor's security system as a way of getting into a target's network.
  • Invoice manipulation, where a hacker intercepts an email with an invoice attached, changes the settlement bank account number on the invoice and then releases the email.  The unsuspecting buyer pays to the hacker's bank account (which is often a hijacked account of an unsuspecting member of the public).  


Tricky cyber insurance points to watch out for
The cyber landscape is moving quickly, and there is no doubt that cyber breaches can be overwhelming for many law firms. Cyber insurance is an everchanging and evolving market, with each insurer in NZ taking a slightly different approach.

Law firms, unfortunately, are a natural target for extortion and are facing increased ransomware attacks. A common misconception is that it isn't just about the value of data to the hackers, but rather it is the value of the data to those law firms: what you would pay to get that data back. Some insurers allow for ransoms to be paid. Some don't - the theory being that those companies who pay ransoms invariably end up on a list of "people who pay" on the dark web, thus increasing the chances of further attacks.

Silent cyber exclusions - insurers have incurred losses from cyber-related claims on policies never intended to cover cyber risk. As a result, insurers are adding silent cyber exclusions onto most policies.


Is it cyber insurance or crime insurance law firms need
Cybercriminals are entrepreneurial, and the types of attacks are becoming ever more sophisticated. Gone are the days of your Russian Prince asking for money to be transferred into a specific account via a poorly worded email.  Cybercriminals now have the confidence to pick up the phone and change bank account details when you are trying to transfer funds. They are always on the hunt to find new ways to circumvent security measures.

The majority of cyber insurance policies refer to network security and data privacy risks, whereas theft of monies or fraudulent transfer of funds is generally dealt with by crime insurance which is a separate insurance policy. 

Cyber loss is complicated, and policies that say they provide cyber insurance may not have the scope of cover needed, especially when it comes to cybercrime. Each policy varies. Most cyber insurers offer an option to include social engineering as an extension to a cyber insurance policy. If they don't, they will offer a separate crime insurance policy to deal with the theft of monies or a fraudulent transfer of funds.

Many claims fall within policy endorsements included in the cyber insurance policy.  For example, hacker theft, cybercrime, and social engineering. These can be limited to $100,000 or $250,000 rather than the full policy limit. It is essential to understand the policy sub-limits and to ensure they are adequate. Taking it at face value could lead to costly disappointment!

Finally, the voluntary action of someone in a law firm - be it a staff member in the finance team etc. to transfer funds where your system has not been compromised, may not be covered by a crime policy either.  


What does this mean for you
Now more than ever, we live in a digital landscape. Cyber exposures constantly and quickly evolve, and data risk management continues to be a learning experience.  Consider putting in place sufficient insurance to cover the associated costs of a cyber incident.

Law firms need to turn to skilled insurance professionals who are innovative with finding solutions for clients capacity in the market and utilising their relationships with insurers to ensure clients have the best outcome. Engaging early with a qualified, experienced broker is the key.