The value in any insurance policy is best demonstrated at claim time. And the claims resolved by specialist Delta Insurance from its cyber lines show that every New Zealand organisation really should consider mitigating the risk of a hack or malware as serious consequences can flow from even minor disruptions to your business. That’s not all – the company says the process of purchasing insurance will in itself improve your security posture.
Released late in 2021, the National Cyber Security Centre threat report detailed 404 incidents impacting nationally significant organisations in the 2020/21 financial year, a 15 percent increase on the previous year. While these high-profile cyberattacks affecting organisations including the NZX, banks, and Waikato Hospital generate headlines, Delta Insurance Underwriting Manager Adrian Sweeney says there are hundreds, or even thousands, of other breaches affecting everyday Kiwi companies. “The primary motivation for most attacks is financial – they want money, usually in the form of Bitcoin or other cryptocurrencies.”
Some examples of organisations for which Delta has recently handled claims include a car dealership, a food manufacturer, and an environmental consultant. “New Zealand is a nation of small and medium businesses. But being small and medium in no way prevents you from being a target. Every organisation is in the crosshairs, and the methods used by hackers are increasingly sophisticated, including automated systems and often a highly professional approach. This is a business for the hackers.”
It’s no surprise, then, that the most common attacks feature ransomware which either locks up or threatens to steal and distribute sensitive data assets or applications, with an extortionate request for cryptocurrency – because these currencies are nominally anonymous. “It’s at this point that people targeted like this realise how important their data is. They also realise they have little choice but to pay the ransom,” says Sweeney.
Even that has its complications. Converting dollars into cryptocurrency can be challenging, as is the process of transferring it to the hacker’s online crypto wallet. Then there’s the open question of if the hacker will in fact provide a working decryption tool unlocking your data.
“The bottom line here, and always, is ‘prevention is so much better than cure’,” stresses Sweeney. “But if prevention isn’t possible, cybersecurity insurance certainly is.”
He adds that for insured parties, payment of the ransom is the absolute last option and is always discouraged. “We provide technical support to recover or restore the data to avoid the need to pay the ransom at all. This often costs more than the ransom but is worth doing because payment to a criminal is likely to breach international sanctions. And it encourages the next heist,”
On to the claims
Delta offers comprehensive cybersecurity insurance providing support for business interruption (covering loss of profits if IT systems are attacked), Third Party Liability, Hacker Theft Cover if funds are stolen, Network Extortion, Triage & Breach Consultation by appointing IT specialist or law firms as appropriate, Costs to Restore, Data Forensic
Services analysing root-causes, and even Public Relations expenses helping manage your reputation in the wake of a breach. It also offers Notification Services and Credit Monitoring, preventing damage from identity theft, and provides advice on mandatory breach reporting under the Privacy Act 2020.
Three claims recently handled by Delta demonstrate how cybersecurity insurance saved the day.
1. Industry Body – Data breach
A professional industry body suffered a data breach compromising member credit card information. With the claim lodged, a Delta-appointed forensic team sprang into action, investigating and resolving the breach, while lawyers assisted with notifying the Privacy Commissioner and communications with affected members. Delta contributed to the costs of improving the insured’s system, helping prevent future attacks. The total cost of remediation was over $100,000.
2. Cosmetics company – DDoS attack
A cosmetics company suffered a distributed denial of service attack (DDoS) attack, shutting down its website down and preventing the company from trading. It is believed the attack originated from an animal welfare group retaliating to animal testing allegations. The insurer assigned an incident manager and appointed an IT specialist for issue resolution. The insurance policy covered:
3. Food Manufacturer – malicious employee
A senior employee dismissed by a food manufacturer maliciously deleted a significant quantify of sensitive of data from their company laptop. The cybersecurity insurance policy provided for the appointment of a forensic investigator who examined the hard drive, with experts later carrying out a successful data recovery exercise.
Why getting insured means an improved cybersecurity posture
Smart managed security services providers are doing something interesting in relation to their cybersecurity offerings: tailoring their ‘baseline’ services to the policy documents of cybersecurity insurers. “This is telling, because these MSPs recognise the risk management approach taken by insurers,” says Sweeney. “And indeed, we won’t take on customers who do not have sound cybersecurity technologies, processes, practices, and measures. It would be too risky – and cyberattacks are a fast way to lose a lot of money, not only for those with inadequate protection, but also for an insurer taking on an excessive risk.”
The process of acquiring cyber security insurance is therefore somewhat rigorous, with the insurer examining your environment and assessing your threat surface. “This will very quickly let you know where you stand,” says Sweeney. “Basically, if an insurer is prepared to offer cover, it means your security posture is sound. If not – well, you have work to do, and likely something of a roadmap showing the path ahead.”
Delta Insurance is a specialist underwriter of niche products https://deltainsurance.co.nz/.