Cyber-attacks on businesses and other organisations are rising, as is the damage they cause. Cybercrime is now thought to have surpassed all other types of crime combined. In the past year alone, the Reserve Bank, the Waikato DHB, Air New Zealand’s SITA provider, NZ Post, Inland Revenue, MetService, Kiwibank and ANZ have all been the targets of cyber-attacks.

The most significant recent development has been the rise of ‘ransomware’ – software that infects a system and encrypts files which cannot be accessed until a ransom is paid for a decryption key. In most cases, ransomware gains access to systems through ‘phishing’ emails in which staff click on a fraudulent link.

A technical perspective

Cybercrime is low risk for offenders because they operate remotely and remain anonymous. They usually steal data or deny access to it. They often demand ransoms and threaten to delete or release confidential data. Information about ransoms is difficult to find because most victims do not publicise them, although some insurers quietly admit they will pay ransoms where necessary.

Experts warn that New Zealand is a soft target because we think of ourselves as outside the world’s main areas of commerce and criminal activity. This means nothing in a cyber-connected world and our naivety makes us an easier target. The changing ways in which we work present new risks. Remote working results in increased access to systems through personal connections that are more difficult to monitor and secure. Organisations increasingly allow customers into their systems via shared portals and online logins. Experts advise that up-to-date software patches, identity verification, email security, multi-factor authentication and device security are all important. CERT NZ’s top 11 suggestions for cybersecurity are a good place to start.

Staff are weak links and must be trained and tested often so they do not fall victim to phishing or ‘trojan’ attacks. A managed EDR (endpoint detection and response) solution to protect devices is also critical, as this is a key risk of access to a network.

The legal impact

A cyber-attack or security breach will inevitably require a legal response. The following legal issues often arise:

• The victim suffers loss – money is stolen through payment diversion schemes or data is stolen or locked up so it cannot be accessed, and operations are affected.
• The victim incurs liability to customers or other third parties such as those whose confidential information is lost or released or whose money is transferred away.
• Regulatory action by the Privacy Commissioner, the Financial Markets Authority or other regulators may result in defence costs, fines and penalties.
• Organisations can take steps to protect themselves from legal risks. These include:
• Before an attack, ensure you have sufficient visibility of your technical environment and have tools such as EDR already deployed.
• Involve insurers. They will often have a pre-approved panel of IT specialists and lawyers who can help.
• Take prompt steps with appropriate IT assistance to mitigate loss.
• Make no admissions about the adequacy or otherwise of cybersecurity or any other matter.

The role of insurance

Cyber-attacks usually result in insurance claims. These can be complex. Insurable losses may include the following:

• the cost of paying ransoms;
• costs of IT forensics and legal counsel;
• customer claims;
• network interruption losses – business interruption and loss of profit; and
• security and privacy – regulatory actions, defence costs and fines.
• These losses may result in claims under the following insurance policies:
• Professional indemnity policies: for claims by those who suffer loss as a result of negligence that fails to prevent cybercrime. Increasingly, professional indemnity insurers exclude cyber losses.
• Cyber policies primarily cover losses to the insured’s own business and costs incurred in responding to the event, but they also usually cover some third-party liability.
• Statutory liability policies may provide cover for fines, penalties and defence costs.
• Crime policies may provide cover for losses caused by cybercrime.

Cyber-attacks are increasingly expensive for the insurance industry so insurers are asking more detailed questions of insureds and are becoming more selective.

What should managers do?

• Be aware of key information assets and the risks to them.
• Identify acceptable and unacceptable risks and plan resourcing accordingly.
• Ensure sufficient resources are available to maintain and develop the necessary IT protections and provide ongoing training and testing.
• Ensure reporting is non-technical and understandable. Ask questions about key risk mitigation strategies such as prompt patching, multi-factor authentication, back-ups and scanning.
• Ensure a robust plan is in place to deal with incidents if they arise and test it regularly.
• Ensure adequate insurance is in place.

Andrew Horne is a partner at MinterEllisonRuddWatts