With so much media coverage of large-scale data breaches, companies are increasingly turning to insurance providers to offset a portion of the risk associated with cyber security incidents.

Many insurance companies now offer this product for firms of all sizes looking to add coverage to their standard business policies.

A 2014 report released by insurance broker Marsh, ‘New Zealand Survey of Risk’ ranked cyber risk as the second largest emerging threat facing New Zealand businesses over the next two years.

What are the risks?

As with any insurance product, it’s important to consider specific issues associated with a belt and braces approach to risk management.

For example, any company wanting to insure company vehicles may take a holistic approach to reducing their premiums and asking brokers the right questions up front:

  • What does the policy cover?
  • What are the exclusions and small print regarding responsibilities?
  • If I installed GPS trackers in my vehicles to prove mileage and speeds driven would this reduce costs?
  • If I supply evidence of staff driver training will this impact on the cost of staff vehicle cover?

IT can often be a difficult area to get your head round and insuring for cyber risk threats including data breaches, theft of devices and system failures might prove intimidating at first, especially if you’re not familiar with information security jargon.

Some things to consider could include:

  • What are my responsibilities as a business owner and company director when it comes to privacy and information security?
  • What moral hazards (the costs to my customers) and reputational risks does doing business online and outsourcing my technology open me up to?
  • Would insurance cover the cost of remediating the harm done to my customers such as identity theft issues or credit monitoring fees?
  • With so many breaches making the news, how much is it going to cost to cover the kind of risks I’m likely to encounter?
  • What do I have to do to be compliant and to ensure a policy would pay out if my business were hit by hackers?
  • Is my business capable of meeting PCI standards for handling credit cards and payment data or any other requirements applicable to my industry?
  • Has the insurer paid out already or are there legal grey areas for this coverage in NZ?
  • Just how much cyber risk coverage do I need? NetSafe recorded 520 security incidents in 2014 with the average incident costing $10,700 but this figure often doesn’t include incidental and clean up costs associated with a breach, ransomware attack or website defacement.
  • What happens if I underinsure my business? Quantifying the costs associated with a cyber risk policy might be difficult to do and require a lot of work to identify hardware and software expenses, staff or supplier time, etc.
  • Would a policy cover all kinds of cyber risk such as DDoS attack, defacement or reputational harm as well as hardware loss or infection?

There’s no doubt that insurance shouldn’t be the only line of defence your company employs to secure critical business information.

Directors need to be aware of their duty of care around data – despite NZ currently having no mandatory breach reporting regime – and this should flow onto creating a culture within every business of defending against cyber security threats.

Based on NetSafe incident data, malware and viruses remain a constant and ongoing issue for companies of every size so ensuring that business systems are kept patched and up to date with tested and working back up processes in place is the number one priority.

All endpoints – the software programmes and hardware that staff use, including mobile devices whilst out on the road – need to be protected from infection, theft or loss to reduce the risk that anything later found by a third party could be used to harvest data (if unencrypted or not protected by a strong password) or potentially allow access into your company network or business systems that include your website or document management system or corporate email.

Business email compromise (BEC) and the sending of spear phishing or whaling type messages to staff handling payments also remains one of the most common threats in NZ which can result in funds being sent overseas.

Training staff to recognise and know where to report fraudulent emails within the business is key. Building a secure culture at work also helps your employees to stay vigilant at home against common computer security threats.

More information and advice