New Zealand companies are failing to realise the need to insure against cyber attacks, despite a growing number of incidents, according to a top commercial insurance expert.
Kiwi SMEs have been slow to include cyber insurance in their business protection plans, but are also more likely to be at risk due to a lack of IT support and the increasing frequency of attacks, says Apex Insurance Special Risks Team Account Director, Jonathon Gillham.
“Only around one in every 300 (0.3%) businesses in New Zealand are estimated to have cyber insurance,” says Gillham. “The majority of those that do have protection are large companies or companies that operate in the software industry who are very aware of the dangers.”
However, there is a real risk for any company that holds an electronic database with client information or operates an email system. “A database could be hacked and private information can be accessed such as credit card details of all the customers,” explains Gillham.
“In terms of emails, a virus could be spread from a company’s email system, and that company could be liable for the damage that does to others’ systems.”
While large companies usually have IT services on hand to ensure virus protection software is up-to-date and cyber security is as tight as possible, SMEs often don’t spend money on cyber defences or have specialist support on call which puts them at greater risk.
There are two main types of cyber insurance available in New Zealand: the first for business interruption, which will cover lost revenue for the days when a company is unable to trade, and the cost of IT specialists needed to fix problems caused if a cyber attack occurs.
The second is liability cover, which protects a company in the event that a hacker obtains personal data such as credit card information, and the company then has to cover clients’ costs for replacements.
“Obviously some businesses have much more to lose in this regard than others. For example, if a patent attorney was to be hacked, the losses for intellectual property stolen could be in the millions.”
While cyber insurance is fairly new in New Zealand, there have already been some substantial claims made. “There have been a handful of claims in the hundreds of thousands of dollars range,” Gillham says. “It’s not on the scale of the US, where there have been some claims in the tens of millions of dollars, but it is happening.”
“People assume we aren’t a prime target here, but one local digital advertising company we are aware of is attacked once a week by hackers they have traced to Korea,” he explains. “All they can do is keep upgrading their security to try and stop them getting in.”
The amount of insurance cover Kiwi companies need depends on their level of risk, Gillham says. “For a panelbeater operating a private database and email, the minimum amount of $250,000 cover is probably adequate.”
“However, for a company that operates entirely on a cloud system and that has revenue of $100million or more, that cover is going to have to be substantially higher. We know of a handful of companies who buy a cyber insurance policy with a $10million limit.”
Three major providers underwrite cyber insurance in New Zealand - Delta Insurance, AIG and Dual - and Gillham says it’s becoming more common for it to be included as part of a management liability package for businesses.
“It may take the cost of one of these packages from $1000 to $1200 a year for a small company, but that’s not much in the scheme of how much one of these incidents could end up costing.”