What you need to know about cyber insurance
More than 80 per cent of New Zealanders have experienced a cyber security breach online. Yet, only 6 per cent of small to medium Kiwi businesses have cyber insurance.
Cyber insurance is designed to provide cover in the event of a cyber security incident, such as a data breach or malware attack. There are two key components to any good policy: cyber security insurance and cyber liability insurance. Cyber security insurance ensures your business survives the event and cyber liability insurance provides cover for third parties impacted by the insured event.
What is Cyber Security Insurance?
Cyber security insurance provides first-party cover if your business falls victim to a cyber attack. It covers the damages done to you and your business in the form of:
Incident management
This will help to cover the initial cost of an incident, and can include:
- Incident response management.
- Notification management.
- Crisis communications and public relations consultation.
- IT forensics and services.
- Legal consultation.
- Digital systems replacement and/or recovery.
Direct financial loss
Policies should also help cover the direct financial loss you experience as a result of the cyber incident. This can include:
- Loss of income and/or profit from: business interruption, reputational damage, data loss or corruption and misuse of private/confidential information.
- Legal and regulatory investigation defence costs.
- Court or regulatory fines.
- Cyber extortion.
- Public relations costs.
- Media liability costs, such as: intellectual property theft, the unauthorised distribution of media and misuse of media (e.g. defamation, slander, breach of privacy).
What is cyber liability insurance?
Cyber liability insurance applies third-party insurance to cover the damages to external individuals and businesses as a result of a cyber security breach. This could be at the time of the incident or years down the track.
Cyber liability policies frequently include:
- Intellectual property theft.
- Privacy breaches.
- Media content damages, such as: distribution of private material, slander, defamation, the unauthorised distribution of media (e.g. piracy) and misuse of media (e.g. defamation, slander, breach of privacy).
Do cyber insurance policies include cyber security and cyber liability cover?
Good policies generally include both.
What types of business need cyber insurance?
Globally, 60 per cent of businesses cease trading within six months of a cyber attack. While most large New Zealand companies have cyber insurance and security measures in place, the majority of our small to medium enterprises (SMEs) don’t.
A recent Spark Lab survey discovered that almost 70 per cent of New Zealand SMEs have no crisis management plan for a cyber attack, and 40 per cent have no virus protection installed on their company computers and devices. It might come as no surprise then to learn that almost a quarter of all New Zealand SMEs experienced some form of cyber incident in 2017—that’s over 110,000 businesses.
In a nutshell, New Zealand SMEs are at greater risk than most.
Cyber crime does not discriminate. However, damage costs can. In particular, if you operate in the health, finance, professional services, pharmaceutical or technology sectors, the cost of a cyber incident is significantly higher.
That’s not to say large organisations are immune. In 2018 alone, Inland Revenue, Vector and Z Energy all experienced cyber security incidents. There are reports of the Bay of Plenty’s District Health Board fighting off 864,000 potential cyber attacks per day and the New Zealand Ministry of Health up to 1.7 million attacks a week.
What doesn't cyber insurance cover?
Cyber insurance is not a get-out-of-jail-free card that exonerates a business from ensuring and maintaining a high level of overall security. Below we outline three key exclusions to be aware of:
Poor security measures
While cyber insurance may protect a business from the greater cost of a cyber attack, businesses should still take their online security seriously. In fact, an increasing number of insurers are refusing to cover a business if they don’t have solid security measures in place.
Negligence
Many cyber attacks rely on weaknesses in commonly used software and networks to carry out an attack. Therefore, failing to install the necessary system updates could cause a cyber insurance claim to be rejected.
Reputation and brand damage
Cyber insurance can’t protect from reputational damage. It can, however, help cover the public relations costs a company might require. If you really want to protect your reputation, ensure you have appropriate cyber security measures in place first and foremost.
Are there different types or levels of cover?
Businesses with a larger digital footprint are certainly more exposed than others. Despite this, every business that has any kind of connected device—from a work phone to a server to an EFTPOS machine—is at risk of being attacked.
Different levels offered in New Zealand
Important! Some industries require companies to meet security compliance measures. For example, any retail store that accepts credit cards must be PCI compliant so that customer credit card details are secure. Failing to meet your compliance measures in your industry could see your claim rejected.
How much does cyber insurance cost?
The cost of your cyber insurance cover will vary depending on the amount and level of cover you need.
Regardless of which insurer you choose to use, make sure you aren’t underinsured. When selecting your cover, it is vital to consider the potential damages a cyber incident could cause. How much can you afford to pay in a worst-case scenario? Will the amount you’ve chosen cover the damages—or would you go out of business?
If you work in the health, finance, professional services, pharmaceutical or technology industries, be aware that you may need a higher limit to ensure you’re adequately covered.
Don’t my professional indemnity / general liability / material damage policies include cyber coverage?
Cyber cover is usually excluded from all of the above. Here’s why:
- Tangible and digital property are considered different: most material damage policies only cover physical property, not cyber events.
- Material damage only covers data loss from physical causes: for example, if an office fire destroys your server, material damage will cover this, but not if that same data is destroyed in a malware attack.
- Cyber insurance includes crisis management and recovery: general liability and professional indemnity policies will not help a business manage a cyber incident. They won’t cover third-party damage costs that may result from it either, such as legal defence, settlements and fines.
In a nutshell, only cyber insurance covers cyber attacks. General liability, professional indemnity and material damage policies do not.
What happens when I make a claim?
Should you come under attack, it is imperative that you call your broker immediately. They will notify your insurer directly and aim to get an IT specialist to you ASAP. Don’t pay any ransom, as the criminals have likely already damaged your data and won’t be able to restore your system anyway.
All claim handling follows a similar structure, outlined below.
- Contain the crisis: includes notification, triage and forensic investigations to identify the problem and how to fix it, restoration of systems to prevent another attack, legal support, and loss assessment to uncover the extent of the damage.
- Manage the incident: forensic investigations to identify the breach and its cause, data restoration, PR management, communications with affected third parties, assessment of business interruption losses.
- Resolve the incident: review security and make improvements, monitor credit, resolve third-party claims, determine and settle business losses.