ICNZ urges SMEs to revisit cyber risks

ICNZ urges SMEs to revisit cyber risks | Insurance Business

ICNZ urges SMEs to revisit cyber risks

The Insurance Council of New Zealand (ICNZ) is urging small-medium businesses to take another look at their cybersecurity, saying that managing these risks is the key to staying successful in a modern digital world.

According to ICNZ, the number of incidents reported to CERT has increased significantly over the last quarter – up 143% since Q1 2018. This is still only estimated to be a fraction of the actual number, as many cyber incidents go unnoticed or unreported, and this only accounts for the incidents that CERT is aware of.

ICNZ chief executive Tim Grafton says cyber insurance for small businesses has become more vital than ever before, especially given the ever-evolving nature of cyber attacks.

“All businesses ought to be identifying the full extent of their cyber risks, and relatively few SMEs are doing that at the moment,” Grafton told Insurance Business.

“When an SME thinks about cyber insurance, it will start them on the path of assessing just what risks they do have. Insurers can ask questions that go to the heart of what sort of information a company has on its databases, where its IT suppliers are and whether there’s a high sensitivity to security risks. It can assess whether they have large databases of private individual information, sensitive financial information, or anything similar, and then gauge where the gaps in security are and how big of a risk they’ll be underwriting. That’s a very useful exercise for the company itself, because they can then start to take some steps to mitigate those risks.”

Grafton says that once a company has insurance, there are three to four categories of assistance that the policy can then provide. In the event of an attack, it can draw on forensic investigators who will assist in identifying the damage done and how to rectify it. There will be legal advice on hand as well as crisis and reputational management, and it will also provide cover for all the costs incurred whether they be data recovery costs, loss of income, or costs of claims brought by third parties.

“Cyber insurance provides support before, during and after an event,” Grafton stated. “It has been around for about 20 years and is offered by some of the largest insurers in the world. We recognise that the types of attacks is rapidly changing all the time, but that’s not to say that the insurers aren’t following these things very closely.”

“One thing that would be very useful for underwriters is having access to aggregated data with regards to the types of intrusions that have occurred, and the levels of loss associated with that,” he continued.  

“Insurance is highly dependent upon good information to provide the ability to accurately price the underwriting risk. We have decades of information on flood damage and earthquakes, but with cyberattacks, we don’t have that long breadth of historic data available. The types of intrusions change from year to year, so access to aggregated data would be a helpful part of the government’s cyber strategy refresh, as it will help better inform insurance underwriting.”