What New Zealand businesses need to know when taking out cyber insurance

After reaching record-high figures at the end of 2021, the number of cybersecurity incidents targeting New Zealand businesses continues to dwindle, the latest quarterly report from the government’s Computer Emergency Response Team (CERT NZ) has revealed.

The number of attacks reported to the agency decreased further by 14% to 2,001 between April and June compared to 2,333 in the first three months of the year, which saw a 41% drop from 3,977 in the previous quarter. Despite the sharp decline, CERT NZ reminded businesses not to let their guard down when it comes to cyber care.

Read more: Cyber safety now a valuable life skill

“On the surface, it might look like nothing much has changed, with incident numbers remaining steady and only a small increase in direct financial loss,” said director Rob Pope. “But it’s been another busy quarter across the threat landscape, and every incident reported has had an impact on people and businesses.”

Although the volume of cyberattacks went down, these incidents have resulted in higher financial losses, costing New Zealand companies a total of $3.9 million – a 5% rise from $3.7 million between January and March. Figures also show that about a fifth (19%) of all incidents have resulted in monetary losses.

What are the top cyber threats facing NZ businesses?

Phishing and credential harvesting remained the most common incident category, according to CERT NZ’s second-quarter report. This was followed by scams and fraud, unauthorised access, and malware.

From April to June, the agency has also observed a spike in scam calls where attackers pretended to be a bank employee, tricking recipients into sharing their financial information. If successful, this type of cybercrime allows hackers to access a victim’s bank account or their personal devices remotely.

“Attackers are constantly evolving techniques to try and catch people out,” according to the report. “In these specific scam calls, they use ‘phone spoofing’ software, which changes out the scammer’s actual phone number and instead shows a phone number of the scammer’s choosing – like a bank’s phone number – on the recipient’s caller ID.

“CERT NZ is aware of New Zealanders losing large sums of money to these types of scams, with some recipients experiencing these incidents more than once – this happens when scammers call back, pretending to be from the bank and offering help to recover from the previous scam.”

Here’s a breakdown of the top cybersecurity incident categories based on CERT NZ’s latest data landscape report:

1. Phishing and credential harvesting

Phishing and credential harvesting accounted for more than half, or 56%, of all incidents CERT NZ has responded to, making it the most reported category from April to June. The number, however, was a 19% drop from the previous quarter.

Read more: Phishing most frequently reported cyber scam – CERT NZ

2. Scams and fraud

Scams and fraud took up over a quarter, or 26%, of all cybersecurity incidents reported to the agency in the first quarter of the year. The majority of these incidents involved buying and selling goods. Dating and romance scams was the next biggest category, with the number of incidents steadily increasing in the past four quarters.

3. Unauthorised access

Incidents of unauthorised access increased marginally (1%) in Q2 2022. CERT NZ received 230 reports of such breaches, which occurs when an attacker gains access to an account, service, or device through vulnerabilities in software, or weak or stolen credentials.

4. Malware

After topping the list of the most reported incidents in the final quarter of last year, malware cases slid an astonishing 95% in the first three months of 2022 and a further 23% in the second quarter. The agency attributes the massive decline to the conclusion of the Flubot campaign, which wreaked havoc on businesses in the second half of 2021.

Read more: New Zealand sees surge in cyber fraud cases

What does cyber insurance cover?

With the rapid pace of digital transformation giving rise to unique and evolving cybersecurity challenges, the Insurance Council of New Zealand (ICNZ) is urging businesses to consider taking out a cyber insurance policy. The council reminds companies, however, that this type of coverage cannot replace due diligence and good cyber hygiene as the top line of defence against cyber threats.

Cyber insurance policies in New Zealand typically provide two types of protection, namely first-party and third-party coverage. Here’s what these different types of coverages pay out for.

• First-party coverage: This type of coverage pays out for the financial losses the business incurs due to a cyber incident, including the cost of responding to a data breach, restoring and recovering lost or damaged data, lost income resulting from business interruption, ransomware attack payments, and risk assessment of future cyberattacks. Most policies also cover the cost of informing customers about the incident and providing clients with anti-fraud services.
• Third-party coverage: This provides financial protection against lawsuits filed by third parties, including customers, employees, and vendors, for damages caused by a cyberattack on the business. Policies typically cover court and settlement fees, and regulatory fines.

“Some insurance policies also provide enhanced benefits such as a retained response team of IT, legal and public relations professionals, who are on standby to respond to an event as soon as it happens,” INCZ added.

The council pointed out, however, that “not all cyber insurance is the same.”

“The scope of cover offered by each insurer will be outlined in full in their policy wording,” it said. “As with any type of insurance, we strongly recommend you read and understand the policy wording before buying. If you have questions about the cover offered, you can seek advice from your broker or an independent legal adviser.”

Read more: Cyber continues to be most volatile insurance line in NZ – Crombie Lockwood

How much does cyber insurance cost?

According to the comparison website Finder, a company with an annual turnover of $1 million and has taken out $500,000 worth of cyber liability coverage can expect to pay about $2,000 in premiums annually.

The cost of a cyber insurance policy, however, is dictated by a range of factors, including:

• Size of the business: The number of staff a company employs has a major impact on cyber insurance premiums as this also affects the company’s risk exposure.
• Industry: Some sectors are more prone to cyberattacks than others. Apart from this, insurers factor in cases where the associated costs generated are sizable, such as those in the financial sector. Businesses belonging to these industries often pay higher rates.
• Amount and sensitivity of data: The number of clients a company has, the data that is collected from these customers, and the sensitivity of the information collected are all factors that influence the risk levels of the business, which have an effect on premiums.
• Revenue: Insurance providers typically perceive businesses that generate higher revenue to be at a greater risk of being targeted by cybercriminals. Because of this, these companies often pay more for cyber coverage.
• Cybersecurity measures in place: Cyber insurers often reward businesses that dedicate significant resources and efforts toward preventing cybercrime with lower premiums.
• Coverage type: To ensure that they have the right cyber protection, it is critical for businesses to assess the specific risks they wish to insure. The level of coverage a company needs can vary depending on its range of exposures.

Read more: How New Zealand businesses can safeguard against cyber threats

How can Kiwi businesses protect against cyberattacks?

To help prevent businesses from falling victim to cyberattacks, CERT NZ has published a guide, which highlighted how companies can protect their data, network, customer information, and reputation. Here are the 11 practical steps firms can take to keep themselves safe from cyber threats, according to the agency.

1. Install software updates. Keeping your devices and software up to date is one of the most effective things you can do to keep your system safe.
2. Implement two-factor authentication (2FA) to protect both your systems and your customers’ accounts.
3. Backup your data, so if your data is compromised in any way you have a backup or a copy available to restore it.
4. Set up logs to detect unusual activity and verify any strange business requests you get by phone if you’re unsure of them.
5. Create a plan for when things go wrong. If something goes wrong, you know what steps to take to keep your business running.
6. Update your default credentials that provide administrator-level access to a product, such as your website or new hardware or software.
7. Choose the right cloud services for your business, ensuring that the product or provider you choose can provide the services and protection you need.
8. Collecting only necessary data from customers helps to reduce your risk level and how valuable you are to an attacker.
9. Secure your devices with anti-malware software on any device that accesses your business data or systems.
10. Secure your network with the right firewalls to help control where connections go and limit access to the internet-facing parts of your network only to those who need it.
11. Manually check financial details before approving transactions. If you receive an unexpected request via email, call the person or company you’re dealing with to reduce getting caught up in online fraud or invoice scams.