New Zealand businesses in the dark on cyber risks: report

Three-quarters of respondents in New Zealand show little confidence that business preparedness is sufficient to keep data secure and confidential in the event of a breach, suggests the Insurance Council of New Zealand (ICNZ).

Results of research released Thursday by ICNZ indicate that 76% of respondents believe New Zealand businesses are not well-prepared to manage computer hacking and keep data secure and confidential.

“It is estimated that cyber-related crimes has cost New Zealand businesses over NZ$625 million in 2011 and experts are warning that businesses are woefully underprepared for the increasing threat of cyber attacks,” ICNZ chief executive Tim Grafton says in a council statement.

Adding to the lack of confidence is an increase in cyber incidents in 2014 – for example, PwC reported in Managing cyber risks in an interconnected world last September that the total number of security incidents detected by the 9,700 security, IT and business executive respondents climbed to 42.8 million, an increase of 48% over 2013 – as well as the low take-up of available insurance.

Cyber insurance protection is available for Internet and network exposures to cover issues such as liability, intellectual property infringement, malicious code and viruses, business interruption, unauthorized access, theft, website defacement and cyber extortion, Grafton points out, but adds that take-up is low.

Of concern is that recent reports show 60% of all cyber attacks are aimed at small and medium-sized enterprises (SMEs), he points out. ICNZ data shows that “29% of businesses in New Zealand don’t have insurance at all, and a very high percentage will not have cyber insurance cover,” he reports.

Grafton further cites results out of the United Kingdom last week. The Marsh Ltd. figures show that 61.1% of respondents report their companies have made no loss estimate for the financial impact of a cyber attack, he says. In addition, only 16.6% of U.K. respondents say that cyber is one of the top five risks on their companies risk register, Grafton adds.

“Our guess is that the New Zealand equivalent statistics of this report would be even lower and many businesses in New Zealand won’t have a complete understanding of their cyber risk exposure and how they can minimize that,” he points out.

Marsh U.K. reported last week that large and medium-sized firms must do more to assess cyber threats. Many firms are failing to adequately assess their customers and trading partners for cyber risk, and are more vulnerable to cyber attacks themselves as a result, the company at the time in a press release.

Among other findings, 69.4% of respondents do not assess the suppliers and/or customers they trade with for cyber risk; 51.4% of respondents stated their particular organization has not been asked to demonstrate a competent standard of their IT security practices to their bank and/or customers; and while 52.8% of firms surveyed have or are seeking to buy cyber insurance in the next 12 months, only 11% currently have policies in place.

“Cyber risk management should be at the heart of the strategic decision-making process,” Stephen Wares, Marsh’s cyber risk practice leader for Europe, the Middle East and Africa, noted in a company statement last week. “Only with board-level support can companies take the big strides needed to advance their knowledge and perform the financial modelling required, to judge the value of the risk transfer options available on the market,” Wares cautioned.