05 December 2017
by Patrick Learmonth

The Risks and What You Can Do

Quite how many businesses suffer cyber security breaches each year is unknown – there are headline reports in the press but the suspicion must be that the number reported is only a small portion of the number of breaches which occur.

Cyber security breaches are underreported largely because of the reputational risk and embarrassment which businesses may suffer in the market. Public liability and insurance considerations may often mean that businesses simply cannot publicly report breaches.

There is also no mandatory data security breach reporting required in New Zealand under any legislation such as the Privacy Act – although changes in this area are being discussed and developed.

So to a large degree we have to accept that the risks are real and that security breaches happen. Unfortunately, this means that decisions about how to protect a business are often poorly informed, but the risks are fairly easy to understand.

Cyber security breaches occur through a combination of human error, inadequacies of information technology systems and security, and third-party system attacks – by use of a variety of means loosely described as hacking, including malware, ransomware, data mining, penetration testing and various other viruses. Businesses use various security measures, including firewalls and security software, but security breaches still happen; the adequacy of these systems and protections suggests that the quality of staff training may be a large contributing factor. Recent Colmar Brunton survey results show that most New Zealand businesses do not provide adequate training or advice to staff about cyber security. (https://www.lawsociety.org.nz/news-and-communications/lastest-news/cybercrime)

Many attacks result from emails, apparently from existing clients and customers, which appear genuine but are not. There are still stories of unbelievable-offer emails being responded to, and these types of attacks have become more sophisticated and difficult to detect.

So what happens to a business that has been subject to a cyber security breach?

  • Company and client data may be polluted, destroyed, stolen and/or made publicly available;
  • There will be financial costs associated with client liabilities resulting from the data security breach;
  • The business itself will lose valuable property and incur costs in recapturing data, sanitising data files, hardware systems repairs, and security systems and staff training updates;
  • The business will suffer adverse and embarrassing publicity, causing a loss of client confidence and business goodwill;
  • Ownership, management and staff confidence and reputation will suffer;
  • The business will likely suffer financial loss.

Businesses will be at risk of client and customer claims for loss resulting from a cyber breach – data may be corrupted, lost or stolen and used for malicious purposes, including blackmail and to cause public embarrassment. Privacy Act liability may arise from simply not having properly secured personal information held by a business about clients, staff and customers.

So what can businesses do to protect themselves against cyber security breaches and resulting losses?

  • Clearly, staff education about system security and suspicious emails, and about the implications of a security breach, is hugely important;
  • Adequate and regularly updated cyber security systems are a must;
  • A response and risk management plan to deal with any security breach, including shutdown procedures, identification of the breach and damage caused, a publicity campaign et cetera; and
  • Have adequate and regularly reviewed insurance cover.

Cyber security insurance is available widely on the market. Very often these policies are sold as part of some wider crime insurance package available to businesses, covering staff and third-party fraud and other exposures including client/customer claims for data loss or corruption, business downtime, and systems review and repair costs. However, it would be fair to say that cyber risk insurance policies are still developing and not well understood in the market. As available technology evolves and the types of breaches become more apparent (and probably more complex), cyber insurance will develop and be better understood.

But as with any insurance, this is something of an ambulance at the bottom of the cliff. Adequate business and disaster planning and staff training are essential to prevent and minimise the problems associated with cyber security breaches.