August 7, 2016
As incidences of cyber crime increase, cyber liability insurance policies are becoming more popular in New Zealand.
But a leading cyber security expert warns organisations against jumping straight into buying cyber insurance.
BDO national leader for cyber security Leon Fouche says because of the lack of reliable data about trends, insurance companies are limited in their ability to develop robust risk modelling for the costs of cyber-attacks, resulting in restrictive terms and exclusions in policies.
A number of considerations need to be taken into account, including the level of exposure to risk, what records are at risk (personal records, for example, are at a greater risk as they are more valuable on the black market), the nature of the business and the types of cyber attacks possible.
“It’s more important to look at what’s not in the policy, than what is. It’s like any contract. You’re only going to get paid for what’s in the contract,” Fouche says.
Before choosing an insurance policy, organisations should do a comprehensive risk assessment, quantify those risks and then model the potential impact.
They should figure out who in the company is responsible for managing those risks, understand how effective current security systems are and work out what the appetite is to either pay an insurance premium, or accept the risk, Fouche says.
If a policy is selected, it is important for businesses to reassess their cyber risk regularly to make sure the policy stacks up.
BDO has recognised the changing cyber security landscape and lack of data and is conducting a new industry cyber security survey.