A clear pathway to Cyber Risk

Less than 10% of New Zealand companies buy cyber insurance; yet cyber risk is in the top three risks identified in any risk survey[1].

Why is there such a huge disconnect?

While everyone talks about cyber risk and the elderly being scammed, not many businesses fully understand their cyber exposure:

  • Cyber events are continually evolving. There are new threats every day.

  • There is increased exposure due to the Internet of Things (IoT) and Industrial Control Systems (ICS). 

  • All businesses are potential targets — from opportunistic individual scammers and complex and sophisticated organised criminal gangs.

  • Traditional insurance doesn’t offer proactive protection for cyber risk; from dealing with the risks to the resulting financial implications.

  • It’s not just business systems under threat, but firms’ reliance on the supply chain, which may include the Cloud.

  • The fallout from business interruption due to computer unavailability, or a privacy breach damaging a firm’s reputation and resulting in client losses, could devastate a business.

For many business owners, if cyber cover is not contractually required by third parties or funders, it may be viewed as non-essential.

Cyber exposure tends to become a priority only after an attack has occurred.

For those who do consider cyber risks, all too often we hear:

1.  Cyber insurance is too expensive.
2.  It’s an IT issue and our IT team has it under control.
3.  My computer has anti-virus loaded.
4.  All my data is stored in the Cloud.
5.  I’ve got back-ups.
6.  I’m low risk – why would I be a target?
7.  I don’t hold much private data.
8.  New Zealand companies aren’t under threat – no one cares about our information.

For the record: cyber insurance is not expensive given the extent of cover provided. 

No amount of IT security or anti-viruses will stop a targeted phishing attack or simple human error, and employees remain one of the most common causes of security breaches. The “Cloud” is also a target and back-ups can be deleted during a forensic clean-up. In fact, many hackers deliberately target back-ups for maximum ransom leverage.

Sadly, New Zealand companies are arguably more of a target as there is a perception that our cyber security is not what it should be.[2]

If your company has employees, holds customer information, and sell goods and services, you will hold private information and may be subject to New Zealand and international legislation to ensure protection of that information.

The truth is, the digital transformation of the global economy has dramatically changed the way we conduct business. Increasingly, companies rely on technology to run critical day-to-day business operations and this reliance can create a painfully disproportionate risk if something goes wrong. With great opportunity comes great risk.

So where to from here?

Most importantly, upskilling is vital. And so is asking the right questions. Boards have a moral and legal obligation to ensure good business practice when it comes to managing cyber risk. Questions need to be asked of senior management regarding risk management, readiness, governance and response. Assess the risks to your organisation and create policies and procedures to manage a cyber-attack, both before and after the event.

Consider cyber specific insurance as the final piece of the jigsaw. While policies and procedures will lessen the risk, nothing will completely prevent an attack. Insurance will help manage the financial and business consequences. With 24/7 access to an incident response team as part of your cyber cover (including IT, legal and forensic experts), the effect on your business will be managed and mitigated.

When it comes to cyber, there is no crystal ball. Every industry, every company, will be affected differently, and your business needs are unique.

How Aon can help

Aon is a leader in cyber risk consulting and insurance solutions. We offer a range of risk management solutions to help you understand and manage the cyber risks unique to your organisation.


Michael Twyman │ Aon New Zealand, Professional Risks │ michael.twyman@aon.com
Vanessa Cathie │ Aon New Zealand, Professional Risks │ vanessa.cathie@aon.com
Check out aon.co.nz/cyberrisk for more information.

[1] “Businesses under attack but few have cyber insurance” www.newsroom.co.nz 5 October 2018.

[2] “Kiwi businesses mistakenly believe NZ is safer from cyber-crime” nzherald.co.nz 8 November 2018.

This website contains general information only and does not take into account your individual needs or financial situation. It is important to note that limits, excesses, terms and conditions and exclusions apply to the products and services outlined on this website. Please refer to the relevant policy documents for details of cover, the provision of which is subject to the insurer’s underwriting criteria that apply at the time. Please contact us if you have any questions.