The 10 cyber trends New Zealand businesses must consider in 2019

The ever evolving cyber risk landscape has led to an increasing awareness at senior management and board level of cyber exposures, and the need for it to be treated not only as a technology exposure but an overall enterprise risk.

The ever evolving cyber risk landscape has led to an increasing awareness of cyber exposures at senior management and board levels, and the need for it to be treated not only as a technology exposure but an overall enterprise risk.

The 2019 Global Risks Report confirmed that technological instabilities remain an elevated concern for businesses across the globe. Utilising data collated from 1,000 multi-stakeholder members who responded to the World Economic Forum ‘Global Risks Perceptions Survey’, this year’s Global Risks Report showed that “massive data fraud and theft” was ranked the number four global risk by likelihood over a 10-year horizon, with “cyber-attacks” at number five.

With this in mind, we’re pleased to be able to share with you our list of Top 10 cyber considerations and predictions for New Zealand businesses in 2019.

1. Creating a Strong Cyber Security Culture

A strong cyber security culture should not only focus on employee training to build awareness of common forms of threats (phishing emails, social engineering scams) but should also empower individuals to understand their responsibility and the critical role they play in protecting their company’s cyber risk management framework.

2. Cyber Coverage under Traditional Insurance Policies

There is growing attention from insurers regarding the provision of unintended ‘silent cyber’ coverage within non-cyber insurance policies. We are at a point in time where these policy wordings are being closely reviewed with a view to adding affirmative / non-affirmative language that clarifies instances where cover will / won’t be provided for a cyber event.

3. Increased Regulatory Requirements

In mid-March 2019, the Privacy Bill moved through New Zealand Parliaments’ Justice Select Committee, recommending that the Bill be passed. The purpose of the Bill is to promote and protect individual privacy by repealing and replacing the Privacy Act 1993.

Expected changes include mandatory reporting of privacy breaches, new offences and penalties, and issuance of compliance notices from the Privacy Commissioner. This local regulatory framework will align New Zealand with the rest of the developed world with regard to data protection.

4. Contractual Requirements to Purchase Cyber Insurance

There has been notable growth in the caution displayed by companies on how their business partners and suppliers handle sensitive and confidential information. Organisations, especially government associated entities are seeking to include a requirement for a contractor or supplier to hold cyber risk and data breach related insurance in their contracts.

5. Cyber and Business Interruption

All types of organisations, even if they do not hold large volumes of sensitive or valuable data, need to consider and account for potential risks associated with a cyber event rendering operating systems ineffective or inaccessible.

6. Blockchain

Within the insurance industry, insurers have traditionally been reluctant to provide coverage to this newer risk class. As the use of Blockchain and digital asset currencies grow, and governments establish protocols for regulating their use, we anticipate the insurance market will rapidly evolve to provide alternate risk transfer solutions to the corporate world.

7. IoT Devices Increase the Risk of Security Incidents

The vulnerabilities that exist in IoT devices are substantial, and there is certainly heightened awareness that cyber criminals will continue to target IoT devices as a gateway to larger computer networks. Despite these exposures, organisations can successfully position themselves to take advantage of powerful new technologies made available to IoT devices. This can be achieved by proactively identifying the potential risks exposures of using these machines, and implementing robust security policies, procedures and instilling a strong cyber risk culture to counter the potential cyber risks they carry.

8. Social Engineering Fraud 

This type of fraud doesn’t require sophisticated software or a high level of technical knowledge. It only takes a basic understanding of a company’s organisational structure and key employees, which can be found through a quick internet search. Given the relative ease of conducting social engineering fraud when compared with carrying out a sophisticated hack or targeted ransomware attack, it should come as no surprise that this form of cybercrime is expected to continue, and even escalate, this year. 

9. Changing Attitudes and Awareness

There has been a slow but changing attitude in the New Zealand business community that cyber risk is a real and serious issue. The geographic isolation that has long protected us from other global threats is a safety net that is no longer an excuse to hide behind when it comes to cyber risks. NZ business leaders are now actively tackling cyber risk and cyber security as an organisational issue as opposed to relegating this responsibility as solely an ‘IT matter.’

10. Less about Security, More about Resiliency

While decisions can be made to invest money in preventing cyber events from occurring, the nature of operating a company in today’s highly technological and connected world means that cyber risks will always be there. Therefore, the cyber security conversation should also include a focus on resiliency and a holistic approach to protecting your company, considering factors to both prevent an attack as well as ensuring that the organisation is equipped to respond and recover from one.