“She’ll be right”

Cyber crime and the “she’ll be right” Kiwi attitude

Cyber crime is not a new phenomenon. It can no longer be considered an emerging risk and the focus of these disruptions has shifted from large global corporations like Sony, Citibank or Saudi Armaco, to smaller organisations. It does not discriminate and knows no geographical boundaries. As individuals, business owners or Directors, we are none of us immune – so it begs the question, why is the uptake of cyber insurance in this country so poor?

There has been a distinct move towards targeting smaller businesses for financial gain, using a number of smart tools in order to do so. The smaller the business, the more effective the crime, as often, the business does not have the governance in place to identify and halt an illegal transaction until after it has happened.

The two biggest cyber crimes we have seen this year at Long Burroughs both involved very small businesses paying large invoices, supposedly to well-known third parties. All seemed well, until those third parties contacted the business chasing settlement of the invoices – at which point the businesses realised something was wrong. Weeks had passed by, and the funds were long gone.

“Invoice hacking” or “redirection” is the hardest form of cyber crime to detect and has the highest strike rate of success. The two aforementioned businesses had less than five employees and under $1,000,000 in annual turnover. The owners managed debit control themselves and in the absence of multi-factor sign off, the funds were paid to an alternative account. Unknown to the business owners, their emails had been hacked, real invoices secured, accounts amended, and re-sent to the business owner.

By the time the business owners realised the issue, time had passed – they had no recourse from their bank, the funds could not be saved or returned, and they still had the issue of the outstanding debts to third parties.

Both businesses had been made aware of cyber exposures and options presented to provide this cover. The premium for doing so was under $1,500 a year per business and would have provided indemnity for both losses – over $200,000 in losses in total, both material figures to these small businesses.

Despite stories like this, in New Zealand, the uptake of this cover is extremely low. Insurers have tried to incentivise uptake by offering low cost/stripped back cyber cover options to assist small businesses by being able to afford the purchase, with limited results. The issue seems to be one of attitude. The underlying New Zealand motto of “she’ll be right” combined with the misconception that small businesses are not the target, is a dangerous combination.

Cyber Liability policies offer much wider protection than just invoice hacking, covering losses arising from first and third party breaches such as, phishing scams, network lockout/interruption, data breaches and malware attacks.

Global surveys of Directors confirms cyber security as a top five concern, right alongside massive global issues such as climate change and inflation. The risk is real, and while difficult to quantify, can have a huge impact on businesses, regardless of size.