Fewer than one in 10 New Zealand businesses are thought to have taken out insurance to help them deal with a cyber attack despite a rise in the number of businesses coming under fire.
Tanya Wood, a partner at law firm Duncan Cotterill who specialises in insurance law, said feedback from insurers was that uptake from commercial businesses was as low as 4 to 5 per cent and for small to medium-sized businesses it ranged from single digits up to 10 per cent.
"There is generally a lack of awareness from SMEs in particular. In the media there is lots of coverage around bigger attacks on larger institutions. There is very rarely coverage on the more regular attacks to small to medium businesses and what that risk looks like for them."
But she said the industries affected by cyber attacks were across the board, from panel beaters through to charities, banks and transport agencies.
"It is not just the larger corporates and most of the cost in responding is the upfront cost of IT specialists coming in and investigating the attack. Those costs are in the hundreds of thousands. Not many businesses can afford to self-insure that amount."
Wood said cyber attack insurance typically covered any losses from the interruption of the organisation being able to do business.
"It would cover loss of revenue while your system is down and you can't access it and would also generally provide first response cover which is sending an IT specialist to investigate what the cause of the attack was and to restore systems or data."
Some policies also included extortion cover that would respond in the case of a ransom demand.
"I know there has been some consternation around the ethics involved in extortion cover but I think in practice there are good technical ways the IT people can respond to the attack without resorting to a payment."
Wood said policies also typically covered third party liability - such as covering a fine the Privacy Commissioner might impose should personal data be accessed, or a defamation claim made by a person affected by their data being breached.
What it didn't cover was downstream losses or liabilities, which could include reputational damage resulting in a loss of customers or business. "By and large cover responds to upfront costs the business would otherwise have to foot themselves."
Wood said anyone who used computers in their business, sent out or received money as part of their business and/or worked remotely could be at risk from a cyber attack.
"Most businesses will send out invoices for payment or vice versa and hold personal or corporate information and rely on computer systems to operate their business."
Michael Moyes, a partner with Duncan Cotterill who helps businesses undertake risk assessments, said lockdown definitely made businesses more prone to an attack.
"Any organisations that had to pull together a working from home capability quite quickly that can mean there is a security vulnerability. The sheer amount of traffic increase since lockdown has meant we are perhaps easier targets."
Moyes said there were simple steps organisations could take if they were worried about a cyber attack.
"One of the best ways to try to minimise risk is training staff because a lot of the cyber security incidents that are being reported are low level standard phishing campaigns.
"Somebody is impersonating a legitimate organisation, they are coming in via an email that might look legitimate but there are usually tell-tale signs. Simply training people how to identify those campaigns and dodgy emails is really your first line of defence."
He said other steps like having good password practice and two-factor authentication were also a good idea.
"From a technology perspective it can be as simple as having software on all devices up to date so that the security around older software isn't your vulnerability."
He said investing more in security technology or outsourcing some of those aspects to an expert could mean an organisation benefits from a much higher standard of cyber security protection.
"Over the past few years cloud services have a lot more resource around protection. They will be investing in security a lot more than most NZ businesses can afford to. So in some cases they could be much safer."
Larger businesses that wanted to take more steps could also look at getting their systems and procedures audited to make sure they were adequate to protect data and ensure they had enough insurance cover.