Recent cyber attacks in New Zealand have demonstrated that all countries, regardless of size, face cyber risk. Leaders representing smaller nations might hold onto a false belief that the cyber risk faced by their countries is much lower than that of larger countries, such as the US or Japan. This belief may be born from of a low number of reported cyber events and associated news coverage within their country. But cyber really does pose a global threat. RMS’ Messrs Russell Thomas and Matt Harrison give an informed view.
The New Zealand Stock Exchange (NZX) was brought offline on 25 August 2020 due to a distributed denial of service (DDoS) attack from an unknown attacker - an attack repeated over five days, resulting in multiple intermittent market closures. The NZX has since partnered with an IT service provider (Akamai), whose content delivery network services have effectively defended against subsequent DDoS attacks.
Earlier this year, RMS monitored reports of cyber attacks in Australia, New Zealand and numerous countries across Asia - both DDoS and ransomware attacks - demonstrating that no nation or corporation is immune to cyber risk. This raises the question as to whether cyber security is being taken seriously enough in New Zealand and other countries in the region.
Cyber wake-up call
RMS has reviewed publicly available information about these cyber events, and we conclude that they are in-line with our current models of cyber risk. In other words, they are not ‘game-changers’, but they do serve as a useful ‘wake-up call’.
Making assumptions about a country’s cyber risk is dangerous; cyber risk is a true global peril because it does not have the inherent geographic constraints that are prevalent in natural perils (e.g., hurricanes, flood, fire, etc.). Even if they have not experienced cyber losses recently, all regions and countries are at risk.
Here are some of the reasons why this is a global risk, and applies to all nations:
- Increasing worldwide adoption of computers and automation: This increases the potential for economic loss due to cyber attacks
- Commonality of software: Across the globe, we all use and rely on similar software and technology. Therefore, a vulnerability is usually a global vulnerability
- Connectivity: The internet has helped us form a global economy, but also makes us open to attacks from anywhere. We are all connected, everywhere
- Threat actor adaptability and evolution: Cyber attack methods, tools and strategies that develop in one country or region can be adopted by threat actors in other regions, either by direct imitation or by ‘supply chain’ relationships
- Increase in government regulation, oversight, and legal sanctions
Because of these risk factors, the cyber insurance market is growing worldwide. In some countries, the forecast compound annual growth rate is greater than 20%. Cyber insurance market penetration has been greatest in the larger advanced countries such as the US, but it now appears that smaller countries such as New Zealand will be entering a rapid stage of growth and market acceptance.
Affirmative and systemic
A global threat needs risk modelling for all nations, and RMS has built a comprehensive global cyber model, designed to allow users to price affirmative cyber insurance risk as well as understand and measure the potential losses from a variety of systemic cyber events. Threats include attritional, large and catastrophic losses from data breaches, ransom/malware, cloud outages, DDoS, and financial theft. The model utilises our custom-built Cyber Incident Database, containing data on hundreds of thousands of cyber losses and events, as well as significant academic input, counterfactual analysis and scientific modelling.
To cover the growing global risk from cyber, the model has been specifically parameterised to support Australia, Japan, the US, Spain, Canada, the UK, Germany and France. But it can also accommodate other nations using pre-set options to establish a level of risk for an individual country as yet unparameterised. It allows adjustments to accommodate for changing legislation or different policy forms and conditions. With a fully customisable model, RMS is also able to work with clients individually to build a view to suit their needs.
With cyber risk on the rise in all nations, effective risk modelling can help to grow strong cyber insurance markets to build resilience to this global threat. A
Mr Russell Thomas is principal modeller, cyber and Mr Matt Harrison is director with RMS.