Cyber ransom is very common worldwide and increasingly prevalent as a business risk in New Zealand.

Cyber Ransom: A Very Real Business Threat

Cyber ransom involves a hacker accessing a computer system and then threatening to stop it functioning or to release private information unless a ransom is paid. The hackers can be criminals or, in some cases, state actors.

There are at least two recent publicly disclosed examples of cyber ransom, involving a hospital (release of medical information) and a transport agency (compromise of card top-up). There are many private examples of theft or immobilisation of data or services that don’t receive publicity.

What To Do If Impacted by Cyber Ransom

The Department of the Prime Minister and Cabinet has recently (April 2023) provided some very useful guidance on how to deal with cyber ransom payments:

  • Report the hack to the Police, as it is a criminal act, and contact CERT NZ (Computer Emergency Response Team), a government agency that provides advice on ransom responses.
  • The government position is that government departments should not pay ransoms.
  • For private individuals and organisations, the risks need to be thoroughly assessed.
  • For example, payment may not remedy the problem, get the system functioning or get the data back, and may encourage further attacks.
  • Potentially, payments may breach international sanctions which could have implications for those operating in offshore markets.
  • Of immediate concern is the impact of the Privacy Act 2020 on the release of personal New Zealand information. Basically, the Privacy Commission should be notified, and the steps required by the Act followed through to remedy the situation or reduce the damage from disclosure.

Overall, prevention is key, and this is an increasing battle between the sophistication of the hackers and that of security systems. The CERT NZ website has helpful information on prevention; see www.cert.govt.nz.

What About Insurance?

Cyber insurance may be a partial backstop but because of the increasing risk, this kind of insurance is increasingly hard to get, and premiums are rising. As with any insurance policy, one would have to look very carefully at what is and is not covered.

For legal advice on your current cyber security landscape, contact our technology expert, Richard Osborne, on 09 969 0153, or use the form below.