New Geneva Association & IFTRIP task force to address emerging cyber terror risks

The Geneva Association is launching a joint task force on cyber terrorism and cyber warfare with the International Forum of Terrorism Risk Reinsurance and Insurance Pools (IFTRIP). The special-purpose task force aims to conduct research on cyber terrorism risks across the re/insurance industry. Its initial findings will be published in mid-2020.

The launch of this new task force was announced at the IFTRIP 2019 International Conference in Brussels, Belgium. It will be led by Rachel Anne Carter, the Geneva Association’s Director of Cyber, supported by Julian Enoizi, CEO of Pool Re and Christopher Wallace, CEO of Australian Reinsurance Pool Corporation and president of IFTRIP.

TransUnion says data on 37,000 Canadians may have been compromised

TransUnion says someone fraudulently accessed data using a customer’s login credentials

The personal information of about 37,000 Canadians held by TransUnion may have been compromised this past summer, leaving both of Canada’s credit monitoring agencies with data blemishes on their record.

The TransUnion incident is much more limited than the high-profile data hack at credit monitoring agency Equifax Inc. in 2017, which exposed the information of 147 million people, including about 19,000 Canadians.

TransUnion said in a statement Wednesday that someone fraudulently accessed its data through the use of one of its business customer’s login credentials between June and July.

Company spokesperson David Blumberg said that while the investigation is ongoing, the company maintains that the fraudulent login was not a failure of its systems.

“The unauthorized access was not the result of a breach or failure of TransUnion’s systems or our customer’s system,” he said.

Canadian Western Bank (CWB) confirmed that the credit report data was accessed through an account at its leasing division.

“In August, we learned that CWB National Leasing’s account was illegally used by an unauthorized third party to perform unauthorized credit checks,” said company spokesperson Maya Filipovic.

She said no personal information held by CWB National Leasing was taken, disclosed or misused in any way.

Type of personal information accessed

TransUnion did not disclose what kind of personal information was compromised by the fraudulent login.

A credit check by a bank or lender could give access to an individual’s name, date of birth, current and former addresses, information on existing credit and loan obligations, credit repayment history and potentially their social insurance number.

TransUnion said it learned of the breach in August and has notified those whose information may have been accessed as well as the privacy commissioners.

The incident is the latest of numerous data breaches in recent years, including the Equifax breach. More recently, Capital One said in July that data of six million Canadians was hacked, including about a million social insurance numbers. Desjardins said in June that the data of about 2.7 million accounts was hit with a breach.

The problem is that no system is foolproof, said Hasan Cavusoglu, an associate professor of management information systems at the UBC Sauder School of Business.

“The reality is this is a moving target. Organizations are every day exposed to new type of attack vectors, new kinds of threat actors.”

He said customers have little choice but to have their data held with TransUnion and Equifax.

“As long as you do some kind of transaction, your data will inevitably fall into these companies.”

The two credit monitoring agencies collect a variety of financial data to help banks and other lenders figure out how reliably a customer might pay them back. The model means the agencies want to collect as much information as possible to clearly represent someone’s credit worthiness, said Cavusoglu.

While breaches are impossible to rule out entirely, major financial institutions like credit agencies have significant incentives to keep the data safe, he said.

“Reputational damage as a result of these kinds of attacks is tremendous, let alone other kind of maybe regulatory sort of penalties as well as some legal costs associated with it. So they don’t want that reputational damage.”

Chicago-based TransUnion continues to look for ways to strengthen its defences against unauthorized access of any kind, and supports customers in efforts to protect their data, Blumberg said.

Dispelling 5 Common Cybersecurity Myths

There’s a lot of existing advice and information on cybersecurity out there, but don’t fall victim to any of these common misconceptions that give you a false sense of security.

Myth #1 – All your vendors maintain appropriate security controls

The reality is, your organization’s security is only as strong as your weakest vendor. Vendors can create unforeseen vulnerabilities by not adhering to their own policies. When you first contracted with a vendor, their cybersecurity controls may have been sufficient, but are they continuing to comply with and update them in response to the changing cybersecurity landscape? In the past, each cyberattack would be looked at individually, but now they’re being linked together, creating a domino effect. Many of the large breaches we’ve all heard about can be attributed to a hacker compromising a vendor and leveraging that access to pivot and attack the vendor’s customers. Make sure you’re checking in quarterly or annually to ensure that your partner’s policies and procedures are up to date, reflect current practices and are being followed. Additionally, request that they provide a copy of their cyber insurance policy.

Myth #2 – Cloud services have built-in cyber protections

Almost every company utilizes cloud services in one form or another. The security team of a cloud provider is on the front lines of the internet’s most critical information security issues, and its domain continues to expand. Cloud providers have responded by operating under a shared responsibility model: the provider is responsible for the physical servers up through the configuration layer it exposes to users, while the user remains responsible for the data and services running on the virtual server, unless your contract states otherwise. It’s essential that organizations thoroughly understand their share of that responsibility and how best to use the security features the provider offers, so that the precautions needed to avoid an incident are actually in place. A hybrid security plan that covers both on-premises and cloud systems is critical.

Myth #3 – It’s possible to predict the next big cyber attack

Today’s headlines are full of cyber breaches that impact not only the companies that experienced the breach, but their customers and beyond. Though there’s a lot of dialogue around the devices, companies and systems that could potentially be attacked, there is no way to predict exactly when or where the next large-scale attack will occur. This is very similar to thinking we can predict earthquakes; despite monitoring seismic activity for patterns, there is no way to predict exactly when and where the next “big one” will occur. So how should businesses and consumers prepare for a cyberattack? If you lived in an earthquake-prone area you would purchase a house that is built to code, have emergency supplies and have earthquake insurance. Prepping for a cyber event is no different; you take precautions and put controls in place to mitigate your risk and reduce impact. Precautions include purchasing cyber insurance, implementing an effective cybersecurity program and developing incident response, business continuity, and disaster recovery plans. Insurance provides the peace of mind needed in the event of an attack and the support to help you get back up and running while reducing financial impact.

Myth #4 – What worked in the past is good enough

In this ever-changing cybersecurity landscape, traditional methods of securing your perimeter, protecting data and addressing privacy concerns are not enough. The main shift we’ve seen is more visibility into what actions a company is taking to reduce their risks. Cybersecurity cannot effectively operate in a silo; it’s the responsibility of every employee and department to incorporate security controls into their daily business operations. To do so, create a layered approach to securing both internal and external resources to properly address risk. Make sure you are increasing your security budget every year to continue to add to your infrastructure tools and ongoing training and education. Providing your team with continued education and new technology is critical in minimizing the risk and impact of a breach.

Myth #5 – My business is not a target

With the sheer amount of news coverage on large-scale cyber attacks, it can lead businesses to become numb to them and contribute to the notion that they’re not important enough to be the next target. In truth, smaller organizations are often a target because of the access they provide to a larger target. Acceptance of the fact that it’s generally a matter of when, not if, a cyber incident will occur is difficult for many companies to adjust to. In the past, breach prevention was the only goal, but today, having a security team that is realistic and accepts that a breach is likely will make them stronger and faster to respond. Companies will ultimately be judged on both the controls they had in place to prevent a breach and their response during and after an incident. Incorporating cyber insurance into your overall cybersecurity plan will not only provide peace of mind to your customers, but also help minimize the impact and downtime after an attack.

Managing Cyber Risk

Remain vigilant and protect your company with the most up to date cybersecurity and insurance options. Don’t fall for the myths or become numb to the countless news stories of breaches. As it’s commonly said, it’s not if your company will face a breach, it’s when.

Source:

Slice

Canadian banks look to in house hackers to improve and test cybersecurity

Hackers are targeting Toronto-Dominion Bank’s internal systems at all hours using cutting-edge techniques, but the bank’s head of cybersecurity isn’t losing sleep over them — they work for him, after all.

The bank established late last year an in-house “red team” of ethical hackers — cybersecurity professionals who attempt to hack a computer network to test or evaluate its security on the owners’ behalf — who conduct live attacks against its own networks continuously, said Alex Lovinger, TD Bank’s vice-president of cyber threat management.

“We’re doing it exactly how our adversaries would do it… So if we find a weakness or something like that, we can close it or address it before a real attacker,” he said.

Canada’s biggest banks are fortifying their defences by hiring their own ethical hackers to test their systems as the frequency and sophistication of cyberthreats increases.

A Senate report last month entitled “cyber.assault: It should keep you up at night” sounded the alarm about the potential consequences of major cyberattacks in Canada.

“While some progress has been made federally in the past year, there is much more that the federal government and Canadians must do to protect ourselves,” said the report of the Standing Senate Committee on Banking, Trade and Commerce. “We must take the appropriate steps now, or soon we will all be victims.”

Bank of Canada governor Stephen Poloz has also raised concerns about a cyberattack.

In 2017, 21 per cent of Canadian businesses reported that they were impacted by a cyber security incident which affected their operations, according to Statistics Canada. Banking institutions, not including investment banks, reported the highest level of incidents at 47 per cent, followed by universities and the pipeline transportation subsector, according to the agency.

New regulations that require Canadian businesses to alert their customers about privacy breaches or face hefty fines took effect at the beginning of this month.

In May, the Bank of Montreal and the Canadian Imperial Bank of Commerce’s Simplii Financial digital banking brand said thousands of their customers may have had their personal and financial data compromised.

BMO said hackers contacted the bank claiming to be in possession of the personal data of fewer than 50,000 customers, and that the attack originated outside of Canada. At the same time, Simplii also warned that “fraudsters” may have accessed certain personal and account information for about 40,000 clients.

BMO’s chief executive Darryl White said he could not comment on the details of the privacy breach, as an ongoing investigation is underway, but noted there was a “very immaterial impact from a fraud perspective” and no material financial fallout.

“We are a lot smarter as every event goes on. And there are events every day, there are events every hour of every day… It’s a continual improvement exercise,” White told reporters after the bank’s recent investor day.

Meanwhile, BMO is also turning to in-house ethical hackers to test their systems. According to a recent job posting, BMO is seeking a senior manager with a certification in ethical hacking and whose responsibilities include managing a team of “network penetration testing” specialists.

CIBC did not respond to questions about whether it utilizes ethical hackers.

“We leverage internal and external expertise, and work closely with industry and government to enhance cyber security resilience, threat intelligence and best practices,” a spokeswoman said in a statement.

Alberta-based bank ATB Financial in a recent job post said it was recruiting a “Senior Penetration Tester” with ethical hacking experience. An ATB spokeswoman said the posting is to fill a recently vacated role.

The Bank of Nova Scotia also established its own in-house “red team” of hackers to test its defences, said its chief information security officer Steve Hawkins.

“Scotiabank has used and continues to use third parties to handle this penetration testing. However, because the volume of global cyber threats has significantly risen, the Bank wanted to have its own capabilities in-house and created its own red team this year,” he said.

With the string of data breaches in recent years, what does worry TD’s Lovinger is the cumulative amount of data that has been exposed.

“Hackers now sit on a wealth of information… That they can now leverage to do more targeted attacks,” he said.

Royal Bank of Canada has had in-house ethical hacking capabilities for a few years now, as part of its cybersecurity program, said Adam Evans, the bank’s vice-president of cyber operations and chief information officer.

“We want to make sure that we are testing our defences to make sure they stay relevant,” he said.

RBC has been upping its cybersecurity budget and adding to its team annually. It now has roughly 400 cybersecurity professionals, up 50 per cent from three years ago, but a talent gap looms, Evans said.

Demand for talent in Canada is climbing by seven per cent annually and there will be more than 5,000 roles to fill between 2018 and 2021, according to Deloitte. By 2022, the cybersecurity workforce gap is expected to reach 1.8 million, it said.

As of October, there were 1,024 cybersecurity vacancies for every million Canadian job postings, up five per cent over the past year, according to Indeed Canada. That’s up 73 per cent since the beginning of 2015, said Brendon Bernard, an economist for the job search platform.

Meanwhile, several Canadian banks have made recent investments in research or capabilities abroad or in universities at home to tap cybersecurity talent. For example, TD opened a cybersecurity-focused office in Tel Aviv, Scotiabank announced a partnership with an Israeli cybersecurity company and RBC made an investment in research at Ben-Gurion University.

“With the talent gap in cyber, it’s something that organizations are going to have to address,” said Evans. “Because there is just not enough qualified people out there.”

Privacy concerns over credit card use for legal online pot purchases

Canada’s privacy commissioner is planning to issue guidance for buyers and sellers of legal cannabis amid ongoing concern about potential fallout, such as being barred from the United States, if transactions become known by third parties.

The concern has been heightened in provinces where anonymously paying cash in-store is not possible in light of a controversial Statistics Canada initiative to obtain detailed bank records from all Canadians.

“Our office recognizes the sensitive nature of cannabis-related transactions, particularly if information about those transactions is processed in a jurisdiction where cannabis consumption is not legal,” said Tobi Cohen, a spokeswoman for the federal privacy commissioner. “Organizations need to make it plain to individuals that their information may be processed in a foreign country, and that it may be accessible to law enforcement and national security authorities of that jurisdiction.”

British Columbia has already issued its own guidance and privacy-protection tips. For example, it notes that online sellers collect personal information such as name, date of birth, home address, credit card number, purchase history and email address.

“Providing personal information, especially through online formats, creates additional security risks,” the document by B.C.’s privacy commissioner notes. “Cannabis is illegal in most jurisdictions outside of Canada; the personal information of cannabis users is therefore very sensitive.”

Legal online purchases across Canada show up on bank statements in a variety of ways, depending on the retailer.

In Manitoba, for example, an order from the outlet Delta 9 shows up as “D9-2 -8675309 Winnipeg MB,” while purchases in British Columbia appear as “BCS Online Vancouver.” Those in Nova Scotia are recorded as coming from the provincial liquor corporation: “NSLC #2098/e-commerce Halifax.” Similarly, in Newfoundland and Labrador, orders register as “NLC #700 St. John’s N.L.”

In Ontario, where the only way to buy marijuana legally is online through the Ontario Cannabis Store using a credit card, transactions show up as “OCS/SOC.”

Jesse, 39, of Toronto, who’s in marketing and who asked his last name not be used, said he has mixed feelings about “OCS/SOC” appearing on his credit-card statement.

“I’m not crazy about being potentially profiled at the U.S. border because of a purchase that’s thrown up in my credit history,” Jesse said. “At the same time, I’m not losing sleep over it because there’s no precedent (for that) yet.”

In the pre-legal era, online outlets usually masked credit-card purchases, perhaps by using a generic notation such as “Organics,” and some still do so now. However, a spokeswoman for the Ontario Cannabis Store said such an approach doesn’t fly.

“As a legal business operating in Ontario, it is required that we operate with transparency,” Amanda Winton said. “This includes using our registered business name for payment services.”

Ontario’s privacy commissioner, Brian Beamish, said his office recommends redacting sensitive information in a case where, for example, a landlord might ask a prospective tenant for a credit card statement. Beamish also said a generic name used to record cannabis transactions could become widely known.

“The key issue here is the protection of bank information, whether it’s related to legal cannabis transactions or any other personal banking decision,” Beamish said.

Troy Patterson, who works with a licensed cannabis producer in Kincardine, Ont., said pot is legal and he wasn’t particularly worried about purchases showing up on credit card or similar statements.

“Now, if that info were to be weaponized against people, say for insurance or other purposes, that would be a huge issue,” Patterson said.

Feds take aim at terrorist use of cryptocurrencies, prepaid cards

By Jim Bronskill

THE CANADIAN PRESS

OTTAWA - The federal government is proposing measures that take aim at shadowy payments made by terrorists and money launderers using virtual currencies and prepaid credit cards.

The planned regulations would help close loopholes in Canada’s anti-money laundering regime and address shortcomings pointed out by an international watchdog.

Virtual currencies, such as Bitcoin, are increasingly being used to commit fraud and cybercrime and to buy illicit goods and services in the darker corners of the internet, notes a federal summary accompanying the proposed changes.

“They allow for the rapid transfer of funds within or across borders, oftentimes without any intermediary, are generally characterized by non-face-to-face customer relationships, and can circumvent the physical ‘brick and mortar’ financial system entirely.”

The measures would impose new reporting obligations on people and businesses dealing in such cryptocurrencies.

Like more traditional money service businesses, they would have to register with Fintrac, Canada’s anti-money laundering agency, as well as keep track of virtual currency transactions of $10,000 or more.

Prepaid credit cards can be abused because it is difficult to trace the origins of money loaded to them, the government says.

Under the changes, prepaid cards would be treated like bank accounts, meaning issuers would need to verify the card purchaser’s identity, keep records and report any suspicious dealings.

The measures would not apply to gift cards tied to specific retailers or shopping centres.

The planned changes represent an attempt by regulators to keep up with the dawn of new financial technologies to deliver services more conveniently.

“While providing benefits to consumers, the new business models can complicate monitoring as well as make it more difficult for authorities to follow the money trail,” the federal summary says.

The overall goal is to ensure banks, money service businesses and others who provide access to the financial system know their customers and keep good records, the summary adds.

“Such information could assist in the investigation, apprehension and prosecution of money launderers and terrorist financiers.”

The proposals come as the RCMP makes the fight against money laundering “a key strategic priority” for its federal policing branch by “elevating the priority” of the crime, according to an internal memo released under the Access to Information Act.

Other proposed changes would:

- Require foreign money service businesses to report suspicious transactions to Fintrac, ensuring a level playing field with domestic businesses;

- Force financial institutions to confirm the accuracy of any new ownership information about companies as it comes in, a measure intended to prevent firms from hiding the identities of their true proprietors;

- Impose stricter record-keeping and reporting requirements on the life insurance sector, which has begun issuing mortgages and loans against the amount of a policy.

The government is accepting public comment on the planned measures until early September.