In an email obtained by IT World Canada, LifeLabs chief executive officer Charles Brown released a statement to customers on June 11, noting “I cannot change what happened, but I assure you that I have made every effort toward making change to provide you services you can trust.”
Here is the list of changes LifeLabs is introducing, according to the email:
Brown also wrote that the breach delivered LifeLabs a stern reminder that “we must continuously work to protect ourselves against cybercrime” and that “data protection and privacy are now central to everything we do.”
The update from LifeLabs comes on the heels of a report from data protection company Veritas that says public consumers are seeking apologies, fines and even prison sentences for CEOs who fail to protect their businesses. Forty per cent of consumers hold business leaders personally responsible for ransomware attacks businesses suffer, according to the Veritas survey, which interviewed roughly 12,000 consumers. Thirty per cent would demand the CEO be banned from running a company if it suffered a cyberattack. Twenty-three per cent of those surveyed want to send CEOs to prison for mishandling data.
Existing investor Valor Equity Partners led Series C round; largest ever cyber insurance funding round
SAN FRANCISCO — May 20, 2020 — Coalition, the leading cyber insurance and security company, today announced it has raised $90 million in equity capital to fuel its mission to solve cyber risk, and support its rapid growth and global expansion. Valor Equity Partners led the funding with participation from Felicis Ventures, Greyhound Capital, and Coalition’s existing investors.
The investment comes as the company’s customer base crosses 25,000 — a 600% increase from the prior year — making it one of the largest providers of cyber insurance and security in the United States. Coalition’s unique product offerings combine best-in-class insurance and proactive cybersecurity tools to help keep businesses safe. Cyber losses cost the global economy upwards of $1.5 trillion each year, and yet the majority of businesses are under-insured and under-prepared to manage and mitigate the risks of an increasingly digital world. Coalition is addressing this gap by providing no-cost cybersecurity tools to prevent losses, security and incident response services to contain them, and comprehensive cyber insurance to help organizations recover from failures and breaches.
“Cybersecurity isn’t a technology problem, it’s a risk management problem,” said Joshua Motta, Founder and CEO of Coalition. “Traditional cybersecurity technology such as firewalls and antivirus were designed to protect networks, not businesses. Coalition protects an entire business by offering cybersecurity-as-a-service without any additional hardware or software, security and incident response services, and comprehensive insurance cover of up to $15 million.”
The announced funding will help Coalition target three key areas:
Cybersecurity Access: once accessible only to national governments and large enterprises, Coalition will continue to make available, at no cost, state-of-the-art cybersecurity capabilities to small and midsize businesses. Coalition’s small and midsize policyholders experienced claims that cost an average of $160,000 — an expense that few businesses can afford to bear. “Businesses need more protection than traditional insurers can offer, including help preventing incidents from happening in the first place, and support during and after a crisis,” said Vivek Pattipati, Partner at Valor Equity Partners. “We believe Coalition will be as disruptive to the cybersecurity industry as it has been to the insurance industry.”
International Expansion: cyber risks know no boundaries, and Coalition plans to make its offerings available globally starting with Canada. “As the entire world becomes increasingly digital, Coalition has a tremendous opportunity to address the real risks that cyber poses across many markets,” said Pogos Saiadian, Partner at Greyhound Capital.
New Products: Coalition plans to develop additional insurance products to address a new range of threats technology brings to both tangible and intangible assets — many of which are not well covered by traditional insurance policies. “The future of cyber insurance is in integrated solutions to protect against cyber incidents across all asset types,” said Sundeep Peechu, Managing Director at Felicis Ventures. “Coalition is uniquely positioned to challenge the status quo of insurance by unraveling the complexity of modeling and pricing cyber as a peril.”
Antonio Gracias, Founder and CEO of Valor Equity Partners, said: “We view Coalition as a category-defining company that is fundamentally changing the way organizations engage with insurance. Coalition is one of the fastest growing insurance technology companies despite raising a fraction of the capital of its peers.”
In total, Coalition has raised $125 million in equity funding from investors, including Vy Capital, Ribbit Capital, Hillhouse Capital, Valor Equity Partners, and Greenoaks Capital, among others. All existing investors participated in Coalition’s latest round of funding.
Coalition is the leading provider of cyber insurance and security, combining comprehensive insurance and proactive cybersecurity tools to help businesses manage and mitigate cyber risk. Backed by leading global insurers Swiss Re Corporate Solutions, Lloyd’s of London, and Argo Group, Coalition provides companies with up to USD $15 million of cyber and technology insurance coverage in all 50 states and the District of Columbia, as well as CAD $20M of coverage across all 10 provinces in Canada. Coalition’s cyber risk management platform provides automated security alerts, threat intelligence, expert guidance, and cybersecurity tools to help businesses remain resilient in the face of cyber attacks. Headquartered in San Francisco, Coalition has presences in New York, Los Angeles, Chicago, Dallas, Washington DC, Miami, Atlanta, Denver, Austin, and now Vancouver and Toronto.
The acquisition combines Aon’s industry-leading investment in cyber security with Cytelligence’s unique technical expertise in incident response and digital forensics services to strengthen Aon’s cyber security client value proposition
CHICAGO, Feb. 4, 2020 /CNW/ — Aon plc (NYSE: AON), a leading global professional services firm providing a broad range of risk, retirement and health solutions, announced today the acquisition of Cytelligence Inc, a Canadian-based cyber security firm that provides incident response advisory, digital forensic expertise, security consulting services and cyber security training for employees to help organizations respond to cyber security threats and strengthen their security position.
The acquisition will help Aon expand its current coverages within the cyber market at a time when cyber claims are almost doubling year-over-year. The 2019 Cybersecurity Almanac published by Cisco and Cybersecurity Ventures predicts that cyber events will cost $6 trillion annually by 2021, as companies are digitizing most of their processes and are often operating remotely. Global cyber insurance premiums are expected to grow from $4 billion in 2018 to $20 billion by 2025. According to Aon’s 2019 Global Risk Management Survey, cyber-attacks were identified as a top ten risk facing organizations and are predicted to be one of the top three risks for organizations in 2022.
“As the number of network intrusions, data breaches, ransomware attacks, and similar threats continues to increase in both frequency and severity, expertise in cyber incident response becomes critical to organizations and insurance companies,” said J Hogg, CEO of Aon’s Cyber Solutions. “The Cytelligence team are deep experts in cyber incident response, ransomware mitigation, and cyber security training for employees, which will help cement our position in both North America and globally as an industry leader.”
Cytelligence will join the growing portfolio of Aon’s Cyber Solutions, which combines digital risk management services, security services, professional risk solutions, and a global risk consulting practice. This acquisition enhances Aon’s 2016 acquisition of Stroz Friedberg and now allows Aon’s Cyber Solutions to offer an even more holistic portfolio of services to clients from proactive security services, to incident response, to risk quantification and insurance broking.
“Together, we will deliver complete proactive solutions from risk assessment, cyber risk policy underwriting to secure insurance coverage to protect critical assets, to cyber breach response, effective and efficient cyber incident remediation, meticulous data collection and data preservation,” said Daniel Tobok, CEO of Cytelligence. “Put simply, everything that is connected to the internet can be compromised. Proactive companies and their Boards are preparing now with proactive actions with penetration testing, vulnerability assessments, security audits, and training of their employees.”
Cytelligence has offices in Toronto, Ottawa, New York, San Francisco and Miami. The firm employs professionals in cyber security and education, investigations, and forensic analytics. The firm was founded in June 2016.
Mr. Tobok will join Aon as the Canadian President, Aon’s Cyber Solutions.
About Aon
Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.
About Cytelligence
Cytelligence is a leading international cyber security boutique with deep expertise in Cyber Breach Response, Cyber Breach Investigations, and Digital Forensics. We are known for our technique: well planned, well executed and detail-oriented engagements. Our Offensive Security Consulting includes: Penetration Testing, Vulnerability Assessments, Security Audits, and Secure Development Lifecycle Management, including code reviews.
No country is immune from cyber attacks. But 2019 saw Canadian organizations victimized like never before.
Arguably the worst breach — not only in 2019 but one of the worst in Canadian history — was the theft of personal information on 15 million people in Ontario and B.C. held by medical test laboratory LifeLabs. This data included patient names, addresses, email addresses, login passwords, dates of birth, health card numbers and in some cases lab test results.
The second-worst breach was the theft by a suspected employee of information on all 4.2 personal banking customers in Quebec and Ontario of the Desjardins credit union.
Copied were names, addresses, birthdates, social insurance numbers, email addresses and information about transaction habits. Not stolen were passwords, identification questions or secret codes.
Getting a handle on how many data breaches there are in this country is getting better now that most organizations have to report them to the Office of the Federal Privacy Commissioner (OPC).
In November the OPC estimated the personal information of 28 million Canadians had been exposed in the first 12 months of mandatory reporting — and that didn’t include the LifeLabs breach.
Small wonder Ed Dubrovsky, managing director for incident response at Toronto-based Cytelligence, said “unfortunately it’s been an amazing year” — for attackers.
Among the publicly-reported incidents:
In August two people were arrested after a data breach at Quebec’s tax collection agency affecting 23,000 past and present employees at Revenu Québec. Most of the data were names and social insurance numbers. The province said an internal investigation showed the data wasn’t used for malicious purposes or sold to third parties;
Proof of the alarming new trend of ransomware being combined with data-stealing capability was evident when a Manitoba-based insurance company acknowledged it was hit by ransomware by a gang that threatened to release customer information unless it was paid;
Questions were raised about the dealings of some organizations with suppliers. In December the city of Hamilton, Ont., notified residents of a potential disclosure of their personal information through Alectra Utilities, which provides water billing service for the municipality. According to a news report an India-based subcontractor to Alectra had access to customer data it held, and there may have been other subcontractors whose staff could also see personal data. The incident raised questions of consent;
Nova Scotia’s privacy commissioner blamed the government for not doing enough security testing before making a new provincial Freedom of Information website live, allowing two people to hack the site in 2018 and make off with 7,000 documents including personal information of 740 people;
The U.S. increased pressure on Canada not to allow Canadian wireless carriers to buy wireless network equipment from Chinese manufacturer Huawei for security reasons. A decision will likely be tied to the outcome of a Vancouver extradition hearing for Huawei’s CFO and the detention by China of two Canadians;
To help improve the security maturity of small and medium-sized businesses the federal government launched a cyber certification program. The hope is it will also increase public confidence in Canadian firms selling products online.
Dubrovsky sees some complacency in the attitude of Canadians and organizations. “We’re just accepting this is a risk,” as a result of the almost daily stories of breaches. “Unfortunately I don’t think there’s enough being done, still” by IT departments. “We don’t understand the threat actors are also ramping up both the damage they’re causing and the monetary demands.”
Clients to Gain Greater Insight into the Effectiveness of Cybersecurity Investments
Marsh, the world’s leading insurance broker and risk adviser, announced the launch of an enhanced suite of cyber risk quantification consulting capabilities that offer clients new insight into the impact of their cybersecurity investments.
The enhanced consulting capabilities are powered by Blue[i] Cyber, a new cyber risk analytics engine that integrates Marsh’s market-leading cyber risk quantification models with X-Analytics, Secure Systems Innovation Corporation (SSIC)’s patented cyber risk model for which Marsh is the exclusive insurance broker and risk consulting provider.
With these enhanced cyber risk consulting capabilities, Marsh clients for the first time will be able to quickly and easily:
Evaluate the effectiveness of cybersecurity controls and prioritize risk mitigation accordingly.
Engage in data-driven “what-if” scenarios to evaluate existing and future cyber investments.
Evolve cybersecurity from technical jargon to a board-level conversation.
Meet cyber risk disclosures and reporting requirements more easily.
Use financial analysis of cyber risk exposure to inform their risk management strategies, including risk mitigation and risk transfer decisions.
“Although cyber often ranks high on risk agendas, many organizations struggle to understand how their cybersecurity strategy impacts their financial exposure to cyber risk,” said Reid Sawyer, US Cyber Risk Consulting Practice Leader, Marsh. “With Marsh’s enhanced quantification consulting capabilities, clients will be able to gain greater clarity into the impact their cybersecurity investments have on risk reduction and make more informed cyber risk capital allocation decisions.”
The enhanced cyber risk quantification consulting capabilities powered by Blue[i] Cyber are immediately available in the US, Canada, and Europe.
Marsh is the world’s leading insurance broker and risk adviser. With over 35,000 colleagues operating in more than 130 countries, Marsh serves commercial and individual clients with data driven risk solutions and advisory services. Marsh is a business of Marsh & McLennan Companies (NYSE: MMC), the leading global professional services firm in the areas of risk, strategy and people. With annual revenue approaching US$17 billion and 76,000 colleagues worldwide, MMC helps clients navigate an increasingly dynamic and complex environment through four market-leading businesses: Marsh, Guy Carpenter, Mercer, and Oliver Wyman.
In the past decade, there have been several reports of cybersecurity attacks and data breaches to large corporations.1 In many cases, those affected by the breach want to hold the directors and officers accountable, as they feel the corporation failed to implement the proper security measures to prevent a breach from happening or did not effectively handle the aftermath of the breach. However, directors and officers generally enjoy limited personal liability subject to a few exceptions.2 Nevertheless, as more specific guidance emerges for directors and officers handling cybersecurity issues, the scope of this liability may widen.3 Thus, directors and officers should not take comfort in the substantial barriers that prevent them from being held liable for issues relating to the organization.4 In fact, despite these substantial barriers, shareholders continue to pursue derivative actions against directors and officers.
This article will discuss the scope of personal liability directors and officers face relating to cybersecurity breaches, and recent actions pursued against directors and officers in Canada and the US. Following the article, key takeaways will be provided.
Scope of liability
Cybersecurity poses a significant threat to directors and officers as cyber threats continue to emerge, and the rules and regulations that guide cybersecurity continue to evolve. Directors and officers may be held liable in the event of a cybersecurity attack if they are found to have breached their duty of care or have failed to comply with any disclosure requirements. Moreover, directors and officers can be personally liable where a company fails to comply with Canada’s Anti-Spam Legislation (CASL).5
Directors and officers have a duty to exercise reasonable care and diligence, both at common law6 and under corporate statutes.7 Failure to oversee the company’s cybersecurity measures adequately, before and after a breach occurs, could be considered a breach of this duty.8 Moreover, failure to comply with federal and provincial disclosure requirements after a breach could lead to liability for secondary market misrepresentation.9
Therefore, having an appropriate response or compliance plan, and effective security measures to protect the company against future cyber threats is essential. This will help support any claim by a director or officer that all requisite care and diligence was met, and all regulations were complied with.10
Lastly, directors and officers can be held personally liable and receive fines where the company has violated CASL. Penalties for non-compliance with CASL carry a maximum fine of CA$1 million for individuals and CA$10 million for organizations.11 Moreover, directors and officers can be vicariously liable for non-compliance of an organization even where the regulator, the Canadian Radio-television and Telecommunications Commission (CRTC), does not pursue the organization. In fact, the CRTC has made a public statement that directors and officers cannot hide behind their company’s structure or online entities to avoid liability.
Derivative actions in Canada and the US
Currently, there have not been any attempts at a lawsuit against directors and officers in relation to cybersecurity in Canada.12 However, given the number of derivative actions commenced in the US, it is possible that it could give rise to such claims in Canada. The US has seen several derivative action suits against directors and officers relating to cybersecurity over the past few years.13 All but one have been unsuccessful, largely due to technical and procedural reasons. However, in January 2019, a derivative action lawsuit settled for US$29 million, compensating the plaintiffs significantly.14 This is the first time shareholders have been awarded monetary damages for a breach-related derivative lawsuit. This settlement could spark the beginning of successful derivative action lawsuits, and inspire others to pursue civil actions against directors and officers for cybersecurity breaches. Moreover, this settlement can be used as a benchmark in future civil actions when deciding on the amount to be awarded. Effectively, this settlement may not only affect civil actions in the US, but also allow derivative actions to gain traction in Canada.
Penalties for violation of Canada’s Anti-Spam Legislation
More recently, the CRTC has held directors and officers personally liable for a company’s violation of CASL. On April 23, 2019, the CRTC found that a coupon marketing company, nCrowd, had violated CASL, and found the former CEO of the company to be personally liable.15 As a result, he received a CA$100,000 fine. Further, a different company that was also part of this scheme with nCrowd had also violated CASL, and the CRTC held this company’s CEO vicariously liable for the violation. As a result, he received a fine of CA$10,000. Ultimately, liability under CASL can extend beyond the corporation if the person authorized, acquiesced or participated in the commission of the violation.
Directors and officers should familiarize themselves with all regulatory guidelines to protect the company from a data breach and to avoid being personally liable for the breach;
D&O liability insurance does not always offer protection for cyber-related incidents or threats. It is important to confirm whether this is protected and the scope of protection provided. Not having proper protection could expose directors and officers to liability and significant payouts;
There have been no derivative action attempts relating to cybersecurity breaches in Canada, but given the current climate in the US, it is possible this will encourage such claims to occur in Canada; and
Directors and officers can be held either personally or vicariously liable for a company’s violation of CASL if that individual played some role in the commission of the violation.
Cybersecurity attacks and data breaches are inevitable and can happen to any organization, thus remaining a significant threat to corporate governance. While a cybersecurity attack is a crime, directors and officers may still be held liable for a breach if they failed to oversee the company’s security measures prior to the breach, or failed to take the necessary course of action after the breach occurred. Ultimately, boards of organizations must recognize the current cybersecurity environment that exists, and assemble a reasonable response plan to respond to these threats when and if they occur. Our final article will provide key takeaways and best practices for both insureds and insurers in relation to cybersecurity risks.
A special thank you to Emeleigh Moulton (summer student) for her assistance with this article.
Dentons is the world’s first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world’s largest law firm, Dentons’ global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com