Article by Imran Ahmad
It was not long ago that a company’s cybersecurity plan was centred around the IT department, keeping internal networks protected and staying alert to malware and virus threats. Now, the risks have evolved: as companies have moved to more cloud computing solutions, Software as a Service providers and internet-enabled systems, they face more exposure to both internal and external risks. If your company has not identified your potential risks and implemented a comprehensive risk mitigation strategy that includes cyber insurance, you could be facing expensive consequences.
Who Connects to You?
Does your company use outside providers for software services, such as cloud computing, data analytics, HR or payroll software? How does a data breach or software failure at their end affect your business? Are you responsible to your clients or customers for a breach of someone else’s system? Review your vendor contracts for these services to ensure that you are indemnified for a breach of their security. There should also be clear language in the contract about how and when they must inform you of any breach so that you can take appropriate action to protect your business and your clients.
What Connects to You?
The Internet is no longer just about connecting computers to one another and hosting websites. The Internet of Things (IoT) is expanding rapidly, and there may be connected devices used in your day-to-day operations that you are not even aware of. Security systems, climate controls, driver tracking and other business tools use connectivity that makes them potentially vulnerable to cyber attacks. Some IoT devices have built-in security measures that protect privacy, while others may create risks for your company. Assessing these risks should be part of your overall cybersecurity strategy. Using “privacy by design” principles and conducting privacy impact assessments (PIAs) and threat risk assessments (TRAs) can help with your overall risk assessment and risk mitigation strategy.
How Can You Protect Your Business?
Cyber insurance is an important tool that can help to transfer some of the risks associated with cybersecurity. The types of costs that can be mitigated through cyber insurance include:
- Legal fees: This includes running investigations, sending out notifications of a breach and working with regulators.
- Investigations and recovery: Understanding what happened and how to quickly get back to normal operations can be a costly process.
- Crisis management: You may need to engage public relations experts and crisis management consultants to manage the company’s reputation in the wake of a cyber breach.
Of course, insurers are always looking to minimize the chances that they will need to pay out on a policy. In order to keep your premiums as low as possible, it’s important to understand and reduce your risk level. Insurance firms may ask if you have reviewed your contracts with the providers of your IoT devices to guarantee that these devices have built-in security and confirm that you have included indemnity clauses. They will assess whether vulnerabilities in one IoT device will lead to vulnerabilities throughout your business and whether you have layers of technology or security in place to ensure that this cannot happen.
The insurers will use a questionnaire to make sure your risk profile is as low as possible so that you can get the best possible premiums. Have you implemented comprehensive pre-breach risk mitigation strategies that include board coaching, employee training, vendor contract management and cloud security? The more you can do to prevent a breach, the lower your cyber insurance premiums will be.
If you’re unsure where to begin, the cybersecurity team at Miller Thomson can help you to understand where your business may be exposed to cybersecurity risks and how to improve security and prevent breaches.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Article by Henning Schaloske, Kathrin Feldmann and Amrei Zürn
Companies that become a target of a cyber-attack may face global impacts. Cyber-attacks often cause cross-border and thus cross-jurisdictional data breaches as, for example, data is often stolen or illegally published from a company’s subsidiary in a different country.
An issue in such events is that each jurisdiction has different requirements regarding the notification of authorities and the subjects of the data breach. Companies have to establish in how many countries a data breach occurred and if there are special notification requirements with respect to the data subject and the national authorities. Further, targets of cyber-attacks may face difficulties estimating the amount of fines and penalties and third party claims since the relevant provisions vary from one country to another. In addition, each jurisdiction imposes different requirements on risk management.
Within the European Union, these different approaches will be harmonised on 25 May 2018 when the General Data Protection Regulation (“GDPR”) comes into effect. As a regulation, the GDPR directly applies in each member state and does not need to be transposed into national law. The GDPR contains provisions regarding data breach notifications, data protection management systems, fines and penalties as well as third party claims. Even though these provisions are partially stricter than national regulations, the GDPR’s advantage is that companies, in general, only have to consider this data protection regulation instead of, potentially, 28 individual domestic data protection laws in all member states. However, with respect to non-EU member states, companies will still face various data protection provisions.
Cyber cross-jurisdictional risks not only occur in connection with data breaches. Internationally operating companies also face different regulations when it comes to general IT risk management and the prevention of cyber-attacks. In Germany, for example, pursuant to section 8a of the Act on the Federal Office for Information Security (“BSIG”), so-called operators of critical infrastructure, such as energy, transportation or telecommunication companies as well as insurers, have to take organisational and technical measures to avoid disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components and processes which are essential for the functionality of the operated critical infrastructures. Operators of such infrastructure have to prove that they are meeting these requirements to the German Federal Office for Information Security (“BSI”) every two years.
Since 3 November 2017, financial institutions have been obliged to meet special IT risk management requirements. The German Federal Financial Supervisory Authority (“BaFin”) published the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT, “BAIT”). The intention behind BAIT is to provide clarity for executive boards of banking institutions regarding the banking supervisors’ expectations with respect to a secure design of IT systems and the associated processes. These requirements form a core component of IT supervision in the banking sector in Germany. The financial institutions have to define a sustainable IT strategy outlining the institution’s objectives and measures to achieve these objectives. BAIT furthermore requires companies to put in place information risk and information security management as well as user access management. Similar regulatory requirements for insurance companies shall be published at the end of 2018.
Another significant cross-jurisdictional issue is the assessment of global litigation risks. It may be easier for a company to estimate its potential liability in a country like the United States where cyber cases have already been the subject of legal proceedings than in other countries such as Germany where there is hardly any case law on cyber liability. What is more, companies cannot be certain whether or not cyber claims will be covered by a cyber policy. Since 2017, the German cyber market has grown significantly. However, German courts have not yet had to deal with cyber policies and it is difficult to predict how a German court would decide in a cyber coverage dispute. Thus, for insurers and their insureds alike, it is important to continuously improve legal certainty of the policy wordings as well as to understand, manage and allocate cyber risks appropriately between different types of cover, including, e.g., crime and general liability next to the cyber policies. Last but not least, in the international cyber breach scenario, the interplay of local and master policies brings along additional challenges, in particular in relation to non-admitted countries and the setup of well-functioning international insurance programmes.
By David Paddon
THE CANADIAN PRESS
TORONTO - A new report on cybersecurity trends says several industries will be on the defensive as criminals increasingly target gift cards, loyalty points and other non-cash transactions.
The 2018 Aon cybersecurity report said that airline, retailer and hospitality sectors will be under pressure to adopt more innovative ways to protect themselves and customers from points theft.
The theft of loyalty points creates a dilemma because it’s not yet clear how they’re covered by business insurance policies, Aon Canada’s Brian Rosenbaum said Tuesday.
“The question is: Who are they stealing from? And what are they stealing?” Rosenbaum said.
If the theft is considered a loss of something owned by the points provider, it might be covered by a fairly standard commercial crime policy.
However, if the theft is considered the loss of confidential information entrusted to the company by customers or business partners, it might be covered by a cybersecurity policy, a newer but increasingly common insurance.
“And maybe it’s neither, depending on how the policies are worded,” Rosenbaum said.
The multinational advisory firm said in its 2018 cybersecurity report that many industries, including those with points programs, will be expected to prove they’ve taken every reasonable precaution to address the risk of breaches.
In Canada, that’s a very elusive standard because it’s not yet clear what needs to be done.
“Do you have to have IT continually patching your system? Do you have to have monitoring and auditing in a very significant way? … Do we need to have a bug bounty program?”
So-called bug bounties, a way to reward ethical hackers who find bugs so they can be exterminated, have been used to good effect by tech companies.
Aon’s global report predicts that airlines, retailers and hospitality companies will also add bug bounties to their arsenal of cyber defences following the lead of tech companies and financial services providers.
Rosenbaum said Canadian companies have begun making inquiries but he doesn’t think bug bounties will become common in this country yet and for good reason: “I think there’s bugs in the bug bounty program.”
One impediment, Rosenbaum said, is that many companies don’t want to publicize their vulnerabilities but one of the motivations for ethical hackers is getting recognition for their accomplishment.
“My sense of it is that there has to be a better understanding of what the individuals get and the companies have to be clear about what they’re prepared to give … in order for these to be viable working relationships.”
The Wawanesa Mutual Insurance Company (Wawanesa), one of the largest Canadian property and casualty insurers, is launching a new portfolio of innovative cyber protection insurance products for Canadian homeowners and home-based businesses.
Effective January 1, 2018, Wawanesa will be one of the first major insurance companies in Canada to offer a personal cyber product on a mass market basis. The cyber protection portfolio, currently unmatched in its comprehensiveness, goes beyond any insurance offered today to meet individual consumers’ evolving needs and preferences. It includes protection for:
- Cyber-attack: recovery of data and restoration of systems that have been lost or damaged;
- Cyber extortion: payments and assistance in responding to demands to damage, disable, deny access to or disseminate content from devices, systems or data;
- Online fraud: coverage for scams that result in a direct financial loss to the policyholder; and
- Data breach: payment for services if third-party private person data entrusted to a household resident is breached.
“We’re committed to being an industry leader – and innovator – in providing coverages that help Canadians protect themselves and their digital connections,” said Keith Hartry, Wawanesa’s Chief Operating Officer. “As the world becomes more interconnected and criminals become both more invasive and sophisticated, we’re ready to safeguard anyone who operates a connected home device, stores information electronically and accesses data online.”
Modern life is full of cyber risks and many homeowners or home-based business owners don’t realize this until it’s too late.
According to Statistics Canada, cyber-crime grew by 30% in 2016. The cost to the Canadian economy is estimated between $3 billion and $5 billion a year.
“Cyber-crime is not only increasing, it’s getting much harder to stop,” added Hartry. “And Canadians are looking for solutions that protect them and ultimately provide peace of mind. And that’s what our portfolio is built to do.”
For information about the new cyber protection visit https://www.wawanesa.com/personalcyber/.
About The Wawanesa Mutual Insurance Company
Wawanesa Mutual Insurance is one of the largest property and casualty insurers in Canada with $3 billion in annual revenues and assets of more than $9 billion. Wawanesa Mutual, founded in 1896 with executive offices in Winnipeg, is the parent company of Wawanesa General, which offers property and casualty insurance in California and Oregon, and Wawanesa Life, which distributes life insurance products and services throughout Canada. With over 3,000 employees, Wawanesa proudly serves over two million policyholders through nine regional offices and 41 service offices in Canada and the United States. Wawanesa actively gives back to organizations that strengthen communities where it operates, donating well above internationally recognized benchmarks for excellence in corporate philanthropy.
SOURCE The Wawanesa Mutual Insurance Company
TORONTO (November 27, 2017) – Crawford & Company (Canada) Inc. today announced that it has grown its global cyber practice with the addition of Neal Jardine, cyber practice leader, Canada. With the ever increasing risk of cyber-attacks and data breaches worldwide, and as part of a larger global cyber practice, Crawford & Company’s® established and effective cyber program is comprised of more than 100 accredited incident managers and adjusters throughout the world. As the sole cyber loss management partner for a number of international insurer clients and corporations, Crawford is a leading cyber claim management expert for the marketplace.
As a seasoned senior general adjuster with Crawford’s Global Technical Services (GTS®) division, Neal Jardine has more than a decade of experience, both domestically and internationally, adjusting property and casualty claims, including cyber losses. Leveraging his experience as a professional loss adjuster and academic credentials in computer science, Jardine possesses a unique set of skills and knowledge to effectively mitigate cyber losses. His technical understanding of network architecture, data management systems and their supporting technologies enables him to identify risks and best respond to client needs following a cyber incident.
“We are fortunate to be able to leverage Crawford’s global cyber team to bring to the Canadian market proven best practices in our cyber incident response model,” said Paul Hancock, vice president, Global Technical Services (GTS®), Canada. “Neal is well placed to develop our Canadian practice and access the technical resources of the delivery model.”
More details of Crawford’s global cyber risk program are available on the company’s website.
For more information, contact Neal Jardine, Senior General Adjuster / Cyber Practice Leader. Tel: 416.957.5040 Email: Neal.Jardine@crawco.ca
For media inquiries, please contact Gary Gardner, Senior Vice President, Global Client Development. Tel: 416.957.5019 Email: Gary.Gardner@crawco.ca
About Crawford®
Based in Atlanta, Crawford & Company (NYSE: CRD‐A and CRD‐B) is the world’s largest publicly listed independent provider of claims management solutions to insurance companies and self‐insured entities with an expansive global network serving clients in more than 70 countries. The Company’s two classes of stock are substantially identical, except with respect to voting rights and the Company’s ability to pay greater cash dividends on the nonvoting Class A Common Stock (CRD-A) than on the voting Class B Common Stock (CRD-B), subject to certain limitations. In addition, with respect to mergers or similar transactions, holders of CRD-A must receive the same type and amount of consideration as holders of CRD-B, unless different consideration is approved by the holders of 75% of CRD-A, voting as a class.
More information is available at www.crawfordandcompany.com.
Specialist insurer Beazley has appointed Miki Ho as cyber risk underwriter. Based in the company’s Toronto office, Mr Ho’s focus will be on developing Beazley’s portfolio of cyber liability and technology risks for large enterprises in Canada.
Mr Ho joins Beazley from Allianz where he was a senior underwriter for cyber and professional liability risks, following previous underwriting and broking roles with a portfolio of clients in the financial institutions sector.
Paul Bantick, Beazley’s Technology, Media & Business focus group leader says: “We are excited by the opportunities we see to support Canadian businesses against the risks of cyber liability and data breach. With the cyber and technology risk landscapes changing rapidly and the number of data breaches unabated, the demand for cyber insurance products is growing strongly. With Miki having joined our team, we are well placed to take advantage of this growing demand and the opportunities that exist in the Canadian market.”
Phil Baker, head of Beazley Canada, adds: “Beazley is a market-leading provider of cyber liability, technology errors & omissions, and miscellaneous professional liability coverage, with a global team structured to deliver local solutions. Miki will play a pivotal role in delivering those local solutions to brokers and clients in Canada.”
Note to editors:
Beazley plc is the parent company of specialist insurance businesses with operations in Europe, the US, Canada, Latin America, Asia and Australia. Beazley manages six Lloyd’s syndicates and, in 2016, underwrote gross premiums worldwide of $2,195.6 million. All Lloyd’s syndicates are rated A by A.M. Best.
Beazley’s underwriters in the United States focus on writing a range of specialist insurance products. In the admitted market, coverage is provided by Beazley Insurance Company, Inc., an A.M. Best A rated carrier licensed in all 50 states. In the surplus lines market, coverage is provided by the Beazley syndicates at Lloyd’s.
Beazley is a market leader in many of its chosen lines, which include professional indemnity, property, marine, reinsurance, accident and life, and political risks and contingency business.
For more information please go to: www.beazley.com