Connected And Protected: Insuring Your Business Against Cyber Breaches

Article by Imran Ahmad

It was not long ago that a company’s cybersecurity plan was centred around the IT department, keeping internal networks protected and staying alert to malware and virus threats. Now, the risks have evolved: as companies have moved to more cloud computing solutions, Software as a Service providers and internet-enabled systems, they face more exposure to both internal and external risks. If your company has not identified your potential risks and implemented a comprehensive risk mitigation strategy that includes cyber insurance, you could be facing expensive consequences.

Who Connects to You?

Does your company use outside providers for software services, such as cloud computing, data analytics, HR or payroll software? How does a data breach or software failure at their end affect your business? Are you responsible to your clients or customers for a breach of someone else’s system? Review your vendor contracts for these services to ensure that you are indemnified for a breach of their security. There should also be clear language in the contract about how and when they must inform you of any breach so that you can take appropriate action to protect your business and your clients.

What Connects to You?

The Internet is no longer just about connecting computers to one another and hosting websites. The Internet of Things (IoT) is expanding rapidly, and there may be connected devices used in your day-to-day operations that you are not even aware of. Security systems, climate controls, driver tracking and other business tools use connectivity that makes them potentially vulnerable to cyber attacks. Some IoT devices have built-in security measures that protect privacy, while others may create risks for your company. Assessing these risks should be part of your overall cybersecurity strategy. Using “privacy by design” principles and conducting privacy impact assessments (PIAs) and threat risk assessments (TRAs) can help with your overall risk assessment and risk mitigation strategy.

How Can You Protect Your Business?

Cyber insurance is an important tool that can help to transfer some of the risks associated with cybersecurity. The types of costs that can be mitigated through cyber insurance include:

  • Legal fees: This includes running investigations, sending out notifications of a breach and working with regulators.
  • Investigations and recovery: Understanding what happened and how to quickly get back to normal operations can be a costly process.
  • Crisis management: You may need to engage public relations experts and crisis management consultants to manage the company’s reputation in the wake of a cyber breach.

Of course, insurers are always looking to minimize the chances that they will need to pay out on a policy. In order to keep your premiums as low as possible, it’s important to understand and reduce your risk level. Insurance firms may ask if you have reviewed your contracts with the providers of your IoT devices to guarantee that these devices have built-in security and confirm that you have included indemnity clauses. They will assess whether vulnerabilities in one IoT device will lead to vulnerabilities throughout your business and whether you have layers of technology or security in place to ensure that this cannot happen.

The insurers will use a questionnaire to make sure your risk profile is as low as possible so that you can get the best possible premiums. Have you implemented comprehensive pre-breach risk mitigation strategies that include board coaching, employee training, vendor contract management and cloud security? The more you can do to prevent a breach, the lower your cyber insurance premiums will be.

If you’re unsure where to begin, the cybersecurity team at Miller Thomson can help you to understand where your business may be exposed to cybersecurity risks and how to improve security and prevent breaches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Chubb Launches Proprietary Online Cyber Risk Index

Chubb, a leader in cyber risk assessment and underwriting, has launched its Chubb Cyber Index℠, a new interactive platform that showcases nearly two decades’ worth of Chubb’s proprietary commercial cyber claims data. The Index is designed to highlight a range of cyber threats based on an organization’s industry and size.

“We’re thrilled to offer businesses throughout North America this interactive capability to provide insight into real threats facing them on a daily basis,” said Bill Stewart, Division President of Chubb’s Global Cyber Risk practice. “The first step to protecting a business from a cyber attack is staying aware of what threats are most prominent to a company’s size and industry. Our Cyber Index will help users to better understand their exposures and manage risk before a cyber incident occurs.”

The innovative Index provides users with a simple and immediate means of identifying the leading cyber risks their business may face based on real-world examples of cyber attacks and data breaches. With a user-friendly interface, accessible via desktop or mobile device, users are able to set parameters unique to their company, and view historical trends based on type of threat, size of a company and which industry that company operates within.

“Chubb has nearly two decades of cyber claims data, which enables us to help clients gain insight into the types of events affecting their industries,” said Michael Tanenbaum, Executive Vice President, Chubb.  “That insight has helped us to monitor the evolution of the marketplace and understand various threats and how they impact different businesses, based on their profile.”

Along with delivering key intelligence to businesses of all sizes, the Index will be updated biweekly, and ultimately will deliver real-time data.

“As cyber risks evolve, Chubb will continue to focus and respond to the environment by its strong commitment to the industry and by providing best-in-class solutions to clients,” said Mr. Tanenbaum. “In the meantime, organizations of all sizes need to proactively assess current procedures in place to mitigate the risk from potential cyber-attacks, and ensure that their cyber insurance policy is structured to address any gaps.”

The Index is free to access and can be used at http://www.chubb.com/cybermedia.

About Chubb:
Chubb is the world’s largest publicly traded property and casualty insurance company, and the largest commercial insurer in the United States. With operations in 54 countries and territories, Chubb provides commercial and personal property and casualty insurance, personal accident and supplemental health insurance, reinsurance and life insurance to a diverse group of clients. As an underwriting company, we assess, assume and manage risk with insight and discipline. We service and pay our claims fairly and promptly. The company is also defined by its extensive product and service offerings, broad distribution capabilities, exceptional financial strength and local operations globally. Parent company Chubb Limited is listed on the New York Stock Exchange (NYSE: CB) and is a component of the S&P 500 index. Chubb maintains executive offices in Zurich, New York, London and other locations, and employs approximately 31,000 people worldwide. Additional information can be found at: chubb.com.

SOURCE Chubb

Cyber Cross-Jurisdictional Risks And The Impact Of GDPR: Europe

Article by Henning Schaloske, Kathrin Feldmann and Amrei Zürn

Companies that become a target of a cyber-attack may face global impacts. Cyber-attacks often cause cross-border and thus cross-jurisdictional data breaches as, for example, data is often stolen or illegally published from a company’s subsidiary in a different country.

An issue in such events is that each jurisdiction has different requirements regarding the notification of authorities and the subjects of the data breach. Companies have to establish in how many countries a data breach occurred and if there are special notification requirements with respect to the data subject and the national authorities. Further, targets of cyber-attacks may face difficulties estimating the amount of fines and penalties and third party claims since the relevant provisions vary from one country to another. In addition, each jurisdiction imposes different requirements on risk management.

Within the European Union, these different approaches will be harmonised on 25 May 2018 when the General Data Protection Regulation (“GDPR”) comes into effect. As a regulation, the GDPR directly applies in each member state and does not need to be transposed into national law. The GDPR contains provisions regarding data breach notifications, data protection management systems, fines and penalties as well as third party claims. Even though these provisions are partially stricter than national regulations, the GDPR’s advantage is that companies, in general, only have to consider this data protection regulation instead of, potentially, 28 individual domestic data protection laws in all member states. However, with respect to non-EU member states, companies will still face various data protection provisions.

Cyber cross-jurisdictional risks do not only occur in connection with data breaches. Internationally operating companies also face different regulations when it comes to general IT risk management and the prevention of cyber-attacks. In Germany, for example, pursuant to section 8a of the Act on the Federal Office for Information Security (“BSIG”), so-called operators of critical infrastructure, such as energy, transportation or telecommunication companies as well as insurers, have to take organisational and technical measures to avoid disruptions to the availability, integrity, authenticity and confidentiality of the information technology systems, components and processes that are essential for the functioning of the critical infrastructure they operate. Operators of such infrastructure have to prove to the German Federal Office for Information Security (“BSI”) every two years that they are meeting these requirements.

Since 3 November 2017, financial institutions have been obliged to meet special IT risk management requirements. The German Federal Financial Supervisory Authority (“BaFin”) published the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT, “BAIT”). The intention behind BAIT is to provide clarity for the executive boards of banking institutions regarding the banking supervisors’ expectations with respect to the secure design of IT systems and the associated processes. These requirements form a core component of IT supervision in the German banking sector. Financial institutions have to define a sustainable IT strategy outlining the institution’s objectives and the measures to achieve them. BAIT furthermore requires institutions to put in place information risk management, information security management and user access management. Similar regulatory requirements for insurance companies are expected to be published at the end of 2018.

Another significant cross-jurisdictional issue is the assessment of global litigation risks. It may be easier for a company to estimate its potential liability in a country like the United States, where cyber cases have already been the subject of legal proceedings, than in other countries such as Germany, where there is hardly any case law on cyber liability. What is more, companies cannot be certain whether or not cyber claims will be covered by a cyber policy. Since 2017, the German cyber market has grown significantly. However, German courts have not yet had to deal with cyber policies, and it is difficult to predict how a German court would decide in a cyber coverage dispute. Thus, for insurers and their insureds alike, it is important to continuously improve the legal certainty of the policy wordings as well as to understand, manage and allocate cyber risks appropriately between different types of cover, including, e.g., crime and general liability alongside the cyber policies. Last but not least, in the international cyber breach scenario, the interplay of local and master policies brings additional challenges, in particular in relation to non-admitted countries and the setup of well-functioning international insurance programmes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Source: Mondaq

Bell Canada alert prompts RCMP, privacy watchdog to investigate data breach

By David Paddon

THE CANADIAN PRESS

TORONTO - The RCMP has launched an investigation into a data breach at Bell Canada that appears to have compromised customer names and email addresses, but no credit card or banking information.

Media reports put the number at about 100,000 but RCMP spokeswoman Stephanie Dumoulin, at the police force’s national division in Ottawa, and the Office of the Privacy Commissioner said that they couldn’t disclose details.

“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” said the federal privacy watchdog’s spokeswoman Tobi Cohen.

Bell Canada’s representatives have alerted customers who were affected, but didn’t answer questions about how many customers were impacted, when the breach occurred, or if the data release was related to an earlier breach last year.

Bell also told customers that additional security, authentication and identification requirements have been implemented.

“When discussing your account with our service representatives, you will be asked for this additional information to verify your identity,” its emailed notice to customers said.

Katy Anderson, a Calgary-based digital rights advocate with OpenMedia, said she’s glad Bell is implementing additional security checks.

“However, this is the second time the company has been hit by hackers in eight months,” Anderson said in a phone interview.

Bell Canada revealed in May that an anonymous hacker had obtained access to about 1.9 million active email addresses and about 1,700 customer names and active phone numbers.

Anderson said that the public should realize that centralized data is vulnerable, by its nature.

“When a breach like this happens, which we’re seeing more and more, it’s always a good reminder to change your passwords, update your security questions with things only you would know, and consider using a password manager,” Anderson said.

Bell’s latest data breach follows several other high-profile hacks, including at credit monitoring company Equifax and car-hailing service Uber, though those companies did not immediately disclose the breaches.

The federal government is in the process of reviewing changes to the Personal Information Protection and Electronic Documents Act that would require companies to notify people in the event of a serious data breach.

But until those come into force, Alberta is the only province in Canada that has mandatory reporting requirements for private-sector companies.

Here are some of the trends, challenges and threats that await us all in 2018

By Joey | Security Boulevard 

We had an interesting year in 2017. If any trend is obvious, it’s that 2018 will continue to be interesting for the cybersec industry. How interesting? Here are the 18 trends that we think will be making the headlines and should be on your radar for 2018.

The Return of the Spam

In 2004 Bill Gates said that spam would be dead in 2 years. Over a decade later, things are still pretty bad. While we can stop greater than 99.95% of spam email, it’s the very few messages that do get through that are increasingly sophisticated and prey on user vulnerability. You used to get emails focused on Viagra and reclaiming lost fortunes. Now, the spammer is more interested in having you click a malicious link, giving up your password or triggering ransomware, and then doing the real damage from there.

Are we getting more spam today than ever before? Volumes are the highest they have been in a few years. More importantly, the spam we are getting, and the tiny amount that gets through, is much more dangerous.

Continued Growth of Socially Engineered Threats

We talk a lot about this one. Social engineering is the fastest growing area in cyber crime. From Q2 to Q3 2017, there was a 74% increase in phishing attacks.

Roger Grimes suggests that nearly 100% of attacks can be attributed to unpatched software and social engineering. “A single unpatched software program has at times accounted for over 90 percent of the web-based exploits” and the rest, save perhaps a single percent, goes to social engineering. There are predictions that Business Email Compromise (BEC) will hit $9 billion in 2018. It’s hard to know how accurate that prediction is, but BEC is a very serious and growing threat.

The Growth in Cloud and BYOD

An interesting trend in 2017 was a shift from urgency and fear in spam messaging to more social and rewards-focused scams. With the proliferation of BYOD, mobile and remote work, scammers realize that the value is in accessing the work network, rather than an immediate smaller payoff from an individual. By enticing you with an e-card or mail order bride, they can arouse enough curiosity via your private email to get into your business network. Watch for email and cyber security measures that protect devices and cloud networks, not only inboxes.

In a similar vein, as businesses continue the shift to the cloud and the traditional idea of a perimeter firewall falls away, businesses will look for new ways to secure their IT networks, such as email archiving solutions, encryption, URL defense, mobile defense and… training! The growing diversity in how and where employees access networks demands strong awareness and training with a people-first approach.

Ransomware

The last year saw several big ransomware attacks make headlines. Most of their damage to the affected institutions was in reputation, legal cost and confidence (though the attackers got their payout too). Two interesting drivers of this growth are RaaS (ransomware as a service), which lets unskilled cybercriminals launch attacks, and a growing underground economy.

Ransomware is also growing in concert with Phishing and social engineering, both big trends we are watching in 2018. It will also be interesting to see how cryptocurrency valuations impact ransomware growth.

Blockchain Security

Speaking of cryptocurrency, there has already been significant investment in blockchain as security technology. Guardtime, out of Estonia, claims to be the largest blockchain company by revenues (perhaps before the most recent sharp surge in cryptocurrency valuations), and has secured all of Estonia’s medical records using blockchain tech. Blockchain has the potential to eliminate passwords, provide advanced encryption, and create tamper proof infrastructure. This will be a fascinating area to watch in 2018.

Legislation

Governments will play a big role in the internet in 2018. Besides net neutrality and data privacy rights, in the EU the GDPR comes into effect in 2018. This will have a dramatic impact on the data policies of multinationals operating in the EU.

After Uber’s second data breach and lengthy delay in disclosure, it is only fair to expect the US to follow suit at some point and create a national legal framework. Then again, they have a lot on their plate at the moment (and it looks only to be getting busier). National legislation will help companies react more sensibly after attacks.

AI in Response to Social Engineering Attacks

A lot of the hope in curbing some of the email and cyber risk is being placed on AI and Machine Learning. Ideally, we can reach a “singularity-like moment” where our algorithms get so advanced that any attempted scam or attack is known well in advance. It’s very challenging – because social engineering and targeted phishing are where the challenge lies. Human error is probably the biggest source of risk today. Can AI stop human error? Here’s hoping.

Domain Spoofing and Suspicious Domain Registrations

In Proofpoint’s 2017 Q3 threat report they noticed an alarming 20 to 1 ratio of suspicious domain registrations to defensive registrations, with suspicious domain registrations growing by 20%. There are a lot of frightening numbers in there. They found malicious URLs up 2,200% in Q3, year over year.

There’s a lot in there to be frightened about; perhaps brands believe they have covered their defensive bases. Perhaps, as detection of malicious and spoofed URLs becomes faster and they are taken offline earlier, scammers are being forced to do more work (or find more ways to effectively automate it). Either way, spoofing and malicious URLs will be a serious threat for those unprotected, and will certainly make headlines in 2018 for the wrong reasons.

Data borders: Kaspersky, China, GDPR

2017 was an interesting year in cross border cyber security. Kaspersky got banned from UK government systems where sensitive information is present. And then late in the year Trump approved a federal ban on Kaspersky.

There are questions as to whether Kaspersky worked with or was compromised by the Russian government; at the bare minimum, it appears that sensitive data, such as material taken from the NSA, was being stored in Russia.

Along with other legislation, we expect more governments to begin looking at companies that export data out of its country of origin. “Data localism”, keeping data in local data centers, is already in place in Russia, China and Brazil.

Breach disclosure and other local requirements are also going to be a big concern in 2018. While data protection is a fast growing concern for many enterprises, the way in which disclosure requirements, “rights to be forgotten” and other legal requirements around data evolve will most likely be determined in 2018.

Cyber Warfare

We probably haven’t seen anything yet. Between apparent Russian meddling overseas, an expanding Chinese sphere of influence, and constant media reporting that the United States is on the brink of war with North Korea, who knows what kind of Cyber Warfare may break out, or what role it will play in more “kinetic” conflicts featuring drones, advanced missile systems, naval warfare and more. Of course, we could already be in the midst of this, with WannaCry apparently being sourced to North Korea.

Industry Specific Attacks

Scammers are increasingly targeting their attacks based on where the largest payout lies. These payouts are two-fold. The first is the single payout: finding large and accessible financial transactions. The second is the value of data.

The financial industry and heavy industrials have the large payout and transfers of funds. The Health industry has very valuable data. These industries will continue to see increasing amounts of attacks.

We’ve written extensively on health and security in 2017. We expect this trend to continue through 2018. One group reported that the majority of email purporting to come from a healthcare provider was fraudulent! All the while, among companies with over $1 billion in revenue, DMARC was properly deployed by only 2%!

Speaking of DMARC

While it might not be perfect, it is going to see mainstream adoption in 2018. It still has seen very low adoption rates in industries like banking, and when it is implemented, there are still often errors in implementation.
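The “errors in implementation” mentioned above are usually visible in the published record itself. As an added illustration (this script is not part of the Security Boulevard post), the following Python checks a DMARC TXT record for the most common deployment mistakes: a record that does not start with `v=DMARC1`, a monitor-only `p=none`, a `pct=` that applies the policy to only a fraction of mail, a missing or malformed `rua=` reporting address, a subdomain policy weaker than the main policy, and invalid alignment tags. The sample records and the `example.com` addresses in them are constructed for illustration; in a real check the record is the TXT value published at `_dmarc.<domain>` and would be fetched with a DNS lookup.

```python
"""Validate a DMARC TXT record and flag common deployment mistakes.

Added example, not code from the original article. The records in
SAMPLE_RECORDS are constructed for illustration; in a real check the
record is the TXT value published at _dmarc.<domain> (fetched via DNS).
"""
from typing import Dict, List, Tuple

VALID_POLICIES = {"none", "quarantine", "reject"}
KNOWN_TAGS = {"v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf", "fo", "rf", "ri"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names.

    Raises ValueError for a segment that is not a tag=value pair.
    """
    tags: Dict[str, str] = {}
    for segment in record.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        if "=" not in segment:
            raise ValueError(f"malformed segment {segment!r}")
        tag, value = segment.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> Tuple[str, List[str]]:
    """Return (requested policy, findings).

    Each finding is 'CODE: explanation'. An empty list means the record
    requests enforcement and reporting with no obvious gaps.
    """
    findings: List[str] = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "invalid", [f"SYNTAX: {exc}"]

    # RFC 7489 requires 'v=DMARC1' to be the first tag.
    if record.strip().split(";", 1)[0].strip().lower() != "v=dmarc1":
        findings.append("V_FIRST: record must begin with v=DMARC1; receivers discard it otherwise")

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"P_INVALID: p= must be none, quarantine or reject (got {policy!r})")
    elif policy == "none":
        findings.append("P_NONE: monitor-only; mail failing DMARC is still delivered")

    # pct defaults to 100; anything lower applies the policy to only part of the mail.
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        findings.append(f"PCT_INVALID: pct= must be an integer 0-100 (got {pct_raw!r})")
    elif int(pct_raw) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"PCT_PARTIAL: only {pct_raw}% of failing mail gets p={policy}")

    # Without rua= you receive no aggregate reports and cannot see who sends as you.
    rua = tags.get("rua")
    if rua is None:
        findings.append("NO_RUA: no aggregate report address; add rua=mailto:...")
    else:
        for uri in rua.split(","):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"RUA_SCHEME: report URI {uri.strip()!r} is not a mailto: URI")

    # Subdomains inherit p= unless sp= is set; a weaker sp= reopens the door.
    sp = tags.get("sp", "").lower()
    rank = {"none": 0, "quarantine": 1, "reject": 2}
    if sp in rank and policy in rank and rank[sp] < rank[policy]:
        findings.append(f"SP_WEAKER: subdomain policy sp={sp} is weaker than p={policy}")

    # adkim/aspf select relaxed ('r') or strict ('s') identifier alignment.
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ("r", "s"):
            findings.append(f"ALIGN_INVALID: {tag}= must be r or s (got {tags[tag]!r})")

    for tag in tags:
        if tag not in KNOWN_TAGS:
            findings.append(f"UNKNOWN_TAG: {tag}= is not a DMARC tag and will be ignored")

    return policy or "absent", findings


# Constructed sample records (illustrative addresses, not real DNS lookups).
SAMPLE_RECORDS = {
    "good": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=10",
    "wrong_order": "p=reject; v=DMARC1; rua=mailto:dmarc@example.com",
    "bad_uri": "v=DMARC1; p=reject; rua=dmarc@example.com; sp=none",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        requested, issues = check_dmarc(rec)
        print(f"{name}: p={requested}")
        for issue in issues:
            print("   ", issue)
```

Run as a script it prints each sample record’s requested policy and its findings; only the `good` record comes back clean. Note that a clean record is necessary but not sufficient: SPF and DKIM still have to be set up so that legitimate mail aligns, otherwise `p=reject` blocks your own messages, which is why the usual path is `p=none` with `rua=` reporting first, then `quarantine`, then `reject`.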

Quantum Computing

Long shot here, but could quantum computing be the savior of the industry? The simplest way I see it: if you could perform many times the calculations, wouldn’t more attacks be caught sooner? This will dramatically impact the development of AI (machine learning) and also speed up blockchain capabilities, all linked closely to the future of cybersecurity.

Hacked Therapy

Being hacked is a form of abuse. The trauma can have serious negative impacts on its victims. Leaked private pictures. Destroyed credit ratings. All kinds of privacy invasion. 2017 saw what might have been the first conference “supporting victims of cyber crime”. The trauma is enduring. Expect the conversation around cyber crime and mental health to become more prominent.

IoT Botnet Strike Disaster Looming?

IoT has long been discussed as a risk. Now it seems that botnets could be hiding on your connected devices. Mirai was one such example, spreading largely by logging in with factory-default settings such as default passwords. It doesn’t appear that botnets are going anywhere just yet.

Biometric Authentication Compromise

Could the trend toward biometric authentication result in a major breach? With Apple and Samsung both experimenting with and launching biometric authentication tools, there’s a lot of risk to be explored. Your partner or the person sitting next to you during a flight may not gain information relevant to your employer, but what are the limits? Could a major breach occur if a socially engineered attack was able to work around the constraints of biometric authentication? We might find out soon.

Simplifying Security

The complex technical environment that the security industry has known can make it seem pretty serious. While security skills are no longer confined to specialists, much of the available information about security is dense and technical, possibly putting off many of the users who organizations need to “know their stuff”. The reality of training and awareness is that we have to find the weakest links in the security chain and upgrade their stack (no pun intended). People need plain-English information on security. It’s an imperative that as an industry we communicate in plain English and ensure awareness, to avoid human error as much as possible.

The Clearer Business Case.

It’s not always clear how to calculate a cost benefit on email security. “while 85 percent of firms believe that the economic costs from cyber attacks will increase in the coming year, only 23 percent have adopted a strategic plan to address business risks”. In the near future, any BCDR or security contingency will be based on a risk assessment, much like an insurance policy.

That’s the gist of it.

We aren’t going to be bold in our predictions. Though perhaps one last bonus one is in order. We’ll go out on a limb and say that if you are reading this, your company is better off. You’ll probably take steps to invest in your cyber and email security, if you haven’t already. The fact that you’ve read to this point makes you aware. And for that, we believe that your 2018 will be a safe and happy year!


Read more great articles like this one at: Security Boulevard 

Crawford & Company (Canada) Inc. Grows Cyber Practice in Canada

Press Release:

TORONTO (November 27, 2017) – Crawford & Company (Canada) Inc. today announced that it has grown its global cyber practice with the addition of Neal Jardine, cyber practice leader, Canada. With the ever increasing risk of cyber-attacks and data breaches worldwide, and as part of a larger global cyber practice, Crawford & Company’s® established and effective cyber program is comprised of more than 100 accredited incident managers and adjusters throughout the world. As the sole cyber loss management partner for a number of international insurer clients and corporations, Crawford is a leading cyber claim management expert for the marketplace.

As a seasoned senior general adjuster with Crawford’s Global Technical Services (GTS®) division, Neal Jardine has more than a decade of experience, both domestically and internationally, adjusting property and casualty claims, including cyber losses. Leveraging his experience as a professional loss adjuster and academic credentials in computer science, Jardine possesses a unique set of skills and knowledge to effectively mitigate cyber losses. His technical understanding of network architecture, data management systems and their supporting technologies enables him to identify risks and best respond to client needs following a cyber incident.

“We are fortunate to be able to leverage Crawford’s global cyber team to bring to the Canadian market proven best practices in our cyber incident response model,” said Paul Hancock, vice president, Global Technical Services (GTS®), Canada. “Neal is well placed to develop our Canadian practice and access the technical resources of the delivery model.”

More details of Crawford’s global cyber risk program are available on the company’s website.

For more information, contact: Neal Jardine, Senior General Adjuster / Cyber Practice Leader, Tel: 416.957.5040, Email: Neal.Jardine@crawco.ca

For media inquiries, please contact: Gary Gardner, Senior Vice President, Global Client Development, Tel: 416.957.5019, Email: Gary.Gardner@crawco.ca

About Crawford®

Based in Atlanta, Crawford & Company (NYSE: CRD‐A and CRD‐B) is the world’s largest publicly listed independent provider of claims management solutions to insurance companies and self‐insured entities, with an expansive global network serving clients in more than 70 countries. The Company’s two classes of stock are substantially identical, except with respect to voting rights and the Company’s ability to pay greater cash dividends on the nonvoting Class A Common Stock (CRD-A) than on the voting Class B Common Stock (CRD-B), subject to certain limitations. In addition, with respect to mergers or similar transactions, holders of CRD-A must receive the same type and amount of consideration as holders of CRD-B, unless different consideration is approved by the holders of 75% of CRD-A, voting as a class.

More information is available at www.crawfordandcompany.com.
