Cyber Losses: A Serious Organizational Risk In The Modern World

Article by Brian Vail, QC

September 19, 2018, 2:21 PM EDT — Losses and costs relating to cyber liability incidents have escalated exponentially given that the world has become much more computer-dependent and technology is rapidly advancing. The losses suffered by organizations for cyber incidents that interrupt their operations as well as liability to third parties (customers, patients or others) have become commonplace. The question facing organizations today is not if they will suffer a cyberattack but when.

The world began rapidly changing with the Internet age. People and organizations are becoming increasingly involved with and dependent on computers, electronic data and data transmission. An increasing number of companies operate e-businesses and many organizations are moving toward a paperless workplace. An entire economy has grown up whereby individual consumers access various online services, disclosing their personal information in the process. That information may be shared across multiple connected platforms.

The Allianz Risk Barometer for 2018 indicates that the number of cyber incidents is increasing at an “almost breathtaking pace.” It ranks cyber risk to be the second most serious business risk for 2018, after business interruption. The number of incidents of cybercrime is growing at an alarming rate.

This includes the introduction of malware to an organization’s computer systems to disrupt computer-controlled operations and corrupt data. The use of ransomware, whereby an organization’s data is encrypted subject to it providing a ransom (monetary or otherwise) to the hacker, has become big business. AON notes that “driven by widespread use of mobile technologies, cloud computing, corporate bring-your-own-device policies, big data analytics and 3D printing, cyber has emerged as one of the fastest growing risks for governments and companies across the globe” and is “in some instances more pervasive than traditional exposures.”

In the United Kingdom alone, in 2016, 46 per cent of all businesses reported at least one cybersecurity breach, including 66 per cent of medium-sized businesses and 68 per cent of large businesses.

Many small and mid-sized businesses have a false sense of security that they are not big enough or do not possess information that would attract the interest of cyber criminals. However, the insurance industry suggests that 50 per cent of businesses report having been the victim of attack and 60 per cent of those struck are small and medium-sized businesses.

In Canada the average organizational cost of a data breach in 2016 was $6.03 million, up from $5.32 million in 2015, with an average cost of $278 per stolen record. Average notification costs rose from $120,000 in 2015 to $180,000 in 2016. The average costs of lost business rose from $1.99 million in 2015 to $2.24 million in 2016. These losses were caused 54 per cent by criminal/malicious attacks, 21 per cent by system glitches and 25 per cent by human error.

Thus, cyber claims are having and will continue to have a growing negative impact on the global economy. All organizations should be adopting strategies to protect themselves and minimize losses and planning to respond to such claims. Businesses should be reviewing their computer systems, training and monitoring staff and developing an incident response plan to prevent cyber incidents. They should also be reviewing and updating their insurance coverage to address the risks involved. Both prevention and response are not simply an IT problem. They require a team approach involving multiple departments and vendors (IT, management, human resources, public relations, an insurance broker and legal counsel).

It is as much a mistake for small or medium-sized businesses to ignore this issue as it is for large organizations, as a cyber incident may seriously impact or even bankrupt an unprepared organization.

They are becoming the most sought-after targets of cyber criminals.

Originally published in The Lawyer’s Daily

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Source: Mondaq

Ontario police warn of recent cyberattacks targeting local governments

By Michelle McQuigge

THE CANADIAN PRESS

A rash of cyberattacks on Ontario municipal governments in which hackers demand a ransom to unlock compromised systems has prompted the provincial police force to warn about what it describes as a recent trend.

Ontario Provincial Police didn’t disclose how many municipalities had been temporarily crippled by the incidents known as ransomware attacks, but at least two recently had their systems compromised and the mayor of one of them said he’s heard of multiple other cases.

In an advisory issued Friday, the OPP said it wanted communities to be aware of the spate of incidents.

“In recent months there have been several ransomware (hack/virus) attacks on businesses and municipal government offices within Ontario,” wrote the force, which did not respond to requests for further comment.

“The OPP does not support paying ransomware attackers, as it only encourages further criminal activity, and there is no guarantee that payment will restore the encrypted data.”

Police described a ransomware attack as one where a computer or network is infected with malware (software intended to damage or disable) that encrypts data on those systems. Those behind the attack then reveal that the information can only be retrieved with an encryption key, which commonly is only released upon the payment of a ransom.

The OPP said most such attacks are launched either through direct hacking into a vulnerable system or through phishing emails that urge users to click on files or links that then install the malware. Payment is usually demanded in Bitcoin or some other form of cryptocurrency, the OPP said.

That exact scenario played out earlier this month in Midland, Ont., according to Mayor Gord McKay.

On Sept. 1, officials discovered that many of the town’s servers had been compromised and locked down. McKay did not disclose exactly how much ransom was paid through an insurance company to the hackers, and said the cyberattack remains under investigation.

McKay said the attack crippled Midland’s financial systems, but said it was not as devastating as it may have been had it happened three months ago.

At that time, another ransomware attack on the nearby town of Wasaga Beach, Ont., prompted Midland’s officials to take out insurance to protect against such an incident, he said.

“We took a good regard as to what happened over there and said, ‘ok, no reason why it shouldn’t happen here … so let’s start taking precautionary measures,’” he said.

The town managed to isolate online systems related to fire, police, water and waste-water services before the hackers struck, the mayor said. There’s also no evidence to suggest information on taxation, human resources and other affected systems was disseminated anywhere after the attack, he added.

Officials in Wasaga Beach did not respond to requests for comment on the attack they experienced.

McKay said the decision to purchase insurance has proven beneficial and has helped the municipality recover faster than it might have otherwise. Access to the hacked systems has been provided over time, he said, and all the town’s systems are expected to be fully functional by next week.

The town’s experience suggests an emerging industry around cyberattacks has taken root, McKay said, adding he’s heard from municipalities both inside and outside of Ontario who’ve gone through a similar ordeal.

“It’s happening a fair bit out there, but obviously people don’t like to talk about it,” he said. “There’s an industry being built up about it, both on the bad guys’ side and also on the recovery side.”

Atty Mashatan, an information technology professor at Ryerson University, said worldwide malware attacks involving everything from hospitals to transit systems have given rise to a burgeoning industry.

She said there are numerous insurance offerings available to both businesses and individuals seeking protection from cybercrime. Like with standard insurance policies, she said packages vary considerably, adding the most comprehensive could cover the cost of legal fees incurred by potential lawsuits associated with security breaches.

But Mashatan stressed that the best insurance is sound security, adding both individuals and companies should cover off basics such as installing strong anti-malware and anti-virus protection as well as maintaining thorough offline backups of key information.

Common sense also has a role to play, she said.

“It has to do with the awareness of the individuals in your organization or in your household,” she said. “Don’t click on a link if you don’t trust it.”

McKay said the town of Midland had no choice but to pay the ransom demanded to reclaim its data, but such an approach finds little favour with Mashatan and the OPP.

The force urged victims of such cyberattacks to go to local police but also noted that ultimately it was up to those targeted to decide how to proceed.

“Companies and individual victims should address threats based upon the nature and severity of the threat and only after carefully considering the best interests of the individual or company’s employees, stakeholders and shareholders,” the force said.

Feds take aim at terrorist use of cryptocurrencies, prepaid cards

By Jim Bronskill

THE CANADIAN PRESS

OTTAWA - The federal government is proposing measures that take aim at shadowy payments made by terrorists and money launderers using virtual currencies and prepaid credit cards.

The planned regulations would help close loopholes in Canada’s anti-money laundering regime and address shortcomings pointed out by an international watchdog.

Virtual currencies, such as Bitcoin, are increasingly being used to commit fraud and cybercrime and to buy illicit goods and services in the darker corners of the internet, notes a federal summary accompanying the proposed changes.

“They allow for the rapid transfer of funds within or across borders, oftentimes without any intermediary, are generally characterized by non-face-to-face customer relationships, and can circumvent the physical ‘brick and mortar’ financial system entirely.”

The measures would impose new reporting obligations on people and businesses dealing in such cryptocurrencies.

Like more traditional money service businesses, they would have to register with Fintrac, Canada’s anti-money laundering agency, as well as keep track of virtual currency transactions of $10,000 or more.

Prepaid credit cards can be abused because it is difficult to trace the origins of money loaded to them, the government says.

Under the changes, prepaid cards would be treated like bank accounts, meaning issuers would need to verify the card purchaser’s identity, keep records and report any suspicious dealings.

The measures would not apply to gift cards tied to specific retailers or shopping centres.

The planned changes represent an attempt by regulators to keep up with the dawn of new financial technologies to deliver services more conveniently.

“While providing benefits to consumers, the new business models can complicate monitoring as well as make it more difficult for authorities to follow the money trail,” the federal summary says.

The overall goal is to ensure banks, money service businesses and others who provide access to the financial system know their customers and keep good records, the summary adds.

“Such information could assist in the investigation, apprehension and prosecution of money launderers and terrorist financiers.”

The proposals come as the RCMP makes the fight against money laundering “a key strategic priority” for its federal policing branch by “elevating the priority” of the crime, according to an internal memo released under the Access to Information Act.

Other proposed changes would:

- Require foreign money service businesses to report suspicious transactions to Fintrac, ensuring a level playing field with domestic businesses;

- Force financial institutions to confirm the accuracy of any new ownership information about companies as it comes in, a measure intended to prevent firms from hiding the identities of their true proprietors;

- Impose stricter record-keeping and reporting requirements on the life insurance sector, which has begun issuing mortgages and loans against the amount of a policy.

The government is accepting public comment on the planned measures until early September.

Cyber insurance market sees steady growth as awareness increases

By Modestus Anaesoronye | Business Day

Cyber attacks were once again in the spotlight in 2017, with increasing frequency and severity, offering plentiful opportunities for growth of insurance, especially in small and medium-sized companies, according to an A.M. Best report.

The WannaCry and NotPetya ransomware attacks and the Equifax data breach received significant media attention and affected millions of people and businesses. The NotPetya attack in particular highlights the growing business interruption exposure associated with cyber risks. Also, in October 2017, Yahoo! updated its 2013 data breach tally from one billion to three billion of its accounts, potentially making this the most substantial, most extensive cyber breach ever recorded.

These events highlight the vital need for cyber insurance, but the market is bifurcated. On the one hand, national accounts and Fortune 500 companies seem to be embracing the need to partner with insurers and brokers as a way to counter cyber risks.

Financial institutions and healthcare companies are acutely aware of their cyber exposures and are increasing their coverage. Average policy limits are rising, with some of the largest companies’ coverage towers above the half-billion dollar mark.

On the other hand, the take-up rate for small to medium-sized enterprises (SMEs) remains in the low teens, presenting an area where insurers would like to see growth.

In 2017, cyber packaged policies in force increased 28 per cent, some of which was due to the addition of affirmative cyber coverage to packaged policies. This increase is significant, but this is still something of a fledgeling business, and an increase of this magnitude, while material, does little to close the protection gap. However, interest from SMEs does seem to be gaining traction, and capacity from insurers is ample.

In the short term, despite the inherent challenges in managing aggregations and pricing, we believe the cyber insurance market presents a favourable opportunity for insurers. Demand is expected to grow due to the accelerating adoption of technology and the increasing awareness of cyber risks, especially among SMEs. Given the abundant supply of capital and the cautious growth strategies of insurers, we expect the overall exposure of the property and casualty industry.

However, as insurers expand their cyber offerings, they will need to be prudent in establishing underwriting standards and limits, and exercise appropriate risk management and mitigation measures to ensure that these exposures remain aligned with the company’s risk tolerances and appetites.

The extent to which an insurer grows its cyber business should also lend to a broader understanding of this relatively new risk and a company’s ability to aggregate, monitor, and manage its exposure in various scenarios. Data quality is a crucial factor when insurers provide information to regulators, other stakeholders.

Overall, cyber insurance take-up remains low, as SMEs remain complacent about these risks, under two assumptions: that hackers target only more prominent businesses such as Target or Home Depot or that they already have coverage under another policy when they might not. However, this sentiment and tepid interest in cyber insurance among SMEs may be changing, in light of the near daily reminders of cyber-threats, attacks, and breaches feeding social media.

Pricing is another factor, as more business owners see the cost benefits and also realize their vulnerabilities due to their interconnectivity with vendors, suppliers, and customers.

A data breach is only one factor in cyber risk; however, many SMEs may be underestimating business interruption risks, and the impact of business interruption on smaller enterprises could be much higher, as they may not be as resilient or diverse as national account clients.

Source: Business Day By Modestus Anaesoronye
Edited for ILSTV

Bank breaches highlight rise of cyber threats as new exploitation strategies emerge

Apparent attempts to extort two major Canadian banks highlight the increasing threat and variety of cyberattacks against major companies.

Attacks against BMO and CIBC-owned Simplii that compromised the information of up to a combined 90,000 Canadians, made public Monday, appear to be the latest in a number of high-profile ransom attacks. The attacks have the banks in damage control mode, prompting them to assuage client concern about the safety of Canadian accounts.

CBC reported that it received a letter from someone who said they demanded a $1-million ransom from the targeted banks.

The banks would not confirm the CBC report Tuesday. BMO said only that a “threat” was made, but it has a policy of not making payments to fraudsters, while Simplii was similarly cryptic, saying only that fraudsters may have electronically accessed some data, but that its practice is not to pay ransom demands.

Both banks said they took additional security measures after learning of the potential breach and would be directly contacting customers whose accounts may have been compromised. Royal Bank, Scotiabank and Toronto-Dominion Bank have said they have no indication they have been affected.

The apparent extortion attempt against BMO and CIBC’s direct-banking brand Simplii comes after a string of other high-profile pay-for-data attempts.

Recent examples include a failed attempt at Uber to pay off hackers, only for the company to later reveal that some 815,000 Canadians had their information compromised as part of a global attack, and the infamous cyberattack on cheating website Ashley Madison, which did not comply with hackers’ demands to close the website, resulting in the exposure of personal information of millions of users.

Smaller organizations are also falling victim to hacking payment scams, including the University of Calgary, which paid $20,000 to have its computer systems unlocked after a ransomware attack in 2016.

The risks are clearly on the rise, said cybersecurity expert Satyamoorthy Kabilan at the Conference Board of Canada.

“In terms of cyber incidents overall, whether it’s breaches, whether it’s these sorts of attacks, whether it’s standard ransomware, that’s skyrocketing.”

However, the incident involving BMO and Simplii varies from more standard efforts to either use the data itself to profit or to try and sell it to third parties, which makes it harder for companies to set up defensive plans, said Kabilan.

“Understanding tactics actually gives us an advantage in terms of defending ourselves, but if those are constantly varying, it starts putting up a few more challenges.”

Companies, especially banks, need to keep improving security efforts but also plan for resiliency and being able to respond in the event of an attack, he said.

“Companies have to wake up to the fact that there is no such thing as 100 per cent security in the cyber world. It’s a question of when and how bad.”

BMO and Simplii did the right thing in being quick to assure customers that their money is safe and that they’re working diligently to improve security, said Barry Waite, chair of the communications department at Centennial College.

Both banks said they’d directly reach out to affected customers and are co-ordinating with officials to respond to the incident and protect clients.

Demonstrating the safety of banking services will become increasingly important as they roll out more digital products, said Waite.

“This is important for the whole banking industry, demonstrating that as they increase technology, they’re introducing new apps, that they have the best security in place.”

The whole banking sector is looking to improve digital security in light of such threats, Scotiabank CFO Sean McGuckin said on a media conference call discussing its quarterly results.

“There’s a very open dialogue amongst financial institutions around cyber threats. So we are all quite open and learning and sharing from each other.”

BMO and CIBC’s Simplii warn fraudsters may have accessed clients’ data

Two of Canada’s biggest banks warned Monday that “fraudsters” may have accessed certain personal and financial information of up to 90,000 customers.

The Bank of Montreal said hackers contacted the bank on Sunday claiming to be in possession of the personal information of fewer than 50,000 customers and threatened to make it public.

“We became aware of unverified claims that customer personal and financial data may have been accessed by a fraudster,” said spokesman Paul Gammal in an emailed statement Monday, May 28, 2018.

“A threat was made. Our practice is not to make payments to fraudsters. We are focused on protecting and helping our customers,” he said.

The bank said it believes the attack originated outside Canada, but did not elaborate on the type of data they accessed.

Gammal said the bank is conducting a thorough investigation and is working with the relevant authorities.

The disclosure followed a warning from CIBC’s direct banking brand Simplii Financial that also said “fraudsters” may have electronically accessed certain personal and account information for approximately 40,000 Simplii Financial clients.

Simplii said Monday it learned of the potential issue on Sunday and has implemented additional online security measures such as enhanced online fraud monitoring, adding it is working with the relevant authorities.

Gammal said the potential breach at BMO appears to be related to the CIBC issue. Royal Bank, Scotiabank and Toronto-Dominion Bank said they have no indication they were affected.

Both BMO and CIBC said they will be contacting clients, and recommended that customers monitor their accounts and notify their financial institution about any suspicious activity.

“We are investigating to determine the validity of the claims and the type of the information that may have been accessed,” CIBC spokesman Tom Wallis said in an emailed statement.

Minister of Finance Bill Morneau has spoken to the chief executives of the affected institutions, ministry spokeswoman Jocelyn Sweet said.

“We are monitoring the situation closely with the Office of the Superintendent of Financial Institutions,” she said in an emailed statement. “The situation is being investigated by the institutions in collaboration with law enforcement.”

The Office of the Privacy Commissioner said Monday that both financial institutions have notified it about the issue.

“We are working with the organizations to better understand what occurred and what they are doing to mitigate the situation,” said spokeswoman Valerie Lawton in an email.

“At this point in time, we are in contact with the companies; we have not opened a formal investigation.”

Simplii said Monday that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account. It added that there is no indication that clients who bank through CIBC have been affected.

CIBC launched Simplii in November and absorbed the accounts of some two million President’s Choice Financial account holders. CIBC had provided the back-end banking services for PC Financial for nearly 20 years, but last August the bank struck a deal with PC’s parent company Loblaw to go their separate ways.

The potential data breaches reported by Simplii and BMO on Monday are the latest cybersecurity incidents involving Canadians.

Last fall, credit reporting service Equifax notified the public that hackers accessed or stole the personal data of 145.5 million U.S. customers and 19,000 Canadians. In January, Bell Canada warned some of its customers that their information, such as names and email addresses, had been illegally accessed in a data breach.

In November, ride-sharing company Uber said hackers stole names, email addresses and cellphone numbers of millions of riders. Uber in December said that 815,000 Canadian riders and drivers may have been affected as part of the worldwide data breach.

New federal data breach regulations which would require mandatory reporting of security breaches are set to take effect on Nov. 1.

The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible.” Previously, companies that had been hacked had been alerting the public on their own timeline.
