Beazley Canada strengthens its cyber risk team

Specialist insurer Beazley has appointed Miki Ho as cyber risk underwriter. Based in the company’s Toronto office, Mr Ho’s focus will be on developing Beazley’s portfolio of cyber liability and technology risks for large enterprises in Canada.

Mr Ho joins Beazley from Allianz where he was a senior underwriter for cyber and professional liability risks, following previous underwriting and broking roles with a portfolio of clients in the financial institutions sector.

Paul Bantick, Beazley’s Technology, Media & Business focus group leader says: “We are excited by the opportunities we see to support Canadian businesses against the risks of cyber liability and data breach. With the cyber and technology risk landscapes changing rapidly and the number of data breaches unabated, the demand for cyber insurance products is growing strongly. With Miki having joined our team, we are well placed to take advance of this growing demand and the opportunities that exist in the Canadian market.”

Phil Baker, head of Beazley Canada, adds: “Beazley is a market-leading provider of cyber liability, technology errors & omissions, and miscellaneous professional liability coverage, with a global team structured to deliver local solutions. Miki will play a pivotal role in delivering those local solutions to brokers and clients in Canada.”

Note to editors:

Beazley plc is the parent company of specialist insurance businesses with operations in Europe, the US, Canada, Latin AmericaAsia and Australia. Beazley manages six Lloyd’s syndicates and, in 2016, underwrote gross premiums worldwide of $2,195.6 million. All Lloyd’s syndicates are rated A by A.M. Best.

Beazley’s underwriters in the United States focus on writing a range of specialist insurance products. In the admitted market, coverage is provided by Beazley Insurance Company, Inc., an A.M. Best A rated carrier licensed in all 50 states. In the surplus lines market, coverage is provided by the Beazley syndicates at Lloyd’s.

Beazley is a market leader in many of its chosen lines, which include professional indemnity, property, marine, reinsurance, accident and life, and political risks and contingency business.

For more information please go to: www.beazley.com

SOURCE Beazley

N.S. sends teen suicide expert to Cape Breton, promises new cyberbulling law

By Brett Bundale

THE CANADIAN PRESS

HALIFAX _ As a Cape Breton school board grapples with multiple teen suicides, the Nova Scotia government is sending a youth mental health expert to the grief-stricken community and promising new anti-cyberbullying legislation this fall.

Dr. Stan Kutcher, a Dalhousie University psychiatry professor, will travel to Cape Breton Monday to talk to families, schools, and the community about mental health concerns and what supports they need.

He is expected to report back to the province in the coming weeks.

The parents of a 13-year-old girl who took her own life on Father’s Day said bullying led to her death, and more needs to be done to protect other young people. They said their daughter, Madison Wilson, was subject to verbal abuse at school and through social media.

Premier Stephen McNeil said the province needs to have a broader conversation about bullying, especially online attacks.

“I can’t imagine how some of these young kids who are exposed to that are feeling,” he said Thursday. “We need to have a public conversation about what’s happening online. Our children can’t get away from it.”

McNeil said he hopes the province will engage the public in a broader conversation when it rolls out its updated anti-cyberbullying legislation.

Nova Scotia’s Cyber-Safety Act, the first law of its kind in Canada designed to protect victims of online harassment, was struck down in late 2015 after the province’s top court ruled that it infringed on Charter rights.

The law was passed in response to the death of Rehtaeh Parsons, a 17-year-old girl who was bullied and died after a suicide attempt.

Justice Minister Mark Furey said Thursday the recent suicides in Cape Breton, with at least one tied to cyberbullying, underscore the importance of the new legislation.

“We’re positioned now to introduce legislation this fall,” he said.

Furey said he hopes Kutcher, an expert on adolescent mental health, will be able to inform the province on what steps can be taken to support the community.

“Dr. Kutcher is a recognized mental health expert so his presence and participation in the discussion in Cape Breton will help the families, the school and the community deal with these tragic circumstances,” he said.

Darren Googoo, chairman of the Cape Breton Victoria Regional School Board, said this week the board is drafting a letter to the provincial Education Department with the idea of starting a dialogue on the issue.

“Our students are dealing with the trauma associated with the loss of a schoolmate and, going into the summer months, we want to make sure that we have a more co-ordinated approach with our provincial partners in health, in terms of providing services,” Googoo said.

Education Minister Zach Churchill said the province needs to “work together” to better understand the factors that contribute to teen suicides.

“We do have a collective responsibility to better understand these things, to learn from them and do our very best to improve the supports available,” he said. “We need to have an honest, open and frank conversation.”

However, it’s unclear whether additional resources, such as guidance counsellors or psychologists, will be made available.

In fact, Health Minister Randy Delorey said the province put additional resources in place for schools but it’s up to the board to decide “where exactly the resources are being allocated.”

He said questions about “how they’re choosing to spend their resources” are better directed to the school board.

However, he did admit that mental health is an area of priority for the province that requires more attention.

Understanding Cyber Threats, Monitoring Data Leakage & Monitoring Reputational Damage

Article by Aaron Baer

Organizations around the world were recently (and rather rudely) reminded of their data vulnerability when WannaCry unleashed its international ransomware attack that seized data remotely and demanded a ransom for its release. This attack provided an important reminder of the risks associated with data breaches and it forced many organizations to take a cold, hard look at their data protection strategies.

In light of this incident, there has arguably never been a better time for organizations to prioritize monitoring and managing digital risk. A recent report published by Digital Shadows (the “Report“) highlights the need for more sophisticated strategies as organizations’ digital footprints continue to expand at an overwhelming rate. As their digital footprints expand, organizations are exposed to new levels of external risk that are not adequately protected by traditional tactics.

A digital footprint is comprised of information left behind as a result of an organization’s or individual’s online activity – it exists outside the boundaries of internal protection. Employees, suppliers and many others with access to corporate data contribute to an organization’s digital footprint on a daily basis, and they (often unknowingly) expose sensitive information in the process.

While most information in the digital footprint is benign, there is a significant portion that is not. Threat actors focus on a subset called the ‘digital shadow,’ which includes exposed personal, corporate or technical information. Usually this information is highly confidential, sensitive or proprietary. Information left exposed in the digital shadow can be embarrassing for a company and can be leveraged by attackers looking to exploit, launch ransomware or other cyberattacks.

At the same time, organizations should be mindful that cyber-attackers are leaving their own digital footprints and digital shadows behind. The Report suggests that the most effective external digital risk management strategies involve monitoring this activity in order to gain insight and plan defensive strategies.

At a basic level, the Report suggests that external digital risk management requires identifying, assessing and taking steps to mitigate risk exposed by the digital footprint. More importantly, however, external digital risk management should involve: 1) understanding cyber threats, 2) monitoring data leakage, and 3) monitoring reputational risks.

Understanding Cyber Threats

According to the Report, tailored threat intelligence capability is the key to understanding cyber threats. Such intelligence should be premised on four main areas:

  1. Indications and warnings;
  2. Actor profiles;
  3. Campaign profiles; and
  4. Emerging tools.

In order to leverage threat intelligence, organizations should adapt their approach to their particular business. Further, they should focus on who the threat actors are, what they are planning, what tools they are using, and what tools may be developed in the future. Simply receiving generic information is not enough. Involving human analysts in the process, it is suggested, will help weed out irrelevant information and ultimately deliver capable and tailored intelligence.

Monitor Data Leakage

Organizations should be vigilant about monitoring data leakage, since attackers can use leaked data to their advantage. The Report suggests focusing on sensitive code, private encryption keys, employee credentials, confidential documents, intellectual property, and social media over-sharing. These areas of data leakage leave organizations particularly vulnerable, not only to attackers who seek to leverage this information in targeted cyber-attacks, but also to competitors and corporate espionage. Knowing the type of information leaked can provide insight into how the information might be used against you in the future.

Knowing when, where and how this information has been leaked is critical to implementing effective mitigation tactics. For example, if employees are leaking sensitive confidential information through the use of personal email or social media, organizations should be aware of this so that they can implement training and disciplinary procedures to counteract the behaviour.

Monitor Reputational Damage

Finally, the Report suggests that monitoring for reputational damage is a key component of effective external digital risk management. Organizations should be aware of ways by which their goodwill and branding are being leveraged online. According to the Report, the top five risk areas include:

  1. Phishing;
  2. Domain infringement;
  3. Spoofed profiles;
  4. Brand defamation; and
  5. Mobile application issues.

Being able to monitor and detect these activities can not only mitigate reputational damage, but also the negative impact on employees and customers.

In the context of cybersecurity, risk is a well-developed concept. The Report suggests that all risk management strategies should take into account external digital risks. As organizations continue to expand their global online presence and digital footprint, risk mitigation strategies must continue to evolve at the same pace.

As set out in another article recently published on The Spotlight, there are many ways to ensure your organization’s data is adequately protected in order to prevent costly data breaches. Organizations need to recognize the true scale of the cyberattacks they face, adapt to the changing landscape, and incorporate these best practices to protect their bottom line from the costs of data breaches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Source: Mondaq

Know the Odds: The Cost of a Data Breach in 2017

Source: Security Intelligence: Larry Ponemon & Wendi Whitmore

We’ve all heard that when it comes to experiencing a data breach, the question is not if it will happen, but when. You may be wondering about the actual odds of it happening to your organization.

Think about it this way: The chances of being struck by lightning this year are 1 in 960,000. When it comes to experiencing a data breach, according to the Ponemon Institute’s “2017 Cost of Data Breach Study: Global Overview,” the odds are as high as 1 in 4. Therefore, organizations must understand the probability of being attacked, how it affects them and, even more importantly, which factors can reduce or increase the impact and cost of a data breach.

Rapid Response Drives Down the Cost of a Data Breach

Sponsored by IBM Security and independently conducted by the Ponemon Institute, the 12th annual “Cost of Data Breach Study” is out. The findings revealed that the average total cost of a data breach is $3.62 million in 2017, a decrease of 10 percent over last year. Additionally, the global average cost per record for this year’s report is $141, which represents a decrease of 11.4 percent over last year.

Despite the reduction in cost, the average size of a data breach increased by 1.8 percent to 24,089 records. The influencers that impact the cost of a data breach are driven by the country and the IT initiatives underway.

The good news is that organizations can take measures to minimize cost and impact. The 2017 “Cost of Data Breach Study” found that having access to an internal or outsourced incident response team has been the top cost-reducing factor for three years running. An incident response team typically accelerates the time frame in which security events can be contained, which is a significant factor in reducing the overall cost of a breach.

The IBM X-Force Incident Response and Intelligence Services (IRIS) team specializes in providing incident response planning, program development, remediation and threat intelligence to clients in over 133 countries. The team has experience responding to and helping to contain many of the largest data breaches in the world.

Five Steps to Accelerate Your Incident Response

Listed below are five additional tips to help accelerate your organization’s response to a breach.

  1. Speed to respond is critical. The more quickly you can identify what’s happened, what the attacker has access to, and how to contain and remove that access, the more successful you will be.
  2. Set up retainers in advance. In the event of a breach, an experienced team of incident response experts can help you quickly identify and contain the attack, and minimize costly delays.
  3. Access the data needed to answer investigative questions. Be prepared to provide responders with logs and tools to help them understand what happened. For example, what did the attackers access and what did they copy or remove from your environment?
  4. Mitigate the attacker’s access quickly. Plan with the IT staff in advance to understand how to be effective and efficient in a crisis. Consider the following:
    1. How to execute an enterprisewide password reset quickly;
    2. How to reset your service accounts; and
    3. How many of your service accounts have domain administrator credentials.
  1. Establish an internal communications plan. If you have to shut down parts of your environment or reset thousands of users’ passwords, your employees will have a lot of questions. This speculation can have critical ramifications, so it’s important to document a plan to ensure that your employees understand what they can and cannot share publicly.

SEC Issues Cybersecurity Alert For Brokers And Financial Advisers

Article by Peter Stockburger

On May 17, 2017, the US Securities and Exchange Commission (SEC), through its National Exam Program, issued a “Risk Alert” to broker-dealers, investment advisers and investment firms to advise them about the recent “WannaCry” ransomware attack and to encourage increased cybersecurity preparedness. The purpose of the alert, according to the SEC, was to “highlight for firms the risks and issues that the staff has identified during examinations of broker-dealers, investment advisers, and investment companies regarding cybersecurity preparedness.”

Based on a 2015 survey of 75 SEC registered broker-dealers, investment advisers and investment firms, the SEC National Exam Program staff recognized certain firm practices that registrants may find relevant when dealing with threats such as the WannaCry ransomware attack:

  • Cyber-risk Assessment: Five percent of the broker-dealers, and 26 percent of the investment advisers and investment companies examined “did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.”
  • Penetration Tests: Five percent of the broker-dealers, and 57 percent of the investment companies “did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.”
  • System Maintenance: All broker-dealers, and 96 percent of investment firms examined “have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities.” And only ten percent of the broker-dealers, and four percent of the investment firms examined had a significant number of critical and high-risk security patches that were missing important updates.

The SEC recommends registrants undertake at least two separate tasks: (1) assess supervisor, compliance and/or other risk management systems related to cybersecurity risks; and (2) make any changes, as may be appropriate, to address or strengthen such systems. To assistant registrants, the SEC highlights its Division of Investment Management’s recent cybersecurity guidance, and the webpage of the Financial Industry Regulatory Authority (FINRA), which has links to cybersecurity-related resources.

The SEC cautions that the recommendations described in the Risk Alert are not exhaustive, “nor will they constitute a safe harbor.” Factors other than those described in the Risk Alert may be appropriate to consider, and some factors may not be applicable to a particular firm’s business. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised in the Risk Alert. Ultimately, the “adequacy of supervisory, compliance, and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.”

The SEC recognizes that it is not possible for firms to anticipate and prevent every cyber-attack. However, “appropriate planning to address cybersecurity issues, including developing a rapid response capability is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.”

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ global Privacy and Cybersecurity Group operates at the intersection of technology and law, and was recently singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.

About Dentons

Dentons is the world’s first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world’s largest law firm, Dentons’ global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.

For more information, visit our Privacy and Cybersecurity blog at www.privacyandcybersecuritylaw.com

Insurance a second line of defence against cyberattack losses

Insurance a second line of defence against cyberattack losses

DAVID ISRAELSON | The Globe and Mail

Even if small or medium-sized businesses do everything to protect themselves against hackers, they may want to consider a second line of defence – cyberliability insurance.

It’s relatively new, but it’s a growing area for insurance companies. And with the advent of worldwide threats such as the recent WannaCry ransomware virus, it is suddenly a more urgent consideration than ever.

“We haven’t had a lot of requests so far, but it’s a huge field,” says Mark Lipman, president of Consolidated Insurance Brokers Ltd. in Toronto.

By the end of last year, the worldwide market for cyberinsurance was about $3-billion (U.S.), according to a report from Allied Market Research of Portland.

The market is expected to grow year over year by 28 per cent and reach $14-billion in gross premiums by 2022, Allied’s report says.

Mr. Lipman says that, to date, the SMBs his brokerage deals with tend to add on a small amount of cyber-related coverage to their standard commercial policies.

“It’s usually around $25,000 in coverage – which costs an extra $100 on a $1,000 commercial policy,” he says.

Mr. Lipman adds that his firm recommends that SMBs boost their coverage, because of the ever-growing risk of cyberattacks. “We put it [a recommendation] in all the letters we send, either to take coverage or to increase it.”

While this may sound like a self-serving sales pitch by insurers, trends and statistics suggest that the threat of attacks on SMBs is not only real, but also growing fast.

“Cybersecurity insurance is becoming a must-have for most businesses. There is simply no way for an organization to be completely protected from a breach,” say Rohit Sethi, chief security officer for Security Compass, a Toronto-headquartered firm that provides tech-based protection for corporate data.

“This is especially true for SMBs who rarely have security teams on staff and can scarcely afford many leading-edge security solutions. Insurance helps mitigate the financial impact to any company, but every business should treat it as an additional safeguard,” he says.

Small businesses appear to be growing targets for phishers, spear-phishers and cyber-ransomers. A report by security firm Symantec noted in 2014 that attackers targeted small businesses 34 per cent of the time – an increase from 11 per cent just three years before.

Lawyer Lisa Lifshitz, a partner at Toronto firm Torkin Manes LLP, says it has been estimated that criminals launch 3.5 new digital threats against SMBs every second.

Writing in Canadian Lawyer magazine, she said that, “29 per cent of all small businesses have experienced a computer-based attack that affected their reputations, involved the theft of business information, resulted in the loss of customers or experienced network and data centre downtime.”

While any SMB can be a cybercriminal’s target and suffer damage, the risk goes up if the business’s data is ultrasensitive. Since 2014, LawPro, the mandatory insurance program covering Ontario-based lawyers, includes coverage for up to $250,000 for cybercrime.

This coverage is “modest” for firms whose data can easily be compromised in, say, a $1-million residential real-estate deal. “We say modest because, like the fraud risks the profession has faced over the years, there is no way to predict the total possible exposure,” LawPro says.

Lawyers (and others) should always look to what’s covered and what’s not covered in their cyberpolicies, says Addison Cameron-Huff, a Toronto-based tech lawyer. “The interesting part of every policy is the exclusions,” he says.

Indeed, LawPro cautions its lawyer policy holders to “remember that any losses from cybercrime that are not connected with the provision of legal services will not be covered … [such as] damage to equipment or software, business interruption and reputational harm.”

Lawyers, and any other SMBs, can buy coverage that either pays out more or includes more possible types of losses. But it’s buyer beware, Ms. Lifshitz warns.

“Every insurance company deals with coverage differently. There are always going to be carve-outs” for situations that insurers won’t cover, she says.

Speaking in an interview, Ms. Lifshitz adds that insurance companies will do their own due diligence of SMBs before offering coverage. It’s the equivalent of having an inspector come to your house to see whether you have railings and fire alarms before you get home coverage.

If a smaller entity hasn’t taken the steps to become cyberinsurance ready, they’re not going to get coverage, she says.

The Insurance Bureau of Canada has published a checklist for businesses looking for cyberinsurance. These businesses should ask themselves:

– How many records with personal information does your company keep?

– How much sensitive commercial information do you keep?

– What security do you have in place that might reduce your insurance premium?

– Do you need to encrypt all your laptops, phones and tablets?

– Do any third parties you deal with have unencrypted media?

– Would you be able to make a claim on the policy you choose even if you haven’t discovered a breach for several months or years?

Page 1 of 1012345...10...Last »

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from ILSTV

You have Successfully Subscribed!

Pin It on Pinterest