Insurance a second line of defence against cyberattack losses

DAVID ISRAELSON | The Globe and Mail

Even if small or medium-sized businesses do everything to protect themselves against hackers, they may want to consider a second line of defence – cyberliability insurance.

It’s relatively new, but it’s a growing area for insurance companies. And with the advent of worldwide threats such as the recent WannaCry ransomware virus, it is suddenly a more urgent consideration than ever.

“We haven’t had a lot of requests so far, but it’s a huge field,” says Mark Lipman, president of Consolidated Insurance Brokers Ltd. in Toronto.

By the end of last year, the worldwide market for cyberinsurance was about $3-billion (U.S.), according to a report from Allied Market Research of Portland.

The market is expected to grow year over year by 28 per cent and reach $14-billion in gross premiums by 2022, Allied’s report says.

Mr. Lipman says that, to date, the SMBs his brokerage deals with tend to add on a small amount of cyber-related coverage to their standard commercial policies.

“It’s usually around $25,000 in coverage – which costs an extra $100 on a $1,000 commercial policy,” he says.

Mr. Lipman adds that his firm recommends that SMBs boost their coverage, because of the ever-growing risk of cyberattacks. “We put it [a recommendation] in all the letters we send, either to take coverage or to increase it.”

While this may sound like a self-serving sales pitch by insurers, trends and statistics suggest that the threat of attacks on SMBs is not only real, but also growing fast.

“Cybersecurity insurance is becoming a must-have for most businesses. There is simply no way for an organization to be completely protected from a breach,” says Rohit Sethi, chief security officer for Security Compass, a Toronto-headquartered firm that provides tech-based protection for corporate data.

“This is especially true for SMBs who rarely have security teams on staff and can scarcely afford many leading-edge security solutions. Insurance helps mitigate the financial impact to any company, but every business should treat it as an additional safeguard,” he says.

Small businesses appear to be growing targets for phishers, spear-phishers and cyber-ransomers. A report by security firm Symantec noted in 2014 that attackers targeted small businesses 34 per cent of the time – an increase from 11 per cent just three years before.

Lawyer Lisa Lifshitz, a partner at Toronto firm Torkin Manes LLP, says it has been estimated that criminals launch 3.5 new digital threats against SMBs every second.

Writing in Canadian Lawyer magazine, she said that, “29 per cent of all small businesses have experienced a computer-based attack that affected their reputations, involved the theft of business information, resulted in the loss of customers or experienced network and data centre downtime.”

While any SMB can be a cybercriminal’s target and suffer damage, the risk goes up if the business’s data is ultrasensitive. Since 2014, LawPro, the mandatory insurance program covering Ontario-based lawyers, has included coverage of up to $250,000 for cybercrime.

This coverage is “modest” for firms whose data can easily be compromised in, say, a $1-million residential real-estate deal. “We say modest because, like the fraud risks the profession has faced over the years, there is no way to predict the total possible exposure,” LawPro says.

Lawyers (and others) should always look to what’s covered and what’s not covered in their cyberpolicies, says Addison Cameron-Huff, a Toronto-based tech lawyer. “The interesting part of every policy is the exclusions,” he says.

Indeed, LawPro cautions its lawyer policy holders to “remember that any losses from cybercrime that are not connected with the provision of legal services will not be covered … [such as] damage to equipment or software, business interruption and reputational harm.”

Lawyers, and any other SMBs, can buy coverage that either pays out more or includes more possible types of losses. But it’s buyer beware, Ms. Lifshitz warns.

“Every insurance company deals with coverage differently. There are always going to be carve-outs” for situations that insurers won’t cover, she says.

Speaking in an interview, Ms. Lifshitz adds that insurance companies will do their own due diligence of SMBs before offering coverage. It’s the equivalent of having an inspector come to your house to see whether you have railings and fire alarms before you get home coverage.

If a smaller entity hasn’t taken the steps to become cyberinsurance ready, they’re not going to get coverage, she says.

The Insurance Bureau of Canada has published a checklist for businesses looking for cyberinsurance. These businesses should ask themselves:

– How many records with personal information does your company keep?

– How much sensitive commercial information do you keep?

– What security do you have in place that might reduce your insurance premium?

– Do you need to encrypt all your laptops, phones and tablets?

– Do any third parties you deal with have unencrypted media?

– Would you be able to make a claim on the policy you choose even if you haven’t discovered a breach for several months or years?

Five Pitfalls Of Cybersecurity Insurance: Lessons From The United States

Article by Ruth Promislow and Ethan Schiff

Given the increasing threat of cyberattacks and the corresponding costs, businesses are increasingly considering cybersecurity insurance. But insurance is only as effective as the scope of the coverage. Though Canadian courts have not yet interpreted insurance policies in the cybersecurity context, American cases highlight five noteworthy pitfalls.

  1. Coverage Denied Because the Insured Did Not Comply with Underlying Obligations

Just as health coverage may be contingent upon the insured maintaining a healthy lifestyle, cybersecurity insurance may be contingent upon the insured meeting certain technical standards. In Columbia Casualty Co v Cottage Health System, the insurer denied coverage and alleged that the insured failed to comply with required “procedures and risk controls”, which imposed an obligation to “follow minimum required practices”.

  2. Coverage Denied Because the Incorrect Party Was Injured

In P.F. Chang’s v Federal Insurance Co, the insured (P.F. Chang’s) made a claim on its insurance due to a data breach resulting in stolen records belonging to its customers. P.F. Chang’s did not suffer an injury. The court concluded that the relevant insurance policy did not cover P.F. Chang’s because the policy required that the claimant suffer an injury. The policy at issue was marketed as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world.”

  3. Coverage Denied Because the Incorrect Party Caused the Injury

In Zurich American Insurance Co v Sony Corp of America et al., Sony made a claim on its insurance for defence and indemnification due to losses resulting from a data breach by criminal hackers. The policy provided coverage for “oral or written publication in any manner of the material that violates a person’s right of privacy.” The court held, however, that the policy only provided coverage if Sony published the material itself. Since the hackers published the material, Zurich had no obligation to indemnify Sony.

  4. Coverage Denied Because the Cyber Activity Was Merely Incidental

Cybersecurity insurance may only provide coverage if the loss clearly results from cyber activity. In Apache Corp v Great American Insurance Company, the insured became the victim of fraud after an employee wrongly determined that a known vendor’s telephone and email request to transfer money was authentic. The request turned out to be fraudulent and the insured reimbursed the vendor. The insured made a claim under its insurance, which covered “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer…”. The court held that the circumstances were not covered because the loss did not result directly from the use of a computer; the computer use was “merely incidental”.

  5. Coverage Denied Because the Litigation Was Outside the Scope of Covered Claims

Insurance may provide coverage for certain claims to the exclusion of others. In Travelers Property Casualty Company of America v Federal Recovery Services Inc, the insured made a claim based on costs incurred for litigation resulting from a tort claim for intentional misuse of its data storage activities. The insurer denied the claim because the policy only provided coverage if the loss was caused by “any error, omission or negligent act.” The court held that the lawsuit against the insured for “knowledge, willfulness, and malice” was outside the scope of the coverage.

Conclusion

The United States case law highlights the importance of understanding your company’s risks and vulnerabilities in order to define the precise scope of cybersecurity insurance required. A risk and vulnerability assessment is a critical component to establishing an overall cybersecurity plan that will mitigate risk and corresponding damages.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Cyber mortgage fraud on the rise, lenders warn

Excerpted article was written by Duncan Hughes | Financial Review

Sophisticated mortgage fraud using authentic-looking digital applications is on the rise, according to fraud experts tracking an estimated $1 billion in fraudulent credit applications each year.

Connective, a leading mortgage and service provider to broker networks, is warning about an increase in the use of new technologies to deceive lenders and brokers.

“Technological advancements of digital applications enable people to create documents or change existing documents to be more and more authentic looking,” said Paul Palmer, a compliance manager for Connective, which claims to play a role in 10 per cent of the nation’s mortgages.

Mr Palmer warned there is a “significant increase” in the number of suspicious loan application referrals to mortgage brokers from real estate agents or other mortgage brokers.

A referral is when one agent refers a client to another agent in return for potential future work.

“New-to-industry brokers are being targeted by people who have clients that can only service or get a loan through submitting fraudulent applications,” Mr Palmer said.

The cost of financial fraud in Australia is growing by more than one third a year, according to analysis by Equifax, which monitors data provided by the nation’s big four banks, international financial institutions, telecom providers and other credit providers.

Mortgage fraud increased by 13 per cent, the third fastest increase after personal loan (16 per cent) and consumer credit card (47 per cent) fraud, Equifax’s analysis reveals.

Imelda Newton, general manager, said online fraud and an 80 per cent increase in stolen identities – the fastest growing type of fraud – are fuelling the rapid increase.

More than 70 per cent of frauds happen in Melbourne and Sydney, with the highest concentrations in Sydney’s Parramatta and Melbourne’s north-west.

Identity fraud happens where genuine identity is stolen from an individual and misused for financial gain.

Other major causes of mortgage fraud include falsifying personal details, payslips, bank statements and tax assessments; failing to disclose debts, lying about financial commitments and fabricating identity.

“We see a lot of differences in fonts, in key financial data, and a lot of mathematical errors,” said Mr Palmer, who recommends brokers get certified identification.

The Australian Securities and Investments Commission investigated 583 cases of misappropriation, theft and fraud in the six months to the end of August last year, a 3 per cent increase on the previous 12 months.

Online applications account for more than half of fraudulent applications followed by brokers, according to Equifax’s analysis of channels used by fraudsters.

Matthew Bransgrove, a lawyer with Bransgroves Lawyers and mortgage fraud specialist, said lenders and other financial institutions are not keen to admit the amount of fraudulent activity.

Mr Bransgrove said fraudulent activities range from opportunistic individuals to criminal networks that pay bogus loan applicants to submit fraudulent applications using false information.

“The fraudsters would not be doing it if they were not winning,” he said.

Local lenders began cracking down on overseas loan applications last year when they discovered a large number of applications were fraudulent.

For example, The Australian Financial Review recently revealed foreign real estate buyers paid about $200 each for forged bank income and spending statements used in mortgage applications, mortgage industry sources said.

Bilingual lending experts said a loan application in Chinese was a “ludicrously obvious forgery” for a $960,000 loan to purchase a $1.06 million Sydney apartment.

Since then, most of the loans have been stopped or are subject to stricter lending criteria. Self-employed applicants need to provide confirmation the business has been running longer than two years and details of ownership structure. There are also much more stringent checks on documents and identity.

Connective’s group legal counsel, Monique Hope-Pearson, said: “Culture and fraud continue to be big ticket items for the regulator. As an industry, we need to work together to ensure that all players are acting ethically and doing the right thing.”

Ms Hope-Pearson said Connective conducts regular reviews, and provides policies, procedures and training to ensure compliance.

Read more: http://www.afr.com/personal-finance/cyber-mortgage-fraud-on-the-rise-lenders-warn-20170328-gv8m85

Stay a step ahead: RBC gives tips to be cyber smart

Technology has made lives easier, connecting people and businesses in unprecedented ways. But with the steady pace of advancement and change comes the heightened risk of fraud, particularly digital and online fraud. Words like “phishing” and “smishing” that did not exist a decade ago have entered our everyday lexicon.

“The reality is that cyber-crime has become an increasingly problematic issue, not only for the financial services sector, but for other industries in Canada and around the globe,” said Adam Evans, vice-president risk management at RBC. “It takes a combined effort between organizations and consumers to prevent fraudsters and cyber scammers from getting their hands on your private information.”

According to the Canadian Banking Association, 72 per cent of Canadians use online and mobile banking as their primary means of banking, up from 52 per cent in 2012. It’s clear that Canadians are accepting of new and convenient banking and payment technologies but it’s important they know how to stay safe when using these tools.

“Empowering our clients and the public to protect themselves is one of the best lines of defense,” added Evans. “As Canada’s largest bank we believe we have a responsibility to help educate the public on common cyber, fraud and privacy scams.”

Canadians can do their part to stay safe
Watch the RBC Be Cyber Smart video series; a collection of cyber awareness tips for individuals, families, youth and RBC clients:

  1. Choose powerful passwords. Use multiple passwords, change them frequently and use ones that include a mix of letters and numbers: all essential components of online safety.
  2. Don’t respond to unsolicited requests for confidential information. Be aware of schemes that ask for personal or financial information – they could be pretexting.
  3. Beware of the phish. Do not click on a link in an email, call a phone number, wire money or take any requested action, unless you first verify that the request is legitimate.
  4. Be cautious when sharing on social media. Be careful about including personal information online, on social networking sites and in email.
  5. Be wary of public Wi-Fi. Avoid using public Wi-Fi to online bank, online shop or access any confidential information.
  6. Keep your personal information private. Laptop and phone screens can easily be seen and your side of a phone conversation can be heard by everyone around you.

RBC is a proud participant in Fraud Prevention and Cyber Awareness months and aims to build awareness among clients and employees year-round. Read more tips and watch the Be Cyber Smart video series anytime on RBC’s Privacy & Security website.

About RBC
Royal Bank of Canada is Canada’s largest bank, and one of the largest banks in the world, based on market capitalization. We are one of North America’s leading diversified financial services companies, and provide personal and commercial banking, wealth management, insurance, investor services and capital markets products and services on a global basis. We have over 80,000 full- and part-time employees who serve more than 16 million personal, business, public sector and institutional clients through offices in Canada, the U.S. and 35 other countries. For more information, please visit http://www.rbc.com/.

RBC helps communities prosper, supporting a broad range of community initiatives through donations, community investments and employee volunteer activities. For more information please see: http://www.rbc.com/community-sustainability/.

SOURCE RBC

Cybersecurity Trends to Watch in 2017

Eric Basu | Business to Community

Today, North American households play host to an average of 13 internet-connected devices. It’s at times like these when parties of all sizes should be relying on the expertise of IT professionals. However, a recent report showed that more than 80% of cybersecurity experts say there’s a deficit of skilled workers in the sector, and nearly as many said this has a serious impact on the compromising of devices and applications by cyberattacks. That’s the theme of the new year we’re in: no device or individual is safe from cyberattacks.

Take a look at the cybersecurity trends that started in 2016 and are expected to continue to make news throughout the new year.

Malicious Botnet Attacks

Cybersecurity issues have been, and will continue to be, dominated by the rise in botnets targeting Internet of Things (IoT) devices with Distributed Denial-of-Service (DDoS) attacks. In 2016, we saw hackers harnessing the power of smart devices to take down large domains and internet providers, affecting thousands of websites, including Twitter and Spotify. The most notable were two pieces of malware called Mirai and Bashlite, which together have enslaved more than a million IoT devices.

There will be an estimated 28.4 billion internet-connected devices this year, up nearly 5.5 billion devices since the previous year. With the number of IoT devices expected to reach 50 billion by 2020, we’ll see a lot more government intervention this year in regards to regulating the security of these connected devices.

That could involve taking the steps proposed by the European Union and the Obama administration: creating independent bodies that will oversee the production and regulation of labels for smart devices. This proposal would give consumers the tools to make more educated cybersecurity choices and force manufacturers to include more stringent security measures.

Overall, Gartner projects that worldwide spending on IoT security will rise to $434 million this coming year.

Need for Proactive Approaches

Another trend we’ll see this year is companies taking a proactive approach to cybersecurity, rather than forming policies strictly as a reaction to a hack.

Proactively addressing cybersecurity involves taking into consideration the weaknesses that come with both IT and human staff. A large part of that involves limiting the number of devices employees use for professional purposes. These devices can create an issue since they bypass the security perimeters meant to protect workplace computers. It’s predicted that by 2018, a quarter of all corporate information will not pass through this security perimeter and will instead travel directly from mobile devices to the cloud.

Workplace security won’t be as straightforward as fitting an account with an employee username and password. Three Mobile, one of the largest mobile companies in the United Kingdom, put six million customers’ personal data at risk this past November when an employee login was used to hack into the system. A similar hack occurred at TalkTalk, another British telecommunications company, earlier in the year.

With devices becoming increasingly portable and less secure, we will see companies take more precautions with their employees and create defensive cybersecurity systems that address the agility of new devices and dangerous malware.

Vulnerability assessments should be done at all levels to determine the likeliness of an attack, and how to prevent it.

Application Security On the Rise

Organizations will continue to place more of an emphasis on application security throughout this year. That’s according to a recent report that surveyed 475 businesses and organizations in the U.S. More than one-fifth of those involved in the survey said applications were the source of breaches of secure information and cyberattacks.

Organizations are getting better at coordinating their security efforts, though. Forty percent of businesses have some sort of policy that third-party application providers must follow when providing a program or service. The responsibility of application security is being taken more seriously, too. More than one-third of organizations claimed that their application security programs are maturing.

Fake News & Social Media

Social media and fake news monitoring will become a part of companies’ cybersecurity strategies.

As the dust settled on the 2016 American election, people wanted to know if fake news articles played a role in the outcome. The Pew Research Center found that 62% of all Americans rely on social media for their news, with 44% of them using Facebook as their number one source.

Fake news sites came in a number of forms, from aggregators that rewrote stories with inflammatory headlines to articles with fake statistics and false reports about the candidates.

While not a hack in the traditional sense, fake news sites and hyper-partisan social media accounts play a role in corroding trust and blurring the line between fact and fiction. In 2017, we will see companies start to protect themselves from this kind of attack by incorporating social security measures into their cybersecurity best practices and processes.

It will be up to programmers and engineers to rewrite algorithms and develop monitoring tools to detect spam-ridden content and false information. But until this picks up, users will have to navigate their social streams more critically than ever before to distinguish genuine engagement from false persuasion.

Increased Security Is the Big-Picture Trend

From hijacked IoT devices to published propaganda, both companies and individuals are on high alert in terms of cybersecurity this year. We can expect to see businesses adopt security measures that address some of these rising concerns which will mean greater security for consumers, too.

Is your company doing something different in the way of cybersecurity in 2017?


Off-Duty Conduct: What Can Happen When Employees Go Viral

By Michael Horvat | Mondaq

It seems that a week cannot go by without the news reporting on a seemingly private or embarrassing event that has gone public. With the abundance of cameras in our daily public lives and the instantaneous sharing of information, our actions and statements can be easily broadcast as they happen. Our new “public” life is ever more on display. Some recent examples include being caught on video engaging in public mischief (such as throwing a beer can onto a sports field on national television) or posting on Twitter or other social media sites to “friends” something that is then resent or retweeted for everyone to see. How employers and their employees cope with and navigate the greying line between an individual’s private life and their connection to the workplace is likely to become a greater issue, especially among a new generation of employees who have grown up in a world of social media and use it as their primary vehicle of communication.

As employees become more aware that their employers are noticing what happens away from the office or shop floor, employers must equally understand that there are still limits as to what behaviour they can regulate when the work day has ended.

In the past, there used to be a clearer time and distance aspect with respect to off-duty conduct. If it happened away from the workplace and outside of work hours, it was presumed to be the employee’s own business and, strictly speaking, of no concern to the boss, unless it tied the company brand and employee together in a bad light.

The law regarding an employer’s response to off-duty employee conduct has evolved as the web of social connections between employer and employee ties them together outside of regular business hours. Bullying behaviour in the office has to be addressed, so why not address bullying that occurs on Facebook or Twitter? Human Resources departments now have no choice but to take notice and act, whether it is to address potential harm that may arise from bad publicity or to address concerns by co-workers due to comments or actions made by colleagues in “private” internet communications that have become public. (Anecdotal evidence counters the notion that anything on the internet or that is electronically distributed is or can remain private.)

Employees must understand that companies will act to address off-duty conduct when that conduct could detrimentally affect their image, brand or business, or otherwise impact the well-being of coworkers. In some cases, employers will have no choice but to engage in an investigation into such behaviour and discipline or terminate the employee if misconduct is found to have occurred. For example, under recent changes to the Occupational Health and Safety Act, Ontario companies are now mandated to have policies in place regarding the reporting and investigation of harassment and sexual harassment complaints. The application of such policies extends beyond the workplace. Off-duty comments made on Facebook towards a co-worker can create a hostile work environment as easily as comments made in the lunchroom.

Consequently, it is recommended that all employers have policies which provide direction to their employees about their use of social media (such as Facebook, Twitter, Instagram). These policies should caution employees about the use of technology both at the workplace (when using company email and computers) and away from the workplace. The policies should also refer to the company’s harassment policies and code of conduct rules and advise employees that off-duty conduct can also be subject to investigation and discipline (including discharge). Finally, employees must be trained in the application of these policies and the company must consistently review and enforce their application.

However, employers must be prepared to distinguish between actions which create a public relations issue (our employee has embarrassed the company), requiring only a public relations response, and a human resources issue (our employee has breached policy and caused damage to the company’s goodwill or to another employee), which could require investigation and discipline.

Not every case where harm is caused to the company’s brand or reputation will require a human resources response, and the harm or potential harm caused will only be one factor among many when determining whether investigation and discipline are appropriate in the circumstances. Other factors will include the degree of responsibility exercised or public position held by the employee, whether the misconduct will hinder that employee’s ability to perform his/her job and/or their ability to work with co-workers, and the co-workers’ corresponding willingness to continue to work with them.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
