4 scams to watch out for this holiday season

Frauds, scams spike this time of year, says RCMP

CBC News

As shoppers gear up for the holiday season, police say fraudsters are also preparing to take advantage of those who aren’t careful.

The holidays are ripe for fraudulent activity, with various types of scams appearing around this time of year, according to Jeff Thomson, a senior intelligence analyst with the RCMP’s fraud unit.

Here are some of the most common scams Thomson said people should watch out for.

SIM swapping

Thomson said the RCMP has seen a recent spike in identity theft through what’s known as SIM swapping.

Fraudsters will send a phishing email, which appears to be from your service provider, offering you free data or something similar — and a link for you to claim your “prize.”

The link asks for personal information to update your cellular account profile. Fraudsters will then contact your service provider and, using that information, gain access to your phone.

“If you have your bank accounts, your social media accounts, email accounts — they can now start to gain access to the accounts you have on your mobile device,” Thomson said.

If you receive an email from your service provider with an offer, Thomson recommends calling them to verify it’s real.

Evolving phone scams

This one might sound familiar: someone allegedly calls from the Canada Revenue Agency (CRA) and demands payment for back taxes while threatening the victim with arrest.

Thomson said the RCMP are seeing a spike in these kinds of scams, but instead of the CRA, the fraudsters claim to be from Service Canada.

“The Service Canada scam I’m seeing as the evolution of the CRA scam,” Thomson said.

Fraudsters tell victims their social insurance number (SIN) is compromised and then attempt a two-part scam.

First, they’ll attempt to coax your name, date of birth, SIN and other personal information from you.

Then they’ll say police or investigators need to follow up, which later turns into a demand for cash. Thomson said that usually takes the form of fraudsters telling victims to move money into a “safe account.”

Like with the CRA scam, Thomson said Canadian agencies wouldn’t call and ask for personal information.

Online shopping scams

As more and more shoppers turn to the internet to find that perfect holiday gift, fraudsters are taking notice.

Thomson said one scam comes in the form of an unbelievable offer for a wish-list item — but often it’s counterfeit or of an inferior quality.

To avoid being duped, Thomson recommends only shopping at well-known websites, reading reviews on lesser-known ones first, and using payment programs that have credit card protection.

“If a deal seems too good to be true, it probably is,” he said.

Loan scams

This scam typically preys on victims looking for extra cash during the holidays.

Fraudsters offer loans, Thomson said, and then either take personal information or begin to demand payments.

Thomson advises people to be cautious and only seek loans from credible providers.


New Geneva Association & IFTRIP task force to address emerging cyber terror risks

The Geneva Association is launching a joint task force on cyber terrorism and cyber warfare with the International Forum of Terrorism Risk Reinsurance and Insurance Pools (IFTRIP). The special-purpose task force aims to conduct research on cyber terrorism risks across the re/insurance industry. Its initial findings will be published in mid-2020.

The launch of this new task force was announced at the IFTRIP 2019 International Conference in Brussels, Belgium. It will be led by Rachel Anne Carter, the Geneva Association’s Director of Cyber, supported by Julian Enoizi, CEO of Pool Re and Christopher Wallace, CEO of Australian Reinsurance Pool Corporation and president of IFTRIP.

Why Cybersecurity Should Matter To Your Small Business

Huffpost Canada

In an increasingly demanding economy where time and efficiency are crucial, it’s incumbent on small business owners to ensure their proverbial ducks are in a row. Perhaps none of those ducks are more important than security, namely cybersecurity. Having e-commerce protection for both consumers and owners is essential to ensure your business doesn’t suffer from potential privacy breaches. In partnership with Intact Insurance, we’ve identified five reasons why cybersecurity should be top priority for your business.

1. Protect your business from phishing schemes

One of the biggest online foes for small businesses is the phishing scheme. According to this 2019 US report, one in every 99 emails is a phishing scheme. This is when a scammer pretends to be a legitimate company or individual in the hopes of receiving your personal, banking or credit card information. Opening these emails can open up a Pandora’s box of problems. It’s important that business owners and employees recognize certain characteristics of these emails to avoid being a victim. If you don’t recognize the company or name of the sender, don’t open the email. If you’re still unsure, try calling the company directly to verify the authenticity of the email.

“Invest in the ongoing training of your employees and managers to be able to recognize phishing scams,” recommends Yan Lacoursière, Senior Loss Prevention Consultant at Intact Insurance. Scammers use the human aspect to trick you (lack of knowledge and kindness, for example). “Remember, when in doubt, don’t click on anything and don’t give away any sensitive information,” he says.

2. Protect your business from denial of service attacks

Cybersecurity has also grown in stature due to the fact that phones and tablets can do everything traditional computers can. However, it also opens other avenues for risks from outside computers including a DDoS, or distributed denial of service attack. It’s a malicious attempt to crash one’s server by flooding the website with too much traffic. A strong preventive measure would be to use a cloud-based DDoS mitigation service – it’s what keeps a website running during an attack. Offloading server functionality to a cloud platform allows it to filter through malicious traffic before it reaches you.

3. Protect your business from online hackers

No matter the size of the company or its location, the looming threat of hackers stealing sensitive information is very real. According to the Insurance Bureau of Canada, nearly one in five small businesses (18%) have been affected by a cyber attack or data breach in the last two years. This not only applies to your company’s website but all social media and email accounts, too. Avoid the online threat by changing passwords regularly (quarterly is recommended) and disabling auto-fill forms. Store data in a virtual data room and hide admin pages from search engines, so hackers can’t find them easily. Above all else, keep your operating system and antivirus programs up to date to stay protected from malware.

4. Protect your business from wi-fi eavesdropping

By default, wi-fi is not secure. Hotspots don’t use encryption, providing no protection at all when on a public network. So, if you’re working remotely, the best way to secure data is to connect to a Virtual Private Network (VPN). By doing this, every activity on your or your employees’ computers is sent through an encrypted tunnel, making it extremely hard for anyone to eavesdrop and capture any passwords, emails and file transfers.

5. Have the right insurance when all else fails

The cost of repairing a breach and covering legal expenses could set you and your company back. Contact your broker to learn how privacy breach coverage can manage the impact caused by theft, loss, or unauthorized access to your customers’ or employees’ personal information. Running a small business online can be both overwhelming and exciting. By staying informed and taking the right steps, you can ensure the safety of your business, employees and clients’ data. Not only that, you’ll be able to watch your business grow and fulfill your dreams.

Cyber Insurance And D&O Liability

Last Updated: September 19 2019

Article by Deepshikha Dutt

Introduction

In the past decade, there have been several reports of cybersecurity attacks and data breaches to large corporations.1 In many cases, those affected by the breach want to hold the directors and officers accountable, as they feel the corporation failed to implement the proper security measures to prevent a breach from happening or did not effectively handle the aftermath of the breach. However, directors and officers generally enjoy limited personal liability subject to a few exceptions.2 Nevertheless, as more specific guidance emerges for directors and officers handling cybersecurity issues, the scope of this liability may widen.3 Thus, directors and officers should not take comfort in the substantial barriers that prevent them from being held liable for issues relating to the organization.4 In fact, despite these substantial barriers, shareholders continue to pursue derivative actions against directors and officers.

This article will discuss the scope of personal liability directors and officers face relating to cybersecurity breaches, and recent actions pursued against directors and officers in Canada and the US. Following the article, key takeaways will be provided.

Scope of liability

Cybersecurity poses a significant threat to directors and officers as cyber threats continue to emerge, and the rules and regulations that guide cybersecurity continue to evolve. Directors and officers may be held liable in the event of a cybersecurity attack if they are found to have breached their duty of care or have failed to comply with any disclosure requirements. Moreover, directors and officers can be personally liable where a company fails to comply with Canada’s Anti-Spam Legislation (CASL).5

Directors and officers have a duty to exercise reasonable care and diligence, both at common law6 and under corporate statutes.7 Failure to oversee the company’s cybersecurity measures adequately, before and after a breach occurs, could be considered a breach of this duty.8 Moreover, failure to comply with federal and provincial disclosure requirements after a breach could lead to liability for secondary market misrepresentation.9

Therefore, having an appropriate response or compliance plan, and effective security measures to protect the company against future cyber threats is essential. This will help support any claim by a director or officer that all requisite care and diligence was met, and all regulations were complied with.10

Lastly, directors and officers can be held personally liable and receive fines where the company has violated CASL. Non-compliance with CASL carries a maximum fine of CA$1 million for individuals and CA$10 million for organizations.11 Moreover, directors and officers can be vicariously liable for an organization’s non-compliance even where the regulator, the Canadian Radio-television and Telecommunications Commission (CRTC), does not pursue the organization. In fact, the CRTC has made a public statement that directors and officers cannot hide behind their company’s structure or online entities to avoid liability.

Derivative actions in Canada and the US

Currently, there have not been any attempts at a lawsuit against directors and officers in relation to cybersecurity in Canada.12 However, given the number of derivative actions commenced in the US, it is possible that they could give rise to such claims in Canada. The US has seen several derivative action suits against directors and officers relating to cybersecurity over the past few years.13 All but one have been unsuccessful, largely due to technical and procedural reasons. However, in January 2019, a derivative action lawsuit settled for US$29 million, compensating the plaintiffs significantly.14 This is the first time shareholders have been awarded monetary damages for a breach-related derivative lawsuit. This settlement could spark the beginning of successful derivative action lawsuits, and inspire others to pursue civil actions against directors and officers for cybersecurity breaches. Moreover, this settlement can be used as a benchmark for future civil actions when deciding on the amount to be awarded. Effectively, this settlement may not only affect civil actions in the US, but also allow derivative actions to gain traction in Canada.

Penalties for violation of Canada’s Anti-Spam Legislation

More recently, the CRTC has held directors and officers personally liable for a company’s violation of CASL. On April 23, 2019, the CRTC found that a coupon marketing company, nCrowd, had violated CASL, and found the former CEO of the company to be personally liable.15 As a result, he received a CA$100,000 fine. Further, a different company that was also part of this scheme with nCrowd had also violated CASL, and the CRTC held this company’s CEO vicariously liable for the violation. As a result, he received a fine of CA$10,000. Ultimately, liability under CASL can extend beyond the corporation if the person authorized, acquiesced or participated in the commission of the violation.

Key takeaways

  • Directors and officers should familiarize themselves with all regulatory guidelines to protect the company from a data breach and to avoid being personally liable for the breach;
  • D&O liability insurance does not always offer protection for cyber-related incidents or threats. It is important to confirm whether this is protected and the scope of protection provided. Not having proper protection could expose directors and officers to liability and significant payouts;
  • There have been no derivative action attempts relating to cybersecurity breaches in Canada, but given the current climate in the US, it is possible this will encourage such claims to occur in Canada; and
  • Directors and officers can be held either personally or vicariously liable for a company’s violation of CASL if that individual played some role in the commission of the violation.

Conclusion

Cybersecurity attacks and data breaches are inevitable and can happen to any organization, thus remaining a significant threat to corporate governance. While a cybersecurity attack is a crime, directors and officers may still be held liable for a breach if they failed to oversee the company’s security measures prior to the breach, or failed to take the necessary course of action after the breach occurred. Ultimately, boards of organizations must recognize the current cybersecurity environment that exists, and assemble a reasonable response plan to respond to these threats when and if they occur. Our final article will provide key takeaways and best practices for both insureds and insurers in relation to cybersecurity risks.

A special thank you to Emeleigh Moulton (summer student) for her assistance with this article.


Dispelling 5 Common Cybersecurity Myths

There’s a lot of existing advice and information on cybersecurity out there, but don’t fall victim to any of these common misconceptions that give you a false sense of security.

Myth #1 – All your vendors maintain appropriate security controls

The reality is, your organization’s security is only as strong as your weakest vendor. Vendors can create unforeseen vulnerabilities by not adhering to their own policies. When you first contracted with a vendor, their cybersecurity controls may have been sufficient, but are they continuing to comply with and update them in response to the changing cybersecurity landscape? In the past, each cyberattack would be looked at individually, but now they’re being linked together, creating a domino effect. Many of the large breaches we’ve all heard about can be attributed to a hacker compromising a vendor and leveraging that access to pivot and attack the vendor’s customers. Make sure you’re checking in quarterly or annually to ensure that your partner’s policies and procedures are up to date, reflect current practices and are being followed. Additionally, request that they provide a copy of their cyber insurance policy.

Myth #2 – Cloud services have built-in cyber protections

Almost every company utilizes cloud services in one form or another. The security team for a cloud service company is on the front lines of the internet’s most critical information security issues and their domain continues to expand. Cloud services have responded by operating within a shared security model. The cloud service company controls the physical servers through to the configuration level that is accessible to users. The user retains responsibility for the actual data and services that are being run on the virtual server, unless otherwise stated in your contract. It’s essential that organizations thoroughly understand their responsibilities and how to best leverage the provided security features to ensure they’re taking necessary precautions to avoid an incident. A hybrid security plan that takes into account both on premise and cloud systems is critical.

Myth #3 – It’s possible to predict the next big cyber attack

Today’s headlines are full of cyber breaches that impact not only the companies that experienced the breach, but their customers and beyond. Though there’s a lot of dialogue around the devices, companies and systems that could potentially be attacked, there is no way to predict exactly when or where the next large-scale attack will occur. This is very similar to thinking we can predict earthquakes; despite monitoring seismic activity for patterns, there is no way to predict exactly when and where the next “big one” will occur. So how should businesses and consumers prepare for a cyberattack? If you lived in an earthquake-prone area you would purchase a house that is built to code, have emergency supplies and have earthquake insurance. Prepping for a cyber event is no different; you take precautions and put controls in place to mitigate your risk and reduce impact. Precautions include purchasing cyber insurance, implementing an effective cybersecurity program and developing incident response, business continuity, and disaster recovery plans. Insurance provides the peace of mind needed in the event of an attack and the support to help you get back up and running while reducing financial impact.

Myth #4 – What worked in the past is good enough

In this ever-changing cybersecurity landscape, traditional methods of securing your perimeter, protecting data and addressing privacy concerns are not enough. The main shift we’ve seen is more visibility into what actions a company is taking to reduce their risks. Cybersecurity cannot effectively operate in a silo; it’s the responsibility of every employee and department to incorporate security controls into their daily business operations. To do so, create a layered approach to securing both internal and external resources to properly address risk. Make sure you are increasing your security budget every year to continue to add to your infrastructure tools and ongoing training and education. Providing your team with continued education and new technology is critical in minimizing the risk and impact of a breach.

Myth #5 – My business is not a target

The sheer amount of news coverage on large-scale cyber attacks can lead businesses to become numb to them and contribute to the notion that they’re not important enough to be the next target. In truth, smaller organizations are often a target because of the access they provide to a larger target. Accepting that it’s generally a matter of when, not if, a cyber incident will occur is difficult for many companies. In the past, breach prevention was the only goal, but today, having a security team that is realistic and accepts that a breach is likely will make them stronger and faster to respond. Companies will ultimately be judged on both the controls they had in place to prevent a breach and their response during and after an incident. Incorporating cyber insurance into your overall cybersecurity plan will not only provide peace of mind to your customers, but also help minimize the impact and downtime after an attack.

Managing Cyber Risk

Remain vigilant and protect your company with the most up-to-date cybersecurity and insurance options. Don’t fall for the myths or become numb to the countless news stories of breaches. As it’s commonly said, it’s not if your company will face a breach, it’s when.

Source: Slice
