Aon: Business interruption due to a breach is top cyber risk concern

Findings underscore importance of conducting a cyber risk assessment; Aon outlines three-step approach for assessing cyber risk

Press Release:

CHICAGO (April 11, 2016) – Aon Global Risk Consulting, the risk consulting business of Aon plc (NYSE:AON), the leading global provider of risk management and human resource consulting and outsourcing, today released its 2016 Captive Cyber Survey report, which finds that the cost of business interruption due to a breach is the top cyber risk concern for businesses across all industries.

As Aon’s first cyber captive survey, the findings offer a better understanding of organizations’ current attitude towards cyber threats, risk assessment, insurance purchasing trends and loss adjustment concerns, and provide insight into current retail market trends, including captives and other risk financing solutions.

“Our findings also indicate that there is a disparity between companies recognizing that cyber is one of the fastest growing and permeating risks, and actually understanding what their individual exposures and coverage needs are,” said Peter Mullen, chief executive officer of Aon Risk Solutions’ Aon Captive and Insurance Management practice, who spearheaded the report. “Captives are a great alternative risk transfer solution for bridging this gap while the industry’s approach to cyber risk management catches up to the evolving pace of technology.”

The survey findings indicate that 94 percent of companies would share risk with others in their industry as part of a captive facility writing cyber. What’s more, Aon experts anticipate alternative risk transfer options to become increasingly sought after as these solutions give companies some control over underwriting, coverage scope and claims adjustment, while providing an opportunity to share best practices, experience and data in a private setting.

Additional highlights of the report include:

  • 61 percent of survey respondents buy cyber limits in the $10-25 million range, but overall 60 percent of large companies do not buy cyber insurance
  • Of those that do, 68 percent of companies surveyed buy cyber for balance sheet protection closely followed by ensuring due diligence comfort for the board
  • Only 25 percent of respondents that buy limits are confident that they comply with international best practices and standards for information security governance
  • 95 percent of companies surveyed state clear policy wording as the most important issue in the cyber risk market, and 75 percent of large companies express concerns about the loss adjustment process

“Given the evolving nature and complexity of cyber exposures, we found that the use of cyber risk assessments is surprisingly low,” said Kevin Kalinich, global practice leader for cyber/network risk at Aon Risk Solutions. “Conducting such an assessment is a useful tool for improving risk understanding and maturity as well as for helping organizations better prepare for potential business interruption during or after a breach. Aon is at the forefront of assisting clients to develop and implement a risk assessment approach that is cross departmental and can translate cyber exposures into financial impact.”

Aon recommends the following three steps to begin a cyber risk assessment:

  1. Scenario Analysis: Benchmark the existing cyber risk profile and work with business stakeholders to prioritize cyber risk scenarios
  2. Financial Modeling: Leverage advanced financial simulation tools using deterministic modeling to quantify first and third party costs of select cyber scenarios. Consider performing an analysis on non-damage business interruption scenarios using forensic accounting capabilities.
  3. Insurability Risk Review: Test the adequacy of limits against the assessed cyber risk as well as review the optimization of the proposed insurance program

About the 2016 Aon Captive Cyber Survey

Aon’s 2016 Captive Cyber Survey is designed to offer analysis of top cyber risk concerns, risk assessment approaches, attitudes toward cyber insurance and policy cover and structure. The survey, conducted for the first time in fall 2015, gathered input from risk managers and directors of more than 125 captive insurance companies. The 2016 findings will allow organizations to gain insight into the mounting threat of cyber risk, benchmark their risk management practices and identify approaches that may increase their preparedness.

More information about the 2016 Aon Captive Cyber Survey can be found here: http://www.aon.com/risk-services/cyber.jsp

Edmonton casino victim of cyberattack; employee, customer information stolen

The Canadian Press

EDMONTON — Officials at an Edmonton-area casino are doing damage control after finding out they were the target of a cyberattack that put employee and customer information at risk.

Over the weekend, computer systems at the River Cree Resort and Casino went down, but what happened wasn’t made clear until this week.

General manager Vik Mahajan says at first they thought it was a technical failure but later realized it was an actual attack.

He says there was theft of customer and employee information — though he won’t say how many people are involved — but the incident didn’t affect the casino floor.

Officials say as soon as the attack was discovered, police were contacted, along with cyber security experts at a private company.

Mahajan wouldn’t say what type of cyberattack took place, or what information was compromised.

“We’re trying to sift through all that,” Mahajan says. “I know there’s some personal information in our system that would relate to associates as well as customers and how much of that information is gone, we are trying to determine that.”

River Cree has been contacting people whose information may have been compromised.

The Alberta Gaming and Liquor Commission has been contacted, and is investigating as well.

(CTV Edmonton)

Canada: Legal Trends 2016: Cybersecurity

Article by Blake, Cassels & Graydon LLP

New privacy torts have recently emerged in certain Canadian jurisdictions, including intrusion upon seclusion and publicity given to private life. Intrusion upon seclusion allows a plaintiff to sue if (1) a person has intentionally or recklessly invaded his/her private affairs without justification and (2) a reasonable person would view the invasion as highly offensive. In Ontario, damages of up to C$20,000 are available, even if the plaintiff suffered no economic harm. Publicity given to private life allows a plaintiff to sue for publication of private facts when there is no legitimate public interest. Courts are increasingly certifying class actions for such privacy claims, even absent proof of harm. We expect the number of privacy class actions to continue to grow given the increasing number of data breaches.

TWO | PENDING FEDERAL MANDATORY BREACH NOTIFICATION REQUIREMENTS

Currently, Alberta is the only Canadian jurisdiction that has mandatory requirements to report data breaches outside the health-care context. New mandatory breach notification provisions of the Personal Information Protection and Electronic Documents Act, the federal statute that applies to collection, use and disclosure of personal information for commercial purposes, received Royal Assent on June 18, 2015. However, the act will not become effective until regulations are approved, which is expected to occur in 2016. These regulations will require organizations to notify the Privacy Commissioner of Canada if there is a breach of data security involving personal information in an organization’s control that poses a “real risk of significant harm” to affected individuals. Organizations will also be required to notify government institutions and other organizations of the breach in certain circumstances, including when those other entities may be able to reduce or mitigate the risk of harm to the affected individuals. Additionally, organizations will have to keep records of all sufficiently serious data breaches, even those that do not meet the harm threshold. Knowingly failing to report or record a data breach is an offence punishable by a fine of up to C$100,000.

When the new notification duties become effective, the number of privacy class actions will inevitably increase, as more information about data breaches will be available to plaintiff class counsel.

THREE | BOARD AND MANAGEMENT AWARENESS AND INVOLVEMENT

The rash of recent high-profile cyber breaches, including that of Canadian-based AshleyMadison.com, has made cybersecurity a top concern for Canadian boards. Boards want to better understand not only their role in managing cyber risks in their organizations, but also their exposure for failing to do so. When there is a breach, shareholders and others may sue directors and officers directly for the breach. Under the Canada Business Corporations Act, directors and officers are required to exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances. As a result, Canadian boards are increasingly trying to determine how to provide effective oversight of cyber risks within their organizations. Questions that Canadian boards are frequently asking relate to the board’s role in ensuring that effective governance structures for managing cyber risks are established, top-level security and privacy policies are put in place, security programs are implemented and regularly assessed, and security incident response protocols are established and regularly tested.

FOUR | THIRD-PARTY SERVICE PROVIDERS

It is no longer sufficient for organizations to focus only on the security of their own internal networks. As a result of cloud computing, data is increasingly in the custody of third-party service providers. Recognizing the risks posed by working with external providers, Canadian organizations are taking steps to better understand their external providers’ security practices and business continuity programs. While pre-engagement security assessments are currently quite common for organizations that entrust sensitive data to external providers, in light of information security management industry standards, the trend is moving toward regular, in-term security assessments.

An organization should consider imposing information security obligations in its contract with an external provider, where the provider has custody of the organization’s sensitive data or where the provider’s network “connects” to the organization’s network. Careful thought should be given to the appropriate security controls to apply to the provider, which may include a requirement for the provider to comply with one or more (or a combination) of the organization’s own security policies, the provider’s security policies and/or applicable ISO or other industry security standards. Rights to conduct security audits or assessments of the provider’s operations and receive audit reports or other regular reporting on security events from the provider should also be considered and spelled out in the contract. The contract with the provider should also specifically address how security breaches suffered by the provider should be reported, handled and managed. Of course, the contract should include sufficient provider obligations to enable the organization to comply with its data breach notifications and any other privacy and security obligations under applicable laws. Liability for data breaches should be allocated between the organization and the provider.

An organization should also consider whether a provider should be required to purchase cyber-liability insurance (if practicable) and whether the organization itself should obtain additional coverage to further mitigate its cyber-risk exposure.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Pink Shirt Day focuses on the importance of Kindness

Since 2008, over $1.2 million has been raised for the cause through the sale of pink shirts and granted to non-profit organizations including Boys & Girls Clubs, Red Cross RespectED Violence Prevention Program, and Kids Help Phone. These programs teach children empathy, kindness and the importance of building healthy relationships – both with themselves and their peers.

The t-shirt design was created pro bono by award-winning advertising agency ‘Rethink’ and states “Kindness is one size fits all”. Kindness is universal — a trait the CKNW Orphans’ Fund encourages everyone to express openly every day. The phrase “one size fits all” works for one simple reason: it stands for inclusiveness, both in clothing and in our everyday lives. We’re all gloriously different, but we all have the capacity to put kindness out into the world.

Coast Capital Savings, a large supporter and presenting sponsor of Pink Shirt Day, is passionate about the cause. “Our community promise is to help build a richer future for youth. One of the ways we do this is by supporting anti-bullying initiatives, like Pink Shirt Day, that teach kindness and respect, attributes that are important in helping to build belonging,” says Wendy Lachance, Director, Community Leadership.

Some fundraising campaigns are also running across the province in the month of February including pink cupcakes at Take Five Café, classes by donation on Pink Shirt Day at YYoga and more.

Net proceeds will benefit the CKNW Orphans’ Fund in support of anti-bullying programs in BC. For updates on CKNW Orphans’ Fund Pink Shirt Day, please visit www.pinkshirtday.ca, on Twitter @pinkshirtday, and on Facebook.

About Pink Shirt Day: In 2007, two Nova Scotia students decided to take action after witnessing a younger student being bullied for wearing a pink shirt to school. The students bought 50 pink t-shirts and encouraged schoolmates to wear them and send a powerful message of solidarity to the bully. CKNW Orphans’ Fund was inspired by the story and to date has raised more than $1.2 million for anti-bullying programs in British Columbia with the sales of Pink Shirt Day T-Shirts.

About CKNW Orphans’ Fund: Dedicated to enhancing the lives of children with social, physical and mental challenges living in BC communities. We provide funding to both individual children and organizations for a variety of developmental needs, with an emphasis on therapies, educational bursaries, and specialized medical equipment.

Are you compliant with the anti-bullying laws?

Ontario, Manitoba, Québec and Saskatchewan have already introduced legislation against bullying and B.C. recently enacted Bill 14 [Workers Compensation Amendment Act] to address the effects of bullying at work.

Become compliant with existing laws. Complete ILScorp’s “Understanding Workplace Bullying & Tools for Safeguarding an Organization from Bullying Behaviour” courses.

With these anti-bullying courses you will:

  • determine whether a problem exists in a workplace
  • learn how to prevent incidents
  • gain tools for safeguarding your organization from bullying behaviour
  • develop a workplace bullying prevention program

This course is included free of charge as part of your ILS General CE Course Subscription. This course is General and Adjuster CE accredited, however, ILScorp recommends that all employees receive this training for law compliance.

Cyber Incidents Rank as Top Concern for Canadian Businesses

TORONTO–(BUSINESS WIRE)–The risk landscape for businesses is substantially changing in 2016. While businesses are less concerned about the impact of traditional industrial risks such as natural catastrophes or fire, they are increasingly worried about the impact of other disruptive events, fierce competition in their markets and cyber incidents. These are the key findings of the Allianz Risk Barometer 2016, the fifth annual survey on corporate risks published by Allianz Global Corporate & Specialty® (AGCS), which surveyed over 800 risk managers and insurance experts from more than 40 countries.

According to the Allianz Risk Barometer, Business and Supply Chain Interruption (BI) remains the top risk for businesses globally for the fourth year in succession. However, many companies are concerned that BI losses, which usually result from property damage, will increasingly be driven by cyber-attacks, technical failure or geo-political instability as new “non-physical damage” causes of disruption.

Market Developments, which consist of market volatility, intensified competition and market stagnation, together with Cyber Incidents, debuted in the top three global business risks; Cyber Incidents also was cited as the most important long-term risk for companies in the next 10 years. In contrast, Natural Catastrophes dropped two positions to fourth year-over-year, reflecting the fact that in 2015 losses from natural disasters reached their lowest level since 2009.

In Canada, Cyber Incidents was cited by 57% of respondents as the top business risk, followed by BI (37%); Natural Catastrophes, Changes in Legislation/Regulation and Loss of Reputation/Brand Value all tied for third place (23%).

“Canadian companies are becoming more aware of cyber risks and the need for coverage is increasing,” said Ulrich Kadow, chief agent for Canada. “The Canadian cyber market is experiencing a changing regulatory landscape and Allianz is investing into products and risk management strategies to help our clients manage this exposure.”

Globally, Cyber Incidents gained 11 percentage points year-over-year, to move from fifth position to third place (28% of global responses). In contrast, five years ago, Cyber Incidents was identified as a risk by just 1% of responses. Loss of reputation (69%) is cited as the main cause of economic loss for businesses after a Cyber Incident, followed by BI (60%) and liability claims after a data breach (52%).

Specific risk profiles for regions and sectors

In addition to a regional analysis (including Canada/North America), the Allianz Risk Barometer also explores sector-specific risks, for example, in manufacturing, marine & shipping and other major industries.

For more information and to download the full report, please visit: http://www.agcs.allianz.com/assets/PDFs/Reports/AllianzRiskBarometer2016.pdf

About Allianz Global Corporate & Specialty

Allianz Global Corporate & Specialty (AGCS) SE is the Allianz Group’s dedicated carrier for corporate and specialty insurance business. AGCS provides insurance and risk consultancy across the whole spectrum of specialty, alternative risk transfer and corporate business: Marine, Aviation (incl. Space), Energy, Engineering, Entertainment, Financial Lines (incl. D&O), Liability, Mid-Corporate and Property insurance (incl. International Insurance Programs).

Worldwide, AGCS operates in 28 countries with own units and in more than 160 countries through the Allianz Group network and partners. In 2014 it employed more than 3,500 people and provided insurance solutions to more than half of the Fortune Global 500 companies, writing a total of €5.4 billion gross premium worldwide annually. AGCS SE is rated AA by Standard & Poor’s and A+ by A.M. Best.

Contacts:

Allianz Global Corporate & Specialty
Sabrina J. Glavan, 646-472-1510
sabrina.glavan@agcs.allianz.com
or
Harden Communications Partners
Erin Burke, 631-239-6903
eburke@hardenpartners.com

Cybersecurity Incidents In Canada Increased by 160% Year Over Year

TORONTO – According to PwC’s Global State of Information Security® (GSISS) Survey 2016, Canadian companies are taking steps towards establishing holistic, integrated safeguards against cyberattacks. While investment in safeguards against cybersecurity threats has increased by 82% year over year, it still accounts for an average of only 5% of overall IT (Information Technology) spending.

Because of the impact cybersecurity attacks can have on the overall health of a company and a brand, boards are playing an increasingly significant role in informing the development of cybersecurity strategies. In fact, this year’s report found that 50% of Canadian companies surveyed indicated that their board participates in defining their organization’s security budgets, compared to only 25% in 2014.

As part of an expanding digital service offering, PwC Canada is launching Game of Threats™, a digital game that simulates the speed and complexity of real-world cyber breaches to help executives better understand how to resource and protect companies. Using gaming theory, the interactive game replicates real-world challenges faced by companies on a daily basis. Users will learn about different threats, identify reputational, operational, financial and regulatory impacts as well as understand what can be done to prevent an attack.

“Overall, the Canadian data provides solid evidence that Canadian companies are taking steps towards mitigating cyberattacks but the threat is still very real,” said Richard Wilson, Partner, Cybersecurity & Privacy Practice, PwC Canada. “Canadian business and public sector leaders need to better understand the full range of impacts a cybersecurity breach can have on their organizations. This issue has evolved far beyond data loss. Beyond financial and reputational damages, we are seeing impacts to competitiveness, product and service quality, employee retention, and the health and safety of both employees and the public.”

“There are 3 areas where public and private sector organizations are heavily investing in cybersecurity right now,” said David Craig, Partner, Cybersecurity & Privacy Practice, PwC Canada. “Solutions to manage how employees, customers and third parties access and use data, outsourced Managed Security Services to monitor and detect security events more efficiently, and data privacy compliance in anticipation of mandatory breach notifications.”

According to the GSISS report, harnessing the power of cloud-based cybersecurity as a viable tool in Canada has led companies to greater productivity such as streamlined monitoring, advanced authentication, and threat intelligence. Overall, Canadian companies surveyed matched their global counterparts on the adoption of cloud-based cybersecurity services.

Additional notable findings in this year’s report include:

  • Evolving Cybersecurity Roles: 50% of respondents have a CISO (Chief Information Security Officer) in charge of the security program.
  • Investing in Insurance: Technically adept adversaries will always find new ways to circumvent security safeguards. That’s why many businesses (59%) are purchasing cybersecurity insurance to help mitigate the financial impact of cybercrimes when they do occur.
  • Threats at Home and Abroad: Incidents attributed to foreign nation-states increased the most (up 67% YoY) while current or recent employees continue to be the most cited source of incidents (66%).

To explore the Canadian insights emerging from this year’s survey please visit: www.pwc.com/ca/gsiss.

About PwC Canada

PwC Canada helps organizations and individuals create the value they’re looking for. More than 6,500 partners and staff in offices across the country are committed to delivering quality in assurance, tax, consulting and deals services. PwC Canada is a member of the PwC network of firms with more than 195,000 people in 157 countries. Find out more by visiting us at www.pwc.com/ca.

© 2015 PricewaterhouseCoopers LLP, an Ontario limited liability partnership. All rights reserved.

PwC refers to the Canadian member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

SOURCE PricewaterhouseCoopers (PwC Management Services LLP)
