Quebec-based credit union federation learned of data breach from police
During this session we will begin by discussing recent changes made to the Personal Information Protection and Electronic Documents Act. This is a natural springboard when discussing cyber insurance with clients. Next, we will briefly look at today’s cyber insurance marketplace to review common challenges. Then we will roll up our sleeves and get into the actual coverage forms most common in our market. Data Compromise Coverage, Computer Attack Coverage and Network Security Liability Coverage are the three major topics.
Access Duration from the Date of Purchase: 6 months
Credit Hours: 3
Credit Type: General/Adjuster – Technical and RIBO – Technical
Credit #: AIC#50977;MB32089
Accrediting Provinces: BC, AB, SK, MB, ON
Access Duration from the Date of Purchase: 6 months
Credit Hours: 3
Credit Type: ChAD – Insurance Technique
Credit #: AFC11036
Accrediting Provinces: QC
WHITEHOUSE STATION, N.J., Jan. 8, 2019 /CNW/ — As business decision-makers look to the year ahead, it is critical to address existing and new cyber security concerns. To help with that process, Chubb has launched its first annual cyber security predictions, which focus on the top risks in 2019 and beyond.
“The cyber risk landscape is constantly evolving — it’s vital to stay on top of potential risks as they emerge,” said Michael Tanenbaum, Head of Chubb Cyber North America. “We expect shifts in the regulatory landscape, changes to the fundamental models of cyber crime, and additional risks brought on by the explosive growth in Internet of Things (IoT) devices. It is critical to stay abreast of these things in 2019.”
“Throughout the years, we have seen everything from Y2K to today’s mega-breaches and the evolution of cyber crime,” said Bill Stewart, Division President of Chubb’s Global Cyber Risk practice. “We continue to stay ahead of the latest cyber risks to help our clients protect against and respond to an ever-increasing cyber threat.”
Chubb, an innovator in the cyber insurance space, has more than 20 years of experience writing cyber insurance policies. Based on that experience, the Chubb Cyber practice has issued the following three cyber security predictions for 2019 and beyond:
Cybersecurity regulation and enforcement will increase and focus more on actions taken by businesses pre-incident, in addition to post-incident protocol.
Until now, regulatory efforts have largely focused on steps businesses must take after a cyber incident, including fixing vulnerabilities, notifying law enforcement, and notifying customers. Chubb anticipates this will change as lawmakers also focus regulatory attention on companies’ data collection and data usage practices, as well as on the actions that organizations should take to better prevent a cyber incident from occurring in the first place. This phenomenon has already begun to take hold in the United States with laws such as the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation and the California Consumer Privacy Act, which have put new obligations on organizations to not only protect the information they collect, but also to ensure that they are allowed to collect such information, that they are using that information legally, and that they remain responsible for that information when they share it with a third party.
Additionally, this trend has been seen globally, which impacts many more businesses now than ever before. The internet and virtual connection has provided great opportunity to many organizations, but it could also be subjecting them to the laws of the jurisdictions in which their new customers reside. Thus, organizations not only need to ensure that they are in compliance with the laws of the state in which they physically operate, but also determine if they are subject to the laws of the locations where they virtually operate. In the coming years, organizations of all sizes can expect to see increased data regulation in the United States and abroad, which will focus on data privacy, data use, as well as data security.
Crime does pay, and business is booming: the business model of cyber crime will tilt heavily toward direct monetization attacks.
During the past 20 years, the dark market has become saturated with private records and personally identifiable information (PII). In 2019, rather than seeking additional PII, cyber criminals will prioritize attacks that result in direct monetization as they operationalize PII that they’ve already obtained. In order to pursue these types of attacks, criminals will continue to employ ransomware.
Already a threat on the rise, ransomware will continue to grow and will remain a top cyber threat for the next five years, and will become even more destructive and costly. Social engineering financial fraud also will ramp up, and cryptojacking — the unauthorized use of someone’s computer to mine cryptocurrency — will be employed heavily by cyber criminals.
Cyber criminals will target individuals just as much as businesses as billions of Internet of Things (IoT) devices come online.
As billions of additional IoT devices come online during the next year, cyber criminals will have even more avenues to target individuals. As device use overlaps between enterprise and individual, we will see more targeted ransomware and phishing attacks. Video and audio capabilities on devices — from smartphones to refrigerators, smart assistant devices, and nanny-cams — will help cyber criminals gather personal information and images. Bad actors can gain access to businesses through personal devices — particularly when businesses allow individuals to connect with their personal devices through an enterprise server. As an increasing number of IoT devices come online, businesses will need to monitor vigilantly to intercept and short-circuit cyber risks.
As always, business leaders should look to defend their companies from cyber attacks rather than react to cyber attacks. As cyber threats evolve, cyber insurance will play a key role in the awareness, preparedness, and resiliency of governments, corporations, and individuals.
To learn more, visit www.chubb.com/cyber. Here you will find a host of cyber-related resources, including access to The Chubb Cyber Index℠, which provides real-time access to proprietary Chubb claims data and insight into current cyber threats and how you can protect your company against them.
Chubb is the world’s largest publicly traded property and casualty insurance company, and the largest commercial insurer in the United States. With operations in 54 countries and territories, Chubb provides commercial and personal property and casualty insurance, personal accident and supplemental health insurance, reinsurance and life insurance to a diverse group of clients. As an underwriting company, we assess, assume and manage risk with insight and discipline. We service and pay our claims fairly and promptly. The company is also defined by its extensive product and service offerings, broad distribution capabilities, exceptional financial strength and local operations globally. Parent company Chubb Limited is listed on the New York Stock Exchange (NYSE: CB) and is a component of the S&P 500 index. Chubb maintains executive offices in Zurich, New York, London and other locations, and employs approximately 31,000 people worldwide. Additional information can be found at: chubb.com.
Hackers are targeting Toronto-Dominion Bank’s internal systems at all hours using cutting-edge techniques, but the bank’s head of cybersecurity isn’t losing sleep over them — they work for him, after all.
The bank established late last year an in-house “red team” of ethical hackers — cybersecurity professionals who attempt to hack a computer network to test or evaluate its security on the owners’ behalf — who conduct live attacks against its own networks continuously, said Alex Lovinger, TD Bank’s vice-president of cyber threat management.
“We’re doing it exactly how our adversaries would do it… So if we find a weakness or something like that, we can close it or address it before a real attacker,” he said.
Canada’s biggest banks are fortifying their defences by hiring their own ethical hackers to test their systems as the frequency and sophistication of cyberthreats increases.
A Senate report last month entitled “cyber.assault: It should keep you up at night” sounded the alarm about the potential consequences of major cyberattacks in Canada.
“While some progress has been made federally in the past year, there is much more that the federal government and Canadians must do to protect ourselves,” said the report of the Standing Senate Committee on Banking, Trade and Commerce. “We must take the appropriate steps now, or soon we will all be victims.”
Bank of Canada governor Stephen Poloz has also raised concerns about a cyberattack.
In 2017, 21 per cent of Canadian businesses reported that they were impacted by a cyber security incident which affected their operations, according to Statistics Canada. Banking institutions, not including investment banks, reported the highest level of incidents at 47 per cent, followed by universities and the pipeline transportation subsector, according to the agency.
New regulations that require Canadian businesses to alert their customers about privacy breaches or face hefty fines took effect at the beginning of this month.
In May, the Bank of Montreal and the Canadian Imperial Bank of Commerce’s Simplii Financial digital banking brand said thousands of their customers may have had their personal and financial data compromised.
BMO said hackers contacted the bank claiming to be in possession of the personal data of fewer than 50,000 customers, and that the attack originated outside of Canada. At the same time, Simplii also warned that “fraudsters” may have accessed certain personal and account information for about 40,000 clients.
BMO’s chief executive Darryl White said he could not comment on the details of the privacy breach, as an ongoing investigation is underway, but noted there was a “very immaterial impact from a fraud perspective” and no material financial fallout.
“We are a lot smarter as every event goes on. And there are events every day, there are events every hour of every day… It’s a continual improvement exercise,” White told reporters after the bank’s recent investor day.
Meanwhile, BMO is also turning to in-house ethical hackers to test their systems. According to a recent job posting, BMO is seeking a senior manager with a certification in ethical hacking and whose responsibilities include managing a team of “network penetration testing” specialists.
CIBC did not respond to questions about whether it utilizes ethical hackers.
“We leverage internal and external expertise, and work closely with industry and government to enhance cyber security resilience, threat intelligence and best practices,” a spokeswoman said in a statement.
Alberta-based bank ATB Financial in a recent job post said it was recruiting a “Senior Penetration Tester” with ethical hacking experience. An ATB spokeswoman said the posting is to fill a recently vacated role.
The Bank of Nova Scotia also established its own in-house “red team” of hackers to test its defences, said its chief information security officer Steve Hawkins.
“Scotiabank has used and continues to use third-parties to handle this penetration testing. However, because the volume of global cyber threats has significantly risen, the Bank wanted to have its own capabilities in-house and created its own red team this year,” he said.
With the string of data breaches in recent years, what does worry TD’s Lovinger is the cumulative amount of data that has been exposed.
“Hackers now sit on a wealth of information… That they can now leverage to do more targeted attacks,” he said.
Royal Bank of Canada has had in-house ethical hacking capabilities for a few years now, as part of its cybersecurity program, said Adam Evans, the bank’s vice-president of cyber operations and chief information officer.
“We want to make sure that we are testing our defences to make sure they stay relevant,” he said.
RBC has been upping its cybersecurity budget and adding to its team annually. It now has roughly 400 cybersecurity professionals, up 50 per cent from three years ago, but a talent gap looms, Evans said.
Demand for talent in Canada is climbing by seven per cent annually and there will be more than 5,000 roles to fill between 2018 and 2021, according to Deloitte. By 2022, the cybersecurity workforce gap is expected to reach 1.8 million, it said.
As of October, there were 1,024 cybersecurity vacancies for every million Canadian job postings, up five per cent over the past year, according to Indeed Canada. That’s up 73 per cent since the beginning of 2015, said Brendon Bernard, an economist for the job search platform.
Meanwhile, several Canadian banks have made recent investments in research or capabilities abroad or in universities at home to tap cybersecurity talent. For example, TD opened a cybersecurity-focused office in Tel Aviv, Scotiabank announced a partnership with an Israeli cybersecurity company and RBC made an investment in research at Ben-Gurion University.
“With the talent gap in cyber, it’s something that organizations are going to have to address,” said Evans. “Because there is just not enough qualified people out there.”
Canada’s privacy commissioner is planning to issue guidance for buyers and sellers of legal cannabis amid ongoing concern about potential fallout, such as being barred from the United States, if transactions become known by third parties.
The concern has been heightened in provinces where anonymously paying cash in-store is not possible in light of a controversial Statistics Canada initiative to obtain detailed bank records from all Canadians.
“Our office recognizes the sensitive nature of cannabis-related transactions, particularly if information about those transactions is processed in a jurisdiction where cannabis consumption is not legal,” said Tobi Cohen, a spokeswoman for the federal privacy commissioner. “Organizations need to make it plain to individuals that their information may be processed in a foreign country, and that it may be accessible to law enforcement and national security authorities of that jurisdiction.”
British Columbia has already issued its own guidance and privacy-protection tips. For example, it notes that online sellers collect personal information such as name, date of birth, home address, credit card number, purchase history and email address.
“Providing personal information, especially through online formats, creates additional security risks,” the document by B.C.’s privacy commissioner notes. “Cannabis is illegal in most jurisdictions outside of Canada; the personal information of cannabis users is therefore very sensitive.”
Legal online purchases across Canada show up on bank statements in a variety of ways, depending on the retailer.
In Manitoba, for example, an order from the outlet Delta 9 shows up as “D9-2 -8675309 Winnipeg MB,” while purchases in British Columbia appear as “BCS Online Vancouver.” Those in Nova Scotia are recorded as coming from the provincial liquor corporation: “NSLC #2098/e-commerce Halifax.” Similarly, in Newfoundland and Labrador, orders register as “NLC #700 St. John’s N.L.”
In Ontario, where the only way to buy marijuana legally is online through the Ontario Cannabis Store using a credit card, transactions show up as “OCS/SOC.”
Jesse, 39, of Toronto, who’s in marketing and who asked his last name not be used, said he has mixed feelings about “OCS/SOC” appearing on his credit-card statement.
“I’m not crazy about being potentially profiled at the U.S. border because of a purchase that’s thrown up in my credit history,” Jesse said. “At the same time, I’m not losing sleep over it because there’s no precedent (for that) yet.”
In the pre-legal era, online outlets usually masked credit-card purchases, perhaps by using a generic notation such as “Organics,” and some still do so now. However, a spokeswoman for the Ontario Cannabis Store said such an approach doesn’t fly.
“As a legal business operating in Ontario, it is required that we operate with transparency,” Amanda Winton said. “This includes using our registered business name for payment services.”
Ontario’s privacy commissioner, Brian Beamish, said his office recommends redacting sensitive information in a case where, for example, a landlord might ask a prospective tenant for a credit card statement. Beamish also said a generic name used to record cannabis transactions could become widely known.
“The key issue here is the protection of bank information, whether it’s related to legal cannabis transactions or any other personal banking decision,” Beamish said.
Troy Patterson, who works with a licensed cannabis producer in Kincardine, Ont., said pot is legal and he wasn’t particularly worried about purchases showing up on credit card or similar statements.
More than one in five Canadian companies say they were hit by a cyberattack last year, with businesses spending $14 billion on cybersecurity as they confront greater risks in the digital world, according to a new Statistics Canada survey.
The most common suspected motive was an attempt to steal money or demand a ransom payment, according to the survey. Theft of personal or financial information was less typical (less than one-quarter of the cyberattacks), though it was the most cited reason for investing in cybersecurity, StatCan said.
“Canadian businesses continue to rapidly embrace the Internet and digital technologies, which expose them to greater cybersecurity risks and threats,” the agency said in a release Monday.
“However, the impact of these risks and threats on the investment and day-to-day decisions of businesses are not easily understood as cybersecurity incidents often go unreported.”
Only 10 per cent of businesses affected by a cyberattack reported it to law enforcement agencies last year, StatCan said.
That may change after Nov. 1, when key provisions of the three-year-old federal Digital Privacy Act come into effect, requiring companies to tell Canadian consumers when their personal information is breached.
In Europe, a sweeping new privacy law introduced in May imposed strict rules around data security and personal privacy, affecting Canadian companies that offer products or services to European Union consumers — and that could face fines of up to 20 million euros for violations.
In 2017, Canadian businesses shelled out $8 billion on cybersecurity staff and contractors, $4 billion on related software and hardware and $2 billion on other prevention and recovery measures, the survey found. The total represented less than one per cent of their total revenues.
Large businesses (those with 250 or more employees) were more than twice as likely as small ones (between 10 and 49 employees) to be apparent targets, according to the report. It said the attacks resulted in an average of 23 hours of “downtime” per company in 2017.
Data breaches have become a familiar feature on the corporate landscape. Last week, Facebook said an attack on its computer systems announced two weeks earlier had affected 30 million users.
In August, some 20,000 Air Canada customers learned their personal data may have been compromised following a breach in the airline’s mobile app.
The Bank of Montreal and the Canadian Imperial Bank of Commerce both suffered data breaches last May. Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and 100,000 Canadians.
In the past three years, millions of consumers have been affected by hacks against a panoply of companies including British Airways, Uber, Deloitte, Ashley Madison and Walmart.
“There’s a lot more to come,” said Amir Belkhelladi, who runs cybersecurity for Deloitte in Eastern Canada. “Technology is becoming essential in our life, so cybercrime that leverages that technology is likely to increase.”
Belkhelladi welcomed the StatCan survey, the first of its kind in the country, as a basic metric to rank Canada against other countries, but stressed the less concrete consequences of cybercrime.
“The reality for many of the businesses and organizations out there, it’s an impact on their business reputation. That’s much less tangible, that’s much harder to quantify,” he said.
While many large companies now have sturdier safeguards, such as cyber-liability insurance, soft points along the supply chain can still open the backdoor to a breach.
“Very often you’ll see instances where the attack came through a supplier of some sort, or someone who’s in their ecosystem who’s trusted,” said Belkhelladi.
Data for the survey, titled the Canadian Survey of Cyber Security and Cybercrime and conducted on behalf of Public Safety Canada, were collected between January and April 2018, with a sample size of 12,597 businesses and a response rate of 86 per cent.