The Geneva Association is launching a joint task force on cyber terrorism and cyber warfare with the International Forum of Terrorism Risk Reinsurance and Insurance Pools (IFTRIP). The special-purpose task force aims to conduct research on cyber terrorism risks across the re/insurance industry. Its initial findings will be published in mid-2020.
The launch of this new task force was announced at the IFTRIP 2019 International Conference in Brussels, Belgium. It will be led by Rachel Anne Carter, the Geneva Association’s Director of Cyber, supported by Julian Enoizi, CEO of Pool Re, and Christopher Wallace, CEO of Australian Reinsurance Pool Corporation and president of IFTRIP.
In an increasingly demanding economy where time and efficiency are crucial, it’s incumbent on small business owners to ensure their proverbial ducks are in a row. Perhaps none of those ducks are more important than security, namely cybersecurity. Having e-commerce protection for both consumers and owners is essential to ensure your business doesn’t suffer from potential privacy breaches. In partnership with Intact Insurance, we’ve identified five reasons why cybersecurity should be top priority for your business.
1. Protect your business from phishing schemes
One of the biggest online foes for small businesses is the phishing scheme. According to this 2019 US report, one in every 99 emails is a phishing attempt. This is when a scammer pretends to be a legitimate company or individual in the hope of receiving your personal, banking or credit card information. Opening these emails can open up a Pandora’s box of problems. It’s important that business owners and employees recognize the characteristics of these emails to avoid becoming a victim. If you don’t recognize the company or the name of the sender, don’t open the email. If you’re still unsure, call the company directly, using a number you already have rather than one in the email, to verify its authenticity.
“Invest in the ongoing training of your employees and managers to be able to recognize phishing scams,” recommends Yan Lacoursière, Senior Loss Prevention Consultant at Intact Insurance. Scammers exploit human factors to trick you, such as a lack of awareness or a willingness to help. “Remember, when in doubt, don’t click on anything and don’t give away any sensitive information,” he says.
2. Protect your business from denial of service attacks
Cybersecurity has also grown in importance because phones and tablets can now do everything traditional computers can. However, every internet-facing system is also exposed to attacks from outside, including a DDoS, or distributed denial of service attack. This is a malicious attempt to take your server offline by flooding the website with more traffic than it can handle. A strong preventive measure is a cloud-based DDoS mitigation service, which is what keeps a website running during an attack. Routing your traffic through the mitigation platform lets it filter out malicious traffic before it reaches your server.
3. Protect your business from online hackers
No matter the size of the company or its location, the threat of hackers stealing sensitive information is very real. According to the Insurance Bureau of Canada, nearly one in five small businesses (18%) have been affected by a cyber attack or data breach in the last two years. This applies not only to your company’s website but to all social media and email accounts, too. Reduce the online threat by changing passwords regularly (quarterly is recommended) and disabling auto-fill forms. Store data in a virtual data room and hide admin pages from search engines, so hackers can’t find them easily. Above all else, keep your operating system and antivirus programs up to date to stay protected from malware.
4. Protect your business from wi-fi eavesdropping
By default, wi-fi is not secure. Public hotspots typically don’t use encryption, so they provide no protection at all when you are on a public network. If you’re working remotely, the best way to secure data is to connect to a Virtual Private Network (VPN). All traffic from your or your employees’ computers is then sent through an encrypted tunnel, making it extremely hard for anyone to eavesdrop and capture passwords, emails or file transfers.
5. Have the right insurance when all else fails
The cost of repairing a breach and covering legal expenses could set you and your company back. Contact your broker to learn how privacy breach coverage can manage the impact caused by theft, loss, or unauthorized access to your customers’ or employees’ personal information. Running a small business online can be both overwhelming and exciting. By staying informed and taking the right steps, you can ensure the safety of your business, employees and clients’ data. Not only that, you’ll be able to watch your business grow and fulfill your dreams.
Last Updated: September 19 2019
Article by Deepshikha Dutt
In the past decade, there have been several reports of cybersecurity attacks and data breaches at large corporations.[1] In many cases, those affected by the breach want to hold the directors and officers accountable, as they feel the corporation failed to implement the proper security measures to prevent a breach from happening or did not effectively handle the aftermath of the breach. However, directors and officers generally enjoy limited personal liability, subject to a few exceptions.[2] Nevertheless, as more specific guidance emerges for directors and officers handling cybersecurity issues, the scope of this liability may widen.[3] Thus, directors and officers should not take comfort in the substantial barriers that prevent them from being held liable for issues relating to the organization.[4] In fact, despite these substantial barriers, shareholders continue to pursue derivative actions against directors and officers.
This article will discuss the scope of personal liability directors and officers face relating to cybersecurity breaches, and recent actions pursued against directors and officers in Canada and the US. Following the article, key takeaways will be provided.
Scope of liability
Cybersecurity poses a significant threat to directors and officers as cyber threats continue to emerge, and the rules and regulations that guide cybersecurity continue to evolve. Directors and officers may be held liable in the event of a cybersecurity attack if they are found to have breached their duty of care or to have failed to comply with any disclosure requirements. Moreover, directors and officers can be personally liable where a company fails to comply with Canada’s Anti-Spam Legislation (CASL).[5]
Directors and officers have a duty to exercise reasonable care and diligence, both at common law[6] and under corporate statutes.[7] Failure to oversee the company’s cybersecurity measures adequately, before and after a breach occurs, could be considered a breach of this duty.[8] Moreover, failure to comply with federal and provincial disclosure requirements after a breach could lead to liability for secondary market misrepresentation.[9]
Therefore, having an appropriate response or compliance plan, and effective security measures to protect the company against future cyber threats, is essential. This will help support any claim by a director or officer that all requisite care and diligence was exercised, and that all regulations were complied with.[10]
Lastly, directors and officers can be held personally liable and fined where the company has violated CASL. Penalties for non-compliance with CASL carry a maximum fine of CA$1 million for individuals and CA$10 million for organizations.[11] Moreover, directors and officers can be vicariously liable for an organization’s non-compliance even where the regulator, the Canadian Radio-television and Telecommunications Commission (CRTC), does not pursue the organization. In fact, the CRTC has made a public statement that directors and officers cannot hide behind their company’s structure or online entities to avoid liability.
Derivative actions in Canada and the US
Currently, there have not been any attempts at a lawsuit against directors and officers in relation to cybersecurity in Canada.[12] However, given the number of derivative actions commenced in the US, it is possible that they could give rise to such claims in Canada. The US has seen several derivative action suits against directors and officers relating to cybersecurity over the past few years.[13] All but one have been unsuccessful, largely for technical and procedural reasons. However, in January 2019, a derivative action lawsuit settled for US$29 million, compensating the plaintiffs significantly.[14] This is the first time shareholders have been awarded monetary damages in a breach-related derivative lawsuit. This settlement could mark the beginning of successful derivative action lawsuits, and inspire others to pursue civil actions against directors and officers for cybersecurity breaches. Moreover, this settlement can be used as a benchmark for future civil actions when deciding on the amount to be awarded. Effectively, this settlement may not only affect civil actions in the US, but also allow derivative actions to gain traction in Canada.
Penalties for violation of Canada’s Anti-Spam Legislation
More recently, the CRTC has held directors and officers personally liable for a company’s violation of CASL. On April 23, 2019, the CRTC found that a coupon marketing company, nCrowd, had violated CASL, and found the former CEO of the company to be personally liable.[15] As a result, he received a CA$100,000 fine. Further, a different company that was also part of this scheme with nCrowd had also violated CASL, and the CRTC held this company’s CEO vicariously liable for the violation. As a result, he received a fine of CA$10,000. Ultimately, liability under CASL can extend beyond the corporation to any person who authorized, acquiesced in or participated in the commission of the violation.
Key takeaways
- Directors and officers should familiarize themselves with all regulatory guidelines to protect the company from a data breach and to avoid being personally liable for the breach;
- D&O liability insurance does not always offer protection for cyber-related incidents or threats. It is important to confirm whether this is protected and the scope of protection provided. Not having proper protection could expose directors and officers to liability and significant payouts;
- There have been no derivative action attempts relating to cybersecurity breaches in Canada, but given the current climate in the US, it is possible this will encourage such claims to occur in Canada; and
- Directors and officers can be held either personally or vicariously liable for a company’s violation of CASL if that individual played some role in the commission of the violation.
Cybersecurity attacks and data breaches are inevitable and can happen to any organization, so they remain a significant threat to corporate governance. While a cybersecurity attack is a crime, directors and officers may still be held liable for a breach if they failed to oversee the company’s security measures prior to the breach, or failed to take the necessary course of action after the breach occurred. Ultimately, boards of organizations must recognize the current cybersecurity environment and assemble a reasonable plan to respond to these threats when and if they occur. Our final article will provide key takeaways and best practices for both insureds and insurers in relation to cybersecurity risks.
A special thank you to Emeleigh Moulton (summer student) for her assistance with this article.
Dentons is the world’s first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world’s largest law firm, Dentons’ global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com
There’s a lot of existing advice and information on cybersecurity out there, but don’t fall victim to any of these common misconceptions that give you a false sense of security.
Myth #1 – All your vendors maintain appropriate security controls
The reality is, your organization’s security is only as strong as your weakest vendor. Vendors can create unforeseen vulnerabilities by not adhering to their own policies. When you first contracted with a vendor, their cybersecurity controls may have been sufficient, but are they continuing to comply with and update them in response to the changing cybersecurity landscape? In the past, each cyberattack would be looked at individually, but now attackers chain compromises together, creating a domino effect from one organization to the next. Many of the large breaches we’ve all heard about can be attributed to a hacker compromising a vendor and leveraging that access to pivot and attack the vendor’s customers. Make sure you’re checking in quarterly or annually to ensure that your partner’s policies and procedures are up to date, reflect current practices and are being followed. Additionally, request that they provide a copy of their cyber insurance policy.
Myth #2 – Cloud services have built-in cyber protections
Almost every company utilizes cloud services in one form or another. The security team of a cloud service provider is on the front lines of the internet’s most critical information security issues, and their domain continues to expand. Cloud providers have responded by operating within a shared responsibility model. The cloud provider controls the physical servers through to the configuration level that is accessible to users. The user retains responsibility for the actual data and services being run on the virtual server, unless otherwise stated in your contract. It’s essential that organizations thoroughly understand their responsibilities and how best to leverage the provided security features so that they take the necessary precautions to avoid an incident. A hybrid security plan that takes into account both on-premises and cloud systems is critical.
Myth #3 – It’s possible to predict the next big cyber attack
Today’s headlines are full of cyber breaches that impact not only the companies that experienced the breach, but their customers and beyond. Though there’s a lot of dialogue around the devices, companies and systems that could potentially be attacked, there is no way to predict exactly when or where the next large-scale attack will occur. This is very similar to thinking we can predict earthquakes; despite monitoring seismic activity for patterns, there is no way to predict exactly when and where the next “big one” will occur. So how should businesses and consumers prepare for a cyberattack? If you lived in an earthquake-prone area you would purchase a house that is built to code, have emergency supplies and have earthquake insurance. Prepping for a cyber event is no different; you take precautions and put controls in place to mitigate your risk and reduce impact. Precautions include purchasing cyber insurance, implementing an effective cybersecurity program and developing incident response, business continuity, and disaster recovery plans. Insurance provides the peace of mind needed in the event of an attack and the support to help you get back up and running while reducing financial impact.
Myth #4 – What worked in the past is good enough
In this ever-changing cybersecurity landscape, traditional methods of securing your perimeter, protecting data and addressing privacy concerns are not enough. The main shift we’ve seen is more visibility into what actions a company is taking to reduce their risks. Cybersecurity cannot effectively operate in a silo; it’s the responsibility of every employee and department to incorporate security controls into their daily business operations. To do so, create a layered approach to securing both internal and external resources to properly address risk. Make sure you are increasing your security budget every year to continue to add to your infrastructure tools and ongoing training and education. Providing your team with continued education and new technology is critical in minimizing the risk and impact of a breach.
Myth #5 – My business is not a target
The sheer amount of news coverage of large-scale cyber attacks can lead businesses to become numb to them and contribute to the notion that they’re not important enough to be the next target. In truth, smaller organizations are often a target because of the access they provide to a larger target. Accepting that it’s generally a matter of when, not if, a cyber incident will occur is difficult for many companies. In the past, breach prevention was the only goal, but today, having a security team that is realistic and accepts that a breach is likely will make them stronger and faster to respond. Companies will ultimately be judged on both the controls they had in place to prevent a breach and their response during and after an incident. Incorporating cyber insurance into your overall cybersecurity plan will not only provide peace of mind to your customers, but also help minimize the impact and downtime after an attack.
Managing Cyber Risk
Remain vigilant and protect your company with the most up-to-date cybersecurity and insurance options. Don’t fall for the myths or become numb to the countless news stories of breaches. As it’s commonly said, it’s not if your company will face a breach, it’s when.