Cyber insurance market sees steady growth as awareness increases

By Modestus Anaesoronye | Business Day

Cyber attacks were once again in the spotlight in 2017, with increasing frequency and severity, offering plentiful opportunities for growth of insurance, especially in small and medium-sized companies, according to A.M Best report.

The WannaCry and NotPetya ransomware attacks and the Equifax data breach received significant media attention and affected millions of people and businesses. The NotPetya attack in particular highlights the growing business interruption exposure associated with cyber risks. Also, in October 2017, Yahoo! updated its 2013 data breach tally from one billion to three billion of its accounts, potentially making this the most substantial, most extensive cyber breach ever recorded.

These events highlight the vital need for cyber insurance, but the market is bifurcated. On the one hand, national accounts and Fortune 500 companies seem to be embracing the need to partner with insurers and brokers as a way to counter cyber risks.

Financial institutions and healthcare companies are acutely aware of their cyber exposures and are increasing their coverage. Average policy limits are rising, with some of the largest companies’ coverage towers above the half-billion dollar mark.

On the other hand, the take-up rate for small to medium-sized enterprises (SMEs) remains in the low teens, presenting an area where insurers would like to see growth.

In 2017, cyber packaged policies in force increased 28 per cent, some of which was due to the addition of affirmative cyber coverage to packaged policies. This increase is significant, but this is still something of a fledgeling business, and an increase of this magnitude, while material, does minimal to close the protection gap. However, interest from SMEs does seem to be gaining traction, and capacity from insurers is ample.

In the short term, despite the inherent challenges in managing aggregations and pricing, we believe the cyber insurance market presents a favourable opportunity for insurers. Demand is expected to grow due to the accelerating adoption of technology and the increasing awareness of cyber risks, especially among SMEs. Given the abundant supply of capital and the cautious growth strategies of insurers, we expect the overall exposure of the property and casualty industry.

However, as insurers expand their cyber offerings, they will need to be prudent in establishing underwriting standards and limits, and exercise appropriate risk management and mitigation measures to ensure that these exposures remain aligned with the company’s risk tolerances and appetites.

The extent to which an insurer grows its cyber business should also lend to a broader understanding of this relatively new risk and a company’s ability to aggregate, monitor, and manage its exposure in various scenarios. Data quality is a crucial factor when insurers provide information to regulators, other stakeholders.

Overall, cyber insurance take-up remains low, as SMEs remain complacent about these risks, under two assumptions: that hackers target only more prominent businesses such as Target or Home Depot or that they already have coverage under another policy when they might not. However, this sentiment and tepid interest in cyber insurance among SMEs may be changing, in light of the near daily reminders of cyber-threats, attacks, and breaches feeding social media.

Pricing is another factor, as more business owners see the cost benefits and also realize their vulnerabilities due to their interconnectivity with vendors, suppliers, and customers.

A data breach is only one factor in cyber risk, however many SMEs may be underestimating business interruption risks, and the impact on smaller enterprises of business interruption could be much higher, as they may not be as resilient or diverse as national account clients.

Source: Business Day By Modestus Anaesoronye
Edited for ILSTV

Bank breaches highlight rise of cyber threats as new exploitation strategies emerge

Apparent attempts to extort two major Canadian banks highlight the increasing threat and variety of cyberattacks against major companies.

Attacks against BMO and CIBC-owned Simplii _ that compromised the information of up to a combined 90,000 Canadians _ made public Monday, appear to be the latest in a number of high-profile ransom attacks. The attacks have the banks in damage control mode, prompting them to assuage client concern about the safety of Canadian accounts.

CBC reported that it received a letter from someone who said they demanded a $1-million ransom from the targeted banks.

The banks would not confirm the CBC report Tuesday. BMO said only that a `”threat” was made, but it has a policy of not making payments to fraudsters, while Simplii was similarly cryptic, saying only that fraudsters may have electronically accessed some data, but that its practice is not to pay ransom demands.

Both banks said they both took additional security measures after learning of the potential breach and would be directly contacting customers whose accounts may have been compromised. Royal Bank, Scotiabank and Toronto-Dominion Bank have said they have no indication they have been affected.

The apparent extortion attempt against BMO and CIBC’s direct-banking brand Simplii comes after a string of other high-profile pay-for-data attempts.

Recent examples include a failed attempt at Uber to pay off hackers _ only for the company to later reveal that some 815,000 Canadians had their information compromised as part of a global attack, and the infamous cyberattack on cheating website Ashley Madison, which did not comply with hackers’ demands to close the website, resulting in the exposure of personal information of millions of users.

Smaller organizations are also falling victim to hacking payment scams, including the University of Calgary, which paid $20,000 to have its computer systems unlocked after a ransomware attack in 2016.

The risks are clearly on the rise, said cybersecurity expert Satyamoorthy Kabilan at the Conference Board of Canada.

“In terms of cyber incidents overall, whether it’s breaches, whether it’s these sorts of attacks, whether it’s standard ransomware, that’s skyrocketing.”

However, the incident involving BMO and Simplii varies from more standard efforts to either use the data itself to profit or to try and sell it to third parties _ which makes it harder for companies to set up defensive plans, said Kabilan.

“Understanding tactics actually gives us an advantage in terms of defending ourselves, but if those are constantly varying, it starts putting up a few more challenges.”

Companies, especially banks, need to keep improving security efforts but also plan for resiliency and being able to respond in the event of an attack, he said.

“Companies have to wake up to the fact that there is no such thing as 100 per cent security in the cyber world. It’s a question of when and how bad.”

BMO and Simplii did the right thing in being quick to assure customers that their money is safe and that they’re working diligently to improve security, said Barry Waite, chair of the communications department at Centennial College.

Both banks said they’d directly reach out to affected customers and are co-ordinating with officials to respond to the incident and protect clients.

Demonstrating the safety of banking services will become increasingly important as they roll out more digital products, said Waite.

“This is important for the whole banking industry, demonstrating that as they increase technology, they’re introducing new apps, that they have the best security in place.”

The whole banking sector is looking to improve digital security in light of such threats, Scotiabank CFO Sean McGuckin said on a media conference call discussing its quarterly results.

“There’s a very open dialogue amongst financial institutions around cyber threats. So we are all quite open and learning and sharing from each other.”

International probe shuts down cyberattack provider

By Mike Corder

THE ASSOCIATED PRESS

THE HAGUE, Netherlands _ In a major hit against cybercriminals, an international police operation has taken down what investigators called the world’s biggest provider of potentially crippling Distributed Denial of Service attacks.

On Wednesday, police hailed the success of the operation Wednesday, saying that a joint investigation led by Dutch and British experts and supported by European Union police agency Europol led to the arrest on Tuesday of the administrators of the website webstresser.org.

Europol said webstresser.org had more than 136,000 registered users and racked up 4 million attacks on banks, governments, police forces and the gaming industry. Distributed Denial of Service, or DDoS, attacks attempt to make online services unavailable by overwhelming them with traffic from multiple sources.

“It used to be that in order to launch a DDoS attack, one had to be pretty well versed in internet technology,” Europol said in a statement. “That is no longer the case.”

The agency said that registered users could pay a fee of as little as 15 euros ($18) per month to rent its services and launch cyberattacks.

Administrators of the service were arrested Tuesday in Britain, Croatia, Canada and Serbia, Europol said. The illegal service was shut down and computers and other infrastructure seized in the Netherlands, the United States and Germany.

Croatian police said that a 19-year-old Croat, whom they described as the owner of webstresser.org, was detained on charges of “serious criminal acts against computer systems, programs and data” that carry a possible sentence of one to eight years in prison.

Gert Ras, head of the Dutch police’s High Tech Crime unit, said the operation should send a clear warning to users of websites like webstresser.

“Don’t do it,” Ras said. “By tracking down the DDoS service you use, we strip you of your anonymity, hand you a criminal record and put your victims in a position to claim back damages from you.”

Connected And Protected: Insuring Your Business Against Cyber Breaches

Article by Imran Ahmad

It was not long ago that a company’s cybersecurity plan was centred around the IT department, keeping internal networks protected and staying alert to malware and virus threats. Now, the risks have evolved: as companies have moved to more cloud computing solutions, Software as a Service providers and internet-enabled systems, they face more exposure to both internal and external risks. If your company has not identified your potential risks and implemented a comprehensive risk mitigation strategy that includes cyber insurance, you could be facing expensive consequences.

Who Connects to You?

Does your company use outside providers for software services, such as cloud computing, data analytics, HR or payroll software? How does a data breach or software failure at their end affect your business? Are you responsible to your clients or customers for a breach of someone else’s system? Review your vendor contracts for these services to ensure that you are indemnified for a breach of their security. There should also be clear language in the contract about how and when they must inform you of any breach so that you can take appropriate action to protect your business and your clients.

What Connects to You?

The Internet is no longer just about connecting computers to one another and hosting websites. The Internet of Things (IoT) is expanding rapidly, and there may be connected devices used in your day-to-day operations that you are not even aware of. Security systems, climate controls, driver tracking and other business tools use connectivity that makes them potentially vulnerable to cyber attacks. Some IoT devices have built-in security measures that protect privacy, while others may create risks for your company. Assessing these risks should be part of your overall cybersecurity strategy. Using “privacy by design” principles and conducting privacy impact assessments (PIAs) and threat risk assessments (TRAs) can help with your overall risk assessment and risk mitigation strategy.

How Can You Protect Your Business?

Cyber insurance is an important tool that can help to transfer some of the risks associated with cybersecurity. The types of costs that can be mitigated through cyber insurance include:

  • Legal fees: This includes running investigations, sending out notifications of a breach and working with regulators.
  • Investigations and recovery: Understanding what happened and how to quickly get back to normal operations can be a costly process.
  • Crisis management: You may need to engage public relations experts and crisis management consultants to manage the company’s reputation in the wake of a cyber breach.

Of course, insurers are always looking to minimize the chances that they will need to pay out on a policy. In order to keep your premiums as low as possible, it’s important to understand and reduce your risk level. Insurance firms may ask if you have reviewed your contracts with the providers of your IoT devices to guarantee that these devices have built-in security and confirm that you have included indemnity clauses. They will assess whether vulnerabilities in one IoT device will lead to vulnerabilities throughout your business and whether you have layers of technology or security in place to ensure that this cannot happen.

The insurers will use a questionnaire to make sure your risk profile is as low as possible so that you can get the best possible premiums. Have you implemented comprehensive pre-breach risk mitigation strategies that include board coaching, employee training, vendor contract management and cloud security? The more you can do to prevent a breach, the lower your cyber insurance premiums will be.

If you’re unsure where to begin, the cybersecurity team at Miller Thomson can help you to understand where your business may be exposed to cybersecurity risks and how to improve security and prevent breaches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Cyber Cross-Jurisdictional Risks And The Impact Of GDPR: Europe

Article by Henning Schaloske, Kathrin Feldmann and Amrei Zürn

Companies that become a target of a cyber-attack may face global impacts. Cyber-attacks often cause cross-border and thus cross-jurisdictional data breaches as, for example, data is often stolen or illegally published from a company’s subsidiary in a different country.

An issue in such events is that each jurisdiction has different requirements regarding the notification of authorities and the subjects of the data breach. Companies have to establish in how many countries a data breach occurred and if there are special notification requirements with respect to the data subject and the national authorities. Further, targets of cyber-attacks may face difficulties estimating the amount of fines and penalties and third party claims since the relevant provisions vary from one country to another. In addition, each jurisdiction imposes different requirements on risk management.

Within the European Union, these different approaches will be harmonised on 25 May 2018 when the General Data Protection Regulation (“GDPR”) comes into effect. As a regulation, the GDPR directly applies in each member state and does not need to be transposed into national law. The GDPR contains provisions regarding data breach notifications, data protection management systems, fines and penalties as well as third party claims. Even though these provisions are partially stricter than national regulations, the GDPR’s advantage is that companies, in general, only have to consider this data protection regulation instead of, potentially, 28 individual domestic data protection laws in all member states. However, with respect to non-EU member states, companies will still face various data protection provisions.

Cyber cross-jurisdictional risks not only occur in connection with data breaches. Internationally operating companies also face different regulations when it comes to general IT risk management and the prevention of cyber-attacks. In Germany, for example, pursuant to section 8a of the Act on the Federal Office for Information Security (“BSIG”), so called operators of critical infrastructure, such as energy, transportation or telecommunication companies as well as insurers, have to take organisational and technical measures to avoid errors of the availability, integrity, authenticity and confidentiality of their information technology systems, components and processes which are essential for the functionality of the operated critical infrastructures. Operators of such infrastructure have to prove that they are meeting these requirements to the German Federal Office for Information Security (“BSI”) every two years.

Since 3 November 2017, financial institutions have been obliged to meet special IT risk management requirements. The German Federal Financial Supervisory Authority (“BaFin”) published the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT, “BAIT”). The intention behind BAIT is to provide clarity for executive boards of banking institutions regarding the banking supervisors’ expectations with respect to a secure design of IT systems and the associated processes. These requirements form a core component of IT supervision in the banking sector in Germany. The financial institutions have to define a sustainable IT strategy outlining the institution’s objectives and measures to achieve these objectives. BAIT furthermore requires companies to put in place an information risk and information security management as well as a user access management. Similar regulatory requirements for insurance companies shall be published at the end of 2018.

Another significant cross-jurisdictional issue is the assessment of global litigation risks. It may be easier for a company to estimate its potential liability in a country like the United States where cyber cases have already been subject of legal proceedings than in other countries such as Germany where there is hardly any case law on cyber liability. What is more, companies cannot be certain whether or not cyber claims will be covered by a cyber policy. Since 2017, the German cyber market has grown significantly. However, German courts have not yet had to deal with cyber policies and it is difficult to predict how a German court would decide in a cyber coverage dispute. Thus, for insurers and their insureds alike, it is important to continuously improve legal certainty of the policy wordings as well as to understand, manage and allocate cyber risks appropriately between different types of cover, including, e.g., crime and general liability next to the cyber policies. Last but not least, in the international cyber breach scenario, the interplay of local and master policies brings along additional challenges, in particular in relation to non-admitted countries and the setup of well-functioning international insurance programmes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Source: Mondaq

Bell Canada alert prompts RCMP, privacy watchdog to investigate data breach

By David Paddon

THE CANADIAN PRESS

TORONTO _ The RCMP has launched an investigation into a data breach at Bell Canada that appears to have compromised customer names and email addresses, but no credit card or banking information.

Media reports put the number at about 100,000 but RCMP spokeswoman Stephanie Dumoulin, at the police force’s national division in Ottawa, and the Office of the Privacy Commissioner said that they couldn’t disclose details.

“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” said the federal privacy watchdog’s spokeswoman Tobi Cohen.

Bell Canada’s representatives have alerted customers who were affected, but didn’t answer questions about how many customers were impacted, when the breach occurred, or if the data release was related to an earlier breach last year.

Bell also told customers that additional security, authentication and identification requirements have been implemented.

“When discussing your account with our service representatives, you will be asked for this additional information to verify your identity,” its emailed notice to customers said.

Katy Anderson, a Calgary-based digital rights advocate with OpenMedia, said she’s glad Bell is implementing additional security checks.

“However, this is the second time the company has been hit by hackers in eight months,” Anderson said in a phone interview.

Bell Canada revealed in May that an anonymous hacker had obtained access to about 1.9 million active email addresses and about 1,700 customer names and active phone numbers.

Anderson said that the public should realize that centralized data is vulnerable, by its nature.

“When a breach like this happens, which we’re seeing more and more, it’s always a good reminder to change your passwords, update your security questions with things only you would know, and consider using a password manager,” Anderson said.

Bell’s latest data breach follows several other high-profile hacks, including at credit monitoring company Equifax and car-hailing service Uber, though those companies did not immediately disclose the breaches.

The federal government is in the process of reviewing changes to the Personal Information Protection and Electronic Documents Act that would require companies to notify people in the event of a serious data breach.

But until those come into force, Alberta is the only province in Canada that has mandatory reporting requirements for private-sector companies.

Page 1 of 1112345...10...Last »

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from ILSTV

You have Successfully Subscribed!

Pin It on Pinterest