Insurance a second line of defence against cyberattack losses

Insurance a second line of defence against cyberattack losses

DAVID ISRAELSON | The Globe and Mail

Even if small or medium-sized businesses do everything to protect themselves against hackers, they may want to consider a second line of defence – cyberliability insurance.

It’s relatively new, but it’s a growing area for insurance companies. And with the advent of worldwide threats such as the recent WannaCry ransomware virus, it is suddenly a more urgent consideration than ever.

“We haven’t had a lot of requests so far, but it’s a huge field,” says Mark Lipman, president of Consolidated Insurance Brokers Ltd. in Toronto.

By the end of last year, the worldwide market for cyberinsurance was about $3-billion (U.S.), according to a report from Allied Market Research of Portland.

The market is expected to grow year over year by 28 per cent and reach $14-billion in gross premiums by 2022, Allied’s report says.

Mr. Lipman says that, to date, the SMBs his brokerage deals with tend to add on a small amount of cyber-related coverage to their standard commercial policies.

“It’s usually around $25,000 in coverage – which costs an extra $100 on a $1,000 commercial policy,” he says.

Mr. Lipman adds that his firm recommends that SMBs boost their coverage, because of the ever-growing risk of cyberattacks. “We put it [a recommendation] in all the letters we send, either to take coverage or to increase it.”

While this may sound like a self-serving sales pitch by insurers, trends and statistics suggest that the threat of attacks on SMBs is not only real, but also growing fast.

“Cybersecurity insurance is becoming a must-have for most businesses. There is simply no way for an organization to be completely protected from a breach,” say Rohit Sethi, chief security officer for Security Compass, a Toronto-headquartered firm that provides tech-based protection for corporate data.

“This is especially true for SMBs who rarely have security teams on staff and can scarcely afford many leading-edge security solutions. Insurance helps mitigate the financial impact to any company, but every business should treat it as an additional safeguard,” he says.

Small businesses appear to be growing targets for phishers, spear-phishers and cyber-ransomers. A report by security firm Symantec noted in 2014 that attackers targeted small businesses 34 per cent of the time – an increase from 11 per cent just three years before.

Lawyer Lisa Lifshitz, a partner at Toronto firm Torkin Manes LLP, says it has been estimated that criminals launch 3.5 new digital threats against SMBs every second.

Writing in Canadian Lawyer magazine, she said that, “29 per cent of all small businesses have experienced a computer-based attack that affected their reputations, involved the theft of business information, resulted in the loss of customers or experienced network and data centre downtime.”

While any SMB can be a cybercriminal’s target and suffer damage, the risk goes up if the business’s data is ultrasensitive. Since 2014, LawPro, the mandatory insurance program covering Ontario-based lawyers, includes coverage for up to $250,000 for cybercrime.

This coverage is “modest” for firms whose data can easily be compromised in, say, a $1-million residential real-estate deal. “We say modest because, like the fraud risks the profession has faced over the years, there is no way to predict the total possible exposure,” LawPro says.

Lawyers (and others) should always look to what’s covered and what’s not covered in their cyberpolicies, says Addison Cameron-Huff, a Toronto-based tech lawyer. “The interesting part of every policy is the exclusions,” he says.

Indeed, LawPro cautions its lawyer policy holders to “remember that any losses from cybercrime that are not connected with the provision of legal services will not be covered … [such as] damage to equipment or software, business interruption and reputational harm.”

Lawyers, and any other SMBs, can buy coverage that either pays out more or includes more possible types of losses. But it’s buyer beware, Ms. Lifshitz warns.

“Every insurance company deals with coverage differently. There are always going to be carve-outs” for situations that insurers won’t cover, she says.

Speaking in an interview, Ms. Lifshitz adds that insurance companies will do their own due diligence of SMBs before offering coverage. It’s the equivalent of having an inspector come to your house to see whether you have railings and fire alarms before you get home coverage.

If a smaller entity hasn’t taken the steps to become cyberinsurance ready, they’re not going to get coverage, she says.

The Insurance Bureau of Canada has published a checklist for businesses looking for cyberinsurance. These businesses should ask themselves:

– How many records with personal information does your company keep?

– How much sensitive commercial information do you keep?

– What security do you have in place that might reduce your insurance premium?

– Do you need to encrypt all your laptops, phones and tablets?

– Do any third parties you deal with have unencrypted media?

– Would you be able to make a claim on the policy you choose even if you haven’t discovered a breach for several months or years?

Five Pitfalls Of Cybersecurity Insurance: Lessons From The United States

Five Pitfalls Of Cybersecurity Insurance: Lessons From The United States

Article by Ruth Promislow and Ethan Schiff

Given the increasing threat of cyberattacks and the corresponding costs, businesses are increasingly considering cybersecurity insurance. But insurance is only as effective as the scope of the coverage. Though Canadian courts have not yet interpreted insurance policies in the cybersecurity context, American cases highlight five noteworthy pitfalls.

  1. Coverage Denied Because the Insured Did Not Comply with Underlying Obligations

Just as health coverage may be contingent upon the insured maintaining a healthy lifestyle, cybersecurity insurance may be contingent upon the insured meeting certain technical standards. In Columbia Casualty Co v Cottage Health System, the insurer denied coverage and alleged that the insured failed to comply with required “procedures and risk controls”, which imposed an obligation to “follow minimum required practices”.

  1. Coverage Denied Because the Incorrect Party Was Injured

In P.F. Chang’s v Federal Insurance Co, the insured (P.F. Chang’s) made a claim on its insurance due to a data breach resulting in stolen records belonging to its customers. P.F. Chang’s did not suffer an injury. The court concluded that the relevant insurance policy did not cover P.F. Chang’s because the policy required that the claimant suffer an injury. The policy at issue was marketed as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world.”

  1. Coverage Denied Because the Incorrect Party Caused the Injury

In Zurich American Insurance Co v Sony Corp of America et al,1 Sony made a claim on its insurance for defence and indemnification due to losses resulting from a data breach by criminal hackers. The policy provided coverage for “oral or written publication in any manner of the material that violates a person’s right of privacy.” The court held, however, that the policy only provided coverage if Sony published the material itself. Since the hackers published the material, Zurich had no obligation to indemnify Sony.

  1. Coverage Denied Because the Cyber Activity Was Merely Incidental

Cybersecurity insurance may only provide coverage if the loss clearly results from cyber activity. In Apache Corp v Great American Insurance Company, the insured became the victim of fraud after an employee wrongfully determined that a known vendor’s telephone and email request to transfer money was authentic. The request turned out to be fraudulent and the insured reimbursed the vendor. The insured made a claim based on its insurance which covered for “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer…”. The court held that the circumstances were not covered because the computer use was not the direct result of the loss, but rather was “merely incidental”.

  1. Coverage Denied Because the Litigation Was Outside the Scope of Covered Claims

Insurance may provide coverage for certain claims to the exclusion of others. In Travelers Property Casualty Company of America v Federal Recovery Services Inc, the insured made a claim based on costs incurred for litigation resulting from a tort claim for intentional misuse of its data storage activities. The insurer denied the claim because the policy only provided coverage if the loss was caused by “any error, omission or negligent act.” The court held that the lawsuit against the insured for “knowledge, willfulness, and malice” was outside the scope of the coverage.

Conclusion

The United States case law highlights the importance of understanding your company’s risks and vulnerabilities in order to define the precise scope of cybersecurity insurance required. A risk and vulnerability assessment is a critical component to establishing an overall cybersecurity plan that will mitigate risk and corresponding damages.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Stay a step ahead: RBC gives tips to be cyber smart

Technology has made lives easier, connecting people and businesses in an unprecedented ways. But with the steady pace of advancement and change comes the heightened risk of fraud, particularly digital and online fraud. Words like “phishing” and “smishing” that did not exist a decade ago have entered our everyday lexicon.

“The reality is that cyber-crime has become an increasingly problematic issue, not only for the financial services sector, but for other industries in Canada and around the globe,” said Adam Evans, vice-president risk management at RBC. “It takes a combined effort between organizations and consumers to prevent fraudsters and cyber scammers from getting their hands on your private information.”

According to the Canadian Banking Association, 72 per cent of Canadians use online and mobile banking as their primary means of banking, up from 52 per cent in 2012. It’s clear that Canadians are accepting of new and convenient banking and payment technologies but it’s important they know how to stay safe when using these tools.

“Empowering our clients and the public to protect themselves is one of the best lines of defense,” added Evans. “As Canada’s largest bank we believe we have a responsibility to help educate the public on common cyber, fraud and privacy scams.”

Canadians can do their part to stay safe
Watch the RBC Be Cyber Smart video series; a collection of cyber awareness tips for individuals, families, youth and RBC clients:

  1. Choose powerful passwords. Use multiple passwords, change them frequently and use ones that include a mix of letters and numbers: all essential components of online safety.
  2. Don’t respond to unsolicited requests for confidential information. Be aware of schemes that ask for personal or financial information – they could be pretexting.
  3. Beware of the phishDo not click on a link in an email, call a phone number, wire money or take any requested action, unless you first verify that a request is legitimate.
  4. Be cautious when sharing on social media. Be careful about including personal information online, on social networking sites and in email.
  5. Be wary of public Wi-Fi. Avoid using public Wi-Fi to online bank, online shop or access any confidential information.
  6. Keep your personal information private. Laptop and phone screens can easily be seen and your side of a phone conversation can be heard by everyone around you.

RBC is a proud participant in Fraud Prevention and Cyber Awareness months and aims to build awareness among clients and employees year-round. Read more tips and watch the Be Cyber Smart video series anytime on RBC’s Privacy & Security website.

About RBC
Royal Bank of Canada is Canada’s largest bank, and one of the largest banks in the world, based on market capitalization. We are one of North America’s leading diversified financial services companies, and provide personal and commercial banking, wealth management, insurance, investor services and capital markets products and services on a global basis. We have over 80,000 full- and part-time employees who serve more than 16 million personal, business, public sector and institutional clients through offices in Canada, the U.S. and 35 other countries. For more information, please visit http://www.rbc.com/.‎

RBC helps communities prosper, supporting a broad range of community initiatives through donations, community investments and employee volunteer activities. For more information please see: http://www.rbc.com/community-sustainability/.

SOURCE RBC

Cybersecurity Trends to Watch in 2017

Cybersecurity Trends to Watch in 2017

Eric Basu | Business to Community

Today, North American households play host to an average of 13 internet connected devices. It’s at times like these when parties of all sizes should be relying on the expertise of IT professionals — however, a recent report showed that more than 80% of cybersecurity experts say there’s a deficit of skilled workers in the sector, and nearly as many said this has a serious impact on the compromising of devices and applications by cyberattacks. That’s the theme of the new year we’re in: no device nor individual is safe from the wrath of cyberattacks.

Take a look at the cybersecurity trends that started in 2016 and are expected to continue to make news throughout the new year.

Malicious Botnet Attacks

Cybersecurity issues have been, and will continue to be, dominated by the rise in botnets targeting Internet of Things (IoT) devices with Distributed Denial-of-Service (DDoS) attacks. In 2016, we saw hackers harnessing the power of smart devices to take down large domains and internet providers, affecting thousands of websites, including Twitter and Spotify. The most notable were two pieces of malware called Mirai and Bashlight which together have enslaved more than a million IoT devices.

There will be an estimated 28.4 billion internet-connected devices this year, up nearly 5.5 billion devices since the previous year. With the number of IoT devices expected to reach 50 billion by 2020, we’ll see a lot more government intervention this year in regards to regulating the security of these connected devices.

That could involve taking the steps proposed by the European Union and the Obama administration: creating independent bodies that will oversee the production and regulation of labels for smart devices. This proposal would give consumers the tools to make more educated cybersecurity choices and force manufacturers to include more stringent security measures.

Overall, Gartner projects that worldwide spending on IoT security will rise to $434 million this coming year.

Need for Proactive Approaches

Another trend we’ll see this year is companies taking a proactive approach to cybersecurity, rather than forming policies strictly as a reaction to a hack.

Proactively addressing cybersecurity involves taking into consideration the weaknesses that come with both IT and human staff. A large part of that involves limiting the number of devices employees use for professional purposes. These devices can create an issue since they bypass the security perimeters meant to protect workplace computers. It’s predicted that by 2018, a quarter of all corporate information will not pass through this security perimeter and will instead travel directly from mobile devices to the cloud.

Workplace security won’t be as straightforward as fitting an account with an employee username and password. Three Mobile, one of the largest mobile companies in the United Kingdom, put six million customers’ personal data at risk this past November when an employee login was used to hack into the system. A similar hack occurred at Talk Talk, another British mobile company, earlier in the year.

With devices becoming increasingly portable and less secure, we will see companies take more precautions with their employees and create defensive cybersecurity systems that address the agility of new devices and dangerous malware.

Vulnerability assessments should be done at all levels to determine the likeliness of an attack, and how to prevent it.

Application Security On the Rise

Organizations will continue to place more of an emphasis on application security throughout this year. That’s according to a recent report that surveyed 475 businesses and organizations in the U.S. More than one-fifth of those involved in the survey said applications were the source of breaches of secure information and cyberattacks.

Organizations are getting better at coordinating their security efforts, though. Forty percent of businesses have some sort of policy that third-party application providers must follow when providing a program or service. The responsibility of application security is being taken more seriously, too. More than one-third of organizations claimed that their application security programs are maturing.

Fake News & Social Media

Social media and fake news monitoring will become a part of company’s’ cybersecurity strategies.

As the dust settled on the 2016 American election, people wanted to know if fake news articles played a role in the outcome. The Pew Research Center found that 62% of all Americans rely on social media for their news, with 44% of them using Facebook as their number one source.

Fake news sites came in a number of forms, from aggregators that rewrote stories with inflammatory headlines to articles with fake statistics and false reports about the candidates.

While not a hack in the traditional sense, fake news sites and hyper-partisan social media accounts play a role in corroding trust and blurring the line between fact and fiction. In 2017, we will see companies start to protect themselves from this kind of attack by incorporating social security measures into their cybersecurity best practices and processes.

It will be up to programmers and engineers to rewrite algorithms and develop monitoring tools to detect spam-ridden content and false information. But until this picks up, users will have to navigate their social streams more critically than ever before to distinguish genuine engagement from false persuasion.

Increased Security Is the Big-Picture Trend

From hijacked IoT devices to published propaganda, both companies and individuals are on high alert in terms of cybersecurity this year. We can expect to see businesses adopt security measures that address some of these rising concerns which will mean greater security for consumers, too.

Is your company doing something different in the way of cybersecurity in 2017?

Author: Eric Basu

 

 

Canada: Cybersecurity – Ontario’s Next Big Startup Cluster?

Canada: Cybersecurity – Ontario’s Next Big Startup Cluster?

Article by Aird & Berlis LLP

A recent report from Deloitte, commissioned by the Ontario Centres of Excellence (OCE) and the Toronto Financial Services Alliance (TFSA), suggests that Southern Ontario is perfectly positioned to become a global hub for cybersecurity startups.

The current market for cybersecurity products is estimated at $106 billion. At the same time, the average Canadian data breach costs over $6 million, and analysts project the aggregate global costs of cybercrime at $2 trillion, with dramatic growth rates. With high enterprise risk but no single company leading the market for enterprise solutions, it’s an attractive sector for a new entrant.

Deloitte’s report argues that Canada, and Ontario in particular, should play a leadership role in the global development of this vertical.

Canada’s financial services sector is large, stable and increasingly interested in collaborating with new technology companies. Canadian banks have set themselves apart from the global class with a reputation for stability earned during the financial crisis. Investing in cybersecurity amplifies and helps protect that reputation. And as our friends at The Spotlight have covered, companies are increasingly becoming aware of the high costs of data theft.

This growing demand may soon be augmented by the actions of financial services regulators, who are increasingly turning their minds to regulatory technology as a means of imposing standards and solutions on the sector. If, for example, the Office of the Superintendent of Financial Services follows the EU’s lead and imposes standards for identify authentication and verification on the financial services and FinTech operators, it could be a huge payday for the right Canadian growth company.

In addition to thriving market demand, Ontario boasts world-class talent, R&D and incubation and accelleration facilities. The province is home to leading experts and commentators on cybersecurity, providing thought leadership and boosting traction. There is also significant access to capital from VCs, pension funds and government, allowing growth companies to scale when ready.

Finally, the Deloitte study identifies about 70 SMEs operating across the province in a variety of subject matter domains, with a majority of companies working on data protection, but others focusing on identification and authentication, application security, cloud and mobile security, and threat intelligence. This suggests that there are enough active companies on the ground to provide a healthy environment for competition, collaboration and talent acquisition, but there is still plenty of room for new entrants to gain traction.

In other words, the report suggests that the ingredients are in place for cybersecurity to become Ontario’s next big startup cluster.

On March 8th at the Design Exchange, OCE and TFSA will be co-hosting a “Finance Cybersecurity Partnering Forum,” intended to bring together Ontario’s top financial institutions, fintech and cybersecurity SMEs, and academic institutions. The Forum will discuss Deloitte’s report and feature case studies, talent development and collaboration models, and one-on-one networking. For more information or to register for the Forum, click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Ontario: Two gamblers spearhead class action against casino over hacking of private data

By Colin Perkel

THE CANADIAN PRESS

TORONTO _ Two gamblers who allege their privacy was breached are spearheading a proposed class action against an Ontario casino whose databases were hacked.

In a notice of action, they also alleged Monday that Casino Rama, north of Toronto, unjustly enriched itself at the expense of the claimants.

In the allegations contained in the notice, Leonid Kaplan, of Barrie, Ont., says he provided casino staff with copies of his driver’s licence and credit card when he went there to gamble in September.

Kaplan says he received an email by the CEO of Casino Rama, John Drake, on November 10 with the subject line: “Unauthorized Access to Personal Information.”

The email stated that the organization had been the “victim of a cyberattack that resulted in the theft of past and present patron, employee and vendor information.”

The casino publicly confirmed the attack last week but did not say exactly when it occurred or over what period.

The other proposed representative plaintiff, Cheryl Mizzi, of Stouffville, Ont., says she and her husband regularly went to Casino Rama starting in 1999. They last visited in 2015. She, too, provided various forms of identification.

Neither proposed plaintiff have said what losses, if any, they incurred as a result of the privacy breach.

The lawsuit also names Ontario’s gaming commission, the Penn National Gaming and its Ontario subsidiary, which run the casino, and the Chippewas of Rama First Nation where the facility is located.

The suit, which has yet to be certified as a class action or tested in court, seeks $50 million in damages as well as another $10 million in punitive damages.

Lawyer Ted Charney said Monday the “unjust enrichment” claim arises from the casino generating revenues from gambling when customers thought reasonable security measures were in place to protect privacy.

“The casino elected not to invest in adequate staff and technology while collecting gambling revenues, promising to provide adequate security measures,” Charney said.

The suit also alleges the defendants breached contracts and violated consumer laws.

A Casino Rama spokeswoman did not address the allegations, but said Monday the organization was working with the authorities on the ongoing investigation.

“We are limited in how much detail we can provide,” Jenna Hunter said. “We deeply regret this situation and recognize the seriousness of the issue.”

Casino Rama Resort warned its customers, vendors as well as current and former staff last Thursday to keep an eye on their bank accounts, credit cards and other financial information.

The casino said it had “recently” discovered becoming the victim of a cyberattack that resulted in the large-scale data theft.

Stolen data appeared to include internal financial and security-incident reports, emails, payroll data, client information, social insurance numbers, and dates of birth, according to the casino.

“The hacker claims that the employee information dates from 2004 to 2016, and that some of the other categories of information taken date back to 2007,” the casino said in a statement.

The resort, which has 2,500 slot machines and more than 110 gaming tables, said the games themselves weren’t hacked.

Located on Rama First Nation, the casino opened 20 years ago.

CP3

Page 1 of 812345...Last »

Pin It on Pinterest

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from ILSTV

You have Successfully Subscribed!