DYK: Businesses spent $14B on cybersecurity in 2017, more than 20% hit by cyberattack

By Christopher Reynolds | The Canadian Press

More than one in five Canadian companies say they were hit by a cyberattack last year, with businesses spending $14 billion on cybersecurity as they confront greater risks in the digital world, according to a new Statistics Canada survey.

The most common suspected motive was an attempt to steal money or demand a ransom payment, according to the survey. Theft of personal or financial information was less typical  less than one-quarter of the cyberattacks  though it was the most cited reason for investing in cybersecurity, StatCan said.

“Canadian businesses continue to rapidly embrace the Internet and digital technologies, which expose them to greater cybersecurity risks and threats,” the agency said in a release Monday.

“However, the impact of these risks and threats on the investment and day-to-day decisions of businesses are not easily understood as cybersecurity incidents often go unreported.”

Only 10 per cent of businesses affected by a cyberattack reported it to law enforcement agencies last year, StatCan said.

That may change after Nov. 1, when key provisions of the three-year-old federal Digital Privacy Act come into effect, requiring companies to tell Canadian consumers when their personal information is breached.

RELATED STORIES:

In Europe, a sweeping new privacy law introduced in May imposed strict rules around data security and personal privacy, affecting Canadian companies that offer products or services to European Union consumers — and that could face fines of up to 20 million euros for violations.

In 2017, Canadian businesses shelled out $8 billion on cybersecurity staff and contractors, $4 billion on related software and hardware and $2 billion on other prevention and recovery measures, the survey found. The total represented less than one per cent of their total revenues.

Large businesses those with 250 or more employees were more than twice as likely as small ones between 10 and 49 employees  to be apparent targets, according to the report. It said the attacks resulted in an average of 23 hours of “downtime” per company in 2017.

Data breaches have become a familiar feature on the corporate landscape. Last week, Facebook said an attack on its computer systems announced two weeks earlier had affected 30 million users.

In August, some 20,000 Air Canada customers learned their personal data may have been compromised following a breach in the airline’s mobile app.

The Bank of Montreal and the Canadian Imperial Bank of Commerce both suffered data breaches last May. Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and 100,000 Canadians.

In the past three years, millions of consumers have been affected by hacks against a panoply of companies including British Airways, Uber, Deloitte, Ashley Madison and Walmart.

“There’s a lot more to come,” said Amir Belkhelladi, who runs cybersecurity for Deloitte in Eastern Canada. “Technology is becoming essential in our life, so cybercrime that leverages that technology is likely to increase.”

Belkhelladi welcomed the StatCan survey the first of its kind in the country as a basic metric to rank Canada against other countries, but stressed the less concrete consequences of cybercrime.

“The reality for many of the businesses and organizations out there, it’s an impact on their business reputation. That’s much less tangible, that’s much harder to quantify,” he said.

While many large companies now have sturdier safeguards such as cyber-liability insurance  soft points along the supply chain can still open the backdoor to a breach.

“Very often you’ll see instances where the attack came through a supplier of some sort, or someone who’s in their ecosystem who’s trusted,” said Belkhelladi.

Data for the survey  titled the Canadian Survey of Cyber Security and Cybercrime and conducted on behalf of Public Safety Canada were collected between January and April 2018, with a sample size of 12,597 businesses and a response rate of 86 per cent.

Does your small business need cyberattack insurance?

Front Row Insurance says small businesses in Canada are so poorly covered because the process is too complex and costly

For many small businesses, a fire that destroys all of their operations might be preferable to getting hacked. At least in the case of the fire, there’s a good chance the damages will be covered by insurance.

Cybersecurity protection for losses of data or network assets is in its infancy in Canada, at least as far as small and medium enterprises are concerned. Only about 7 per cent of small businesses – those with fewer than 50 employees – had cyberliability insurance in 2017, according to Statistics Canada.

Medium-sized businesses, or those with 50 to 249 employees, were slightly more prepared at 14 per cent, versus 24 per cent for large companies.

The costs are huge, meanwhile, with reports estimating that cybercrime costs the Canadian economy between $3-billion and $5-billion a year.

Figures from the United States suggest that nearly half of cyberattacks are aimed at small businesses, many of which never recover. About 60 per cent of companies go out of business within six months of an attack, according to U.S. National Cyber Security Alliance.

Part of the reason for why small businesses in Canada are so poorly covered might be because the process is too complex and costly.

“They were getting these applications that we were sending them [on behalf of] insurance carriers that were extremely complicated, asking very complex questions,” says Mike Groner, account executive for Front Row Insurance. “These were also clients who weren’t in a position to pay six, seven, even eight-hundred dollars a year for cyberliability insurance.”

To that end, Toronto-based Front Row has launched its own product, Hackinsure, which offers coverage for cybersecurity issues ranging from theft, fraud and ransomware to business interruption resulting from data loss.

Businesses can sign up online for the product, underwritten by Swiss insurer Chubb, without having to talk to a broker. Coverage ranges from $100,000 to $1-million, while annual premiums begin at $200.

Mr. Groner says Front Row was able to negotiate with Chubb to remove about 80 per cent of the standard cyberliability application that bigger enterprises typically must deal with.

Such applications generally ask companies to spell out corporate structures, including listing the names of various directors, executives and their responsibilities. Front Row boiled it down to only the most pertinent information.

“We removed any questions where it would have absolutely no bearing on the premium and quote itself,” Mr. Groner says. “They’re simple questions, like are they using Windows 7 or higher? Are they using an antivirus program? Are they using firewalls? Are they using backup-and-recover procedures? It doesn’t get invasive beyond that.”

Insurance industry experts say the problem with poor coverage may also stem from a lack of education and regulatory involvement. About 19 per cent of small and medium enterprises in the United States and 15 per cent in Britain are estimated to have standalone cyber coverage.

“Canadian companies are very bad with data,” says Mary Hardy, professor of actuarial science at the University of Waterloo. “There’s not so much oversight and requirement to produce data like there is [elsewhere].”

The federal government has taken notice of the problem, which was the impetus for a renewal of the National Cyber Security Strategy this past June. The plan is devoting $500-million over the next five years to help educate the public on cybersecurity and to develop expertise in the field.

Jeremy Depow, vice-president of policy and research for the Information and Communications Technology Council, says products such as Front Row’s HackInsure are positive steps toward spreading awareness. Companies getting hacked is no longer a question of if, but rather when, he says.

“Hopefully it starts to force businesses to live up to some kind of standard,” he says. “Insurance could be a way where you build in those standards to at least get small businesses up to the basics.”

The cybersecurity insurance market is expected to balloon over the next few years, hitting US$17.55-billion by 2023 from US$4- billion in 2017, according to a Reuters report.

Until recently, Front Row has focused mainly on providing insurance products to the entertainment industry, but the company has moved to the cybersecurity market by customer demand.

Beware! Your Insurance Program needs Cyber Liability insurance now more than ever!

Read more

Cyber Losses: A Serious Organizational Risk In The Modern World

Article by Brian Vail, QC

September 19, 2018, 2:21 PM EDT — Losses and costs relating to cyber liability incidents have escalated exponentially given that the world has become much more computer-dependent and technology is rapidly advancing. The losses suffered by organizations for cyber incidents that interrupt their operations as well as liability to third parties (customers, patients or others) have become commonplace. The question facing organizations today is not if they will suffer a cyberattack but when.

The world began rapidly changing with the Internet age. People and organizations are becoming increasingly involved and dependent on computers and electronic data and data transmission. An increasing number of companies operate e-businesses and many organizations are moving toward a paperless workplace. An entire economy has grown up whereby individual consumers access various online services, disclosing their personal information in the process. That information may be shared across connected multiple platforms.

The Allianz Risk Barometer for 2018 indicates that the number of cyber incidents is increasing at an “almost breathtaking pace.” It ranks cyber risk to be the second most serious business risk for 2018, after business interruption. The number of incidents of cybercrime is growing at an alarming rate.

This includes the introduction of malware to an organization’s computer systems to disrupt computer- controlled operations and corrupt data. The use of ransomware, whereby an organization’s data is encrypted subject to it providing a ransom (monetary or otherwise) to the hacker, has become big business. AON notes that “driven by widespread use of mobile technologies, cloud computing, corporate bring-your-own-device policies, big data analytics and 3D printing, cyber has emerged as one of the fastest growing risks for governments and companies across the globe” and is “in some instances more pervasive than traditional exposures.”[

In the United Kingdom alone, in 2016 46 per cent of all businesses reported at least one cybersecurity breach, including 66 per cent of medium-sized businesses and 68 per cent of large businesses.

Many small and mid-sized businesses have a false sense of security that they are not big enough or do not possess information that would attract the interest to cyber criminals. However the insurance industry suggests that 50 per cent of businesses report having been the victim of attack and 60 per cent of those struck are small and medium-sized businesses.

In Canada the average organizational cost of a data breach in 2016 was $6.03 million, up from $5.32 million in 2015, with an average cost of $278 per stolen record. Average notification costs rose from $120,000 in 2015 to $180,000 in 2016. The average costs of lost business rose from $1.99 million in 2015 to $2.24 million in 2016. These losses were caused 54 per cent by criminal/malicious attacks, 21 per cent by system glitches and 25 per cent by human error.

Thus, cyber claims are having and will continue to have a growing negative impact on the global economy. All organizations should be adopting strategies to protect themselves and minimize losses and planning to respond to such claims. Businesses should be reviewing their computer systems, training and monitoring staff and developing an incident response plan to prevent cyber incidents. They should also be reviewing and updating their insurance coverage to address the risks involved. Both prevention and response are not simply an IT problem. They require a team approach involving multiple departments and vendors (IT, management, human resources, public relations, an insurance broker and legal counsel).

It is a mistake for smaller or medium size business to ignore this issue as much as for large organizations as a cyber incident may seriously impact or even bankrupt an unprepared organization.

They are becoming the most sought-after target by cyber criminals.

Originally published in The Lawyer’s Daily

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Source: Mondaq

Ontario police warn of recent cyberattacks targeting local governments

By Michelle McQuigge

THE CANADIAN PRESS

A rash of cyberattacks on Ontario municipal governments in which hackers demand a ransom to unlock compromised systems has prompted the provincial police force to warn about what it describes as a recent trend.

Ontario Provincial Police didn’t disclose how many municipalities had been temporarily crippled by the incidents known as ransomware attacks, but at least two recently had their systems compromised and the mayor of one of them said he’s heard of multiple other cases.

In an advisory issued Friday, the OPP said it wanted communities to be aware of the spate of incidents.

“In recent months there have been several ransomware (hack/virus) attacks on businesses and municipal government offices within Ontario,” wrote the force, which did not respond to requests for further comment.

“The OPP does not support paying ransomware attackers, as it only encourages further criminal activity, and there is no guarantee that payment will restore the encrypted data.”

Police described a ransomware attack as one where a computer or network is infected with malware software intended to damage or disable _ that encrypts data on those systems. Those behind the attack then reveal that the information can only be retrieved with an encryption key, which commonly is only released upon the payment of a ransom.

The OPP said most such attacks are launched either through direct hacking into a vulnerable system or through phishing emails that urge users to click on files or links that then install the malware. Payment is usually demanded in Bitcoin or some other form of cryptocurrency, the OPP said.

That exact scenario played out earlier this month in Midland, Ont., according to Mayor Gord McKay.

On Sept. 1, officials discovered that many of the town’s servers had been compromised and locked down. McKay did not disclose exactly how much ransom was paid through an insurance company to the hackers, and said the cyberattack remains under investigation.

McKay said the attack crippled Midland’s financial systems, but said it was not as devastating as it may have been had it happened three months ago.

At that time, another ransomware attack on the nearby town of Wasaga Beach, Ont., prompted Midland’s officials to take out insurance to protect against such an incident, he said.

“We took a good regard as to what happened over there and said, ‘ok, no reason why it shouldn’t happen here … so let’s start taking precautionary measures,” he said.

The town managed to isolate online systems related to fire, police, water and waste-water services before the hackers struck, the mayor said. There’s also no evidence to suggest information on taxation, human resources and other affected systems was disseminated anywhere after the attack, he added.

Officials in Wasaga Beach did not respond to request for comment on the attack they experienced.

McKay said the decision to purchase insurance has proven beneficial and has helped the municipality recover faster than it might have otherwise. Access to the hacked systems has been provided over time, he said, and all the town’s systems are expected to be fully functional by next week.

The town’s experience suggests an emerging industry around cyberattacks has taken root, McKay said, adding he’s heard from municipalities both inside and outside of Ontario who’ve gone through a similar ordeal.

“It’s happening a fair bit out there, but obviously people don’t like to talk about it,” he said.  “There’s an industry being built up about it, both on the bad guys’ side and also on the recovery side.”

Atty Mashatan, an information technology professor at Ryerson University, said worldwide malware attacks involving everything from hospitals to transit systems have given rise to a burgeoning industry.

She said there are numerous insurance offerings available to both businesses and individuals seeking protection from cybercrime. Like with standard insurance policies, she said packages vary considerably, adding the most comprehensive could cover the cost of legal fees incurred by potential lawsuits associated with security breaches.

But Mashatan stressed that the best insurance is sound security, adding both individuals and companies should cover off basics such as installing strong anti-malware and anti-virus protection as well as maintaining thorough offline backups of key information.

Common sense also has a role to play, she said.

“It has to do with the awareness of the individuals in your organization or in your household,” she said. “Don’t click on a link if you don’t trust it.”

McKay said the town of Midland had no choice but to pay the ransom demanded to reclaim its data, but such an approach finds little favour with Mashatan and the OPP.

The force urged victims of such cyberattacks to go to local police but also noted that ultimately it was up to those targeted to decide how to proceed.

“Companies and individual victims should address threats based upon the nature and severity of the threat and only after carefully considering the best interests of the individual or company’s employees, stakeholders and shareholders,” the force said.

Cyber insurance market sees steady growth as awareness increases

By Modestus Anaesoronye | Business Day

Cyber attacks were once again in the spotlight in 2017, with increasing frequency and severity, offering plentiful opportunities for growth of insurance, especially in small and medium-sized companies, according to A.M Best report.

The WannaCry and NotPetya ransomware attacks and the Equifax data breach received significant media attention and affected millions of people and businesses. The NotPetya attack in particular highlights the growing business interruption exposure associated with cyber risks. Also, in October 2017, Yahoo! updated its 2013 data breach tally from one billion to three billion of its accounts, potentially making this the most substantial, most extensive cyber breach ever recorded.

These events highlight the vital need for cyber insurance, but the market is bifurcated. On the one hand, national accounts and Fortune 500 companies seem to be embracing the need to partner with insurers and brokers as a way to counter cyber risks.

Financial institutions and healthcare companies are acutely aware of their cyber exposures and are increasing their coverage. Average policy limits are rising, with some of the largest companies’ coverage towers above the half-billion dollar mark.

On the other hand, the take-up rate for small to medium-sized enterprises (SMEs) remains in the low teens, presenting an area where insurers would like to see growth.

In 2017, cyber packaged policies in force increased 28 per cent, some of which was due to the addition of affirmative cyber coverage to packaged policies. This increase is significant, but this is still something of a fledgeling business, and an increase of this magnitude, while material, does minimal to close the protection gap. However, interest from SMEs does seem to be gaining traction, and capacity from insurers is ample.

In the short term, despite the inherent challenges in managing aggregations and pricing, we believe the cyber insurance market presents a favourable opportunity for insurers. Demand is expected to grow due to the accelerating adoption of technology and the increasing awareness of cyber risks, especially among SMEs. Given the abundant supply of capital and the cautious growth strategies of insurers, we expect the overall exposure of the property and casualty industry.

However, as insurers expand their cyber offerings, they will need to be prudent in establishing underwriting standards and limits, and exercise appropriate risk management and mitigation measures to ensure that these exposures remain aligned with the company’s risk tolerances and appetites.

The extent to which an insurer grows its cyber business should also lend to a broader understanding of this relatively new risk and a company’s ability to aggregate, monitor, and manage its exposure in various scenarios. Data quality is a crucial factor when insurers provide information to regulators, other stakeholders.

Overall, cyber insurance take-up remains low, as SMEs remain complacent about these risks, under two assumptions: that hackers target only more prominent businesses such as Target or Home Depot or that they already have coverage under another policy when they might not. However, this sentiment and tepid interest in cyber insurance among SMEs may be changing, in light of the near daily reminders of cyber-threats, attacks, and breaches feeding social media.

Pricing is another factor, as more business owners see the cost benefits and also realize their vulnerabilities due to their interconnectivity with vendors, suppliers, and customers.

A data breach is only one factor in cyber risk, however many SMEs may be underestimating business interruption risks, and the impact on smaller enterprises of business interruption could be much higher, as they may not be as resilient or diverse as national account clients.

Source: Business Day By Modestus Anaesoronye
Edited for ILSTV

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from ILSTV

You have Successfully Subscribed!

Pin It on Pinterest