Canadian insurance firm targeted in ransomware attack

Adam Ward | CTVNews.ca

TORONTO — Andrew Agencies Ltd., an insurance firm that operates in the Prairies, was recently targeted in a ransomware attack but says no personal information was taken.

Dave Schioler, the executive vice president and general counsel for Andrew Agencies, confirmed the security breach in an email statement to CTVNews.ca on Wednesday.

“We have uncovered no evidence of sensitive personal information or data being stolen or otherwise compromised,” he said in the statement. “We can advise that the incident has had minimal impact on our operations.”

Andrew Agencies, a full-service insurance and financial services firm, operates 18 locations in Alberta, Manitoba and Saskatchewan.

A hacker group known as Maze has taken credit for the attack online. The group was reportedly behind a ransomware attack that recently targeted the City of Pensacola, Fla.

Schioler said that Andrew Agencies did not pay a “ransom as part of the recovery effort.”

“We have taken this matter very seriously and have expended considerable resources in the investigation and remediation of this incident, including the use of third parties with expertise in similar incidents,” the statement reads.

ARE THESE TYPES OF ATTACKS ON THE RISE?

News of the security breach at Andrew Agencies comes one day after LifeLabs, one of Canada’s largest medical laboratories, announced it was hit by hackers.

In LifeLabs’ case, an estimated 15 million customers are believed to have been affected, with passwords, birthdays, health card numbers and even lab results potentially being accessed.

Brett Callow, a threat analyst with anti-virus software company Emsisoft, says while many of these types of attacks go unreported, it’s very likely there has been an increase.

“Most ransomware attacks are not specifically targeted and, as there’s been an increase in attacks on the public sector, it would seem inevitable that there has been an increase in attacks on smaller businesses too,” he said in an email statement to CTVNews.ca.

According to a report released this week by Emsisoft, at least 948 government agencies, educational institutes, and health-care providers were impacted by ransomware attacks in the U.S. in 2019. Emsisoft didn’t have information on the number of these types of attacks in Canada.

Callow says that in about 90 per cent of these cases, hackers are perpetrating these attacks through “email attachments or improperly secured remote access solutions.”

So how can companies and municipalities protect themselves from these types of attacks? Well, Callow says a good starting point is email filtering and training staff how to spot potentially hazardous emails.

“The fact that ransomware groups are now stealing data as well as encrypting it makes prevention and detection more critical than ever,” Callow says.

SHOULD COMPANIES PAY A HACKER’S RANSOM?

In short, no, says Callow, because there are a lot of unknowns.

“There is no guarantee that the decryption tool supplied by the cybercriminals will work or that they’ll even supply one.”

Callow added that every time a company pays to get its data back, it incentivizes these types of cyberattacks. However, he admits that some companies have no choice and have to take the risk because it may be the only option.

“For as long as companies pay ransoms, ransomware attacks will continue. The only way to stop the attacks is to make them unprofitable.”

Source: CTV News

Marsh Enhances Cyber Risk Consulting Capabilities

Clients to Gain Greater Insight into the Effectiveness of Cybersecurity Investments

Marsh, the world’s leading insurance broker and risk adviser, announced the launch of an enhanced suite of cyber risk quantification consulting capabilities that offer clients new insight into the impact of their cybersecurity investments.

The enhanced consulting capabilities are powered by Blue[i] Cyber, a new cyber risk analytics engine that integrates Marsh’s market-leading cyber risk quantification models with X-Analytics, Secure Systems Innovation Corporation (SSIC)’s patented cyber risk model for which Marsh is the exclusive insurance broker and risk consulting provider.

With these enhanced cyber risk consulting capabilities, Marsh clients for the first time will be able to quickly and easily:

  • Evaluate the effectiveness of cybersecurity controls and prioritize risk mitigation accordingly.
  • Engage in data-driven “what-if” scenarios to evaluate existing and future cyber investments.
  • Evolve cybersecurity from technical jargon to a board-level conversation.
  • Meet cyber risk disclosures and reporting requirements more easily.
  • Use financial analysis of cyber risk exposure to inform their risk management strategies, including risk mitigation and risk transfer decisions.

“Although cyber often ranks high on risk agendas, many organizations struggle to understand how their cybersecurity strategy impacts their financial exposure to cyber risk,” said Reid Sawyer, US Cyber Risk Consulting Practice Leader, Marsh. “With Marsh’s enhanced quantification consulting capabilities, clients will be able to gain greater clarity into the impact their cybersecurity investments have on risk reduction and make more informed cyber risk capital allocation decisions.”

The enhanced cyber risk quantification consulting capabilities powered by Blue[i] Cyber are immediately available in the US, Canada, and Europe.

About Marsh

Marsh is the world’s leading insurance broker and risk adviser. With over 35,000 colleagues operating in more than 130 countries, Marsh serves commercial and individual clients with data driven risk solutions and advisory services. Marsh is a business of Marsh & McLennan Companies (NYSE: MMC), the leading global professional services firm in the areas of risk, strategy and people. With annual revenue approaching US$17 billion and 76,000 colleagues worldwide, MMC helps clients navigate an increasingly dynamic and complex environment through four market-leading businesses: Marsh, Guy Carpenter, Mercer, and Oliver Wyman. Follow Marsh on Twitter @MarshGlobal; LinkedIn; Facebook; and YouTube, or subscribe to BRINK.

4 scams to watch out for this holiday season

Frauds, scams spike this time of year, says RCMP

CBC News

As shoppers gear up for the holiday season, police say fraudsters are also preparing to take advantage of those who aren’t careful.

The holidays are ripe for fraudulent activity, with various types of scams appearing around this time of year, according to Jeff Thomson, a senior intelligence analyst with the RCMP’s fraud unit.

Here are some of the most common scams Thomson said people should watch out for.

SIM swapping

Thomson said the RCMP has seen a recent spike in identity theft through what’s known as SIM swapping.

Fraudsters will send a phishing email, which appears to be from your service provider, offering you free data or something similar — and a link for you to claim your “prize.”

The link asks for personal information to update your cellular account profile. Fraudsters will then contact your service provider and, using that information, gain access to your phone.

“If you have your bank accounts, your social media accounts, email accounts — they can now start to gain access to the accounts you have on your mobile device,” Thomson said.

If you receive an email from your service provider with an offer, Thomson recommends calling them to verify it’s real.

Evolving phone scams

This one might sound familiar: someone allegedly calls from the Canada Revenue Agency (CRA) and demands payment for back taxes while threatening the victim with arrest.

Thomson said the RCMP are seeing a spike in these kinds of scams, but instead of the CRA, the fraudsters claim to be from Service Canada.

“The Service Canada scam I’m seeing as the evolution of the CRA scam,” Thomson said.

Fraudsters tell victims their social insurance number (SIN) is compromised and then attempt a two-part scam.

First, they’ll attempt to coax your name, date of birth, SIN and other personal information from you.

Then they’ll say police or investigators need to follow up, which later turns into a demand for cash. Thomson said that usually takes the form of fraudsters telling victims to move money into a “safe account.”

Like with the CRA scam, Thomson said Canadian agencies wouldn’t call and ask for personal information.

Online shopping scams

As more and more shoppers turn to the internet to find that perfect holiday gift, fraudsters are taking notice.

Thomson said one scam comes in the form of an unbelievable offer for a wish-list item — but often it’s counterfeit or of an inferior quality.

To avoid being duped, Thomson recommends only shopping at well-known websites, reading reviews on lesser-known ones first, and using payment programs that have credit card protection.

“If a deal seems too good to be true, it probably is,” he said.

Loan scams

This scam typically preys on victims looking for extra cash during the holidays.

Fraudsters offer loans, Thomson said, and then either take personal information or begin to demand payments.

Thomson advises people to be cautious and only seek loans from credible providers.


New Geneva Association & IFTRIP task force to address emerging cyber terror risks

The Geneva Association is launching a joint task force on cyber terrorism and cyber warfare with the International Forum of Terrorism Risk Reinsurance and Insurance Pools (IFTRIP). The special-purpose task force aims to conduct research on cyber terrorism risks across the re/insurance industry. Its initial findings will be published in mid-2020.

The launch of this new task force was announced at the IFTRIP 2019 International Conference in Brussels, Belgium. It will be led by Rachel Anne Carter, the Geneva Association’s Director of Cyber, supported by Julian Enoizi, CEO of Pool Re and Christopher Wallace, CEO of Australian Reinsurance Pool Corporation and president of IFTRIP.


Why Cybersecurity Should Matter To Your Small Business

Huffpost Canada

In an increasingly demanding economy where time and efficiency are crucial, it’s incumbent on small business owners to ensure their proverbial ducks are in a row. Perhaps none of those ducks are more important than security, namely cybersecurity. Having e-commerce protection for both consumers and owners is essential to ensure your business doesn’t suffer from potential privacy breaches. In partnership with Intact Insurance, we’ve identified five reasons why cybersecurity should be top priority for your business.

1. Protect your business from phishing schemes

One of the biggest online foes for small businesses is the phishing scheme. According to this 2019 US report, one in every 99 emails is a phishing scheme. This is when a scammer pretends to be a legitimate company or individual in the hopes of receiving your personal, banking or credit card information. Opening these emails can open up a Pandora’s box of problems. It’s important that business owners and employees recognize certain characteristics of these emails to avoid being a victim. If you don’t recognize the company or name of the sender, don’t open the email. If you’re still unsure, try calling the company directly to verify the authenticity of the email.

“Invest in the ongoing training of your employees and managers to be able to recognize phishing scams,” recommends Yan Lacoursière, Senior Loss Prevention Consultant at Intact Insurance. Scammers use the human aspect to trick you (lack of knowledge and kindness, for example). “Remember, when in doubt, don’t click on anything and don’t give away any sensitive information,” he says.

2. Protect your business from denial of service attacks

Cybersecurity has also grown in stature due to the fact that phones and tablets can do everything traditional computers can. However, it also opens other avenues for risks from outside computers including a DDoS, or distributed denial of service attack. It’s a malicious attempt to crash one’s server by flooding the website with too much traffic. A strong preventive measure would be to use a cloud-based DDoS mitigation service – it’s what keeps a website running during an attack. Offloading server functionality to a cloud platform allows it to filter through malicious traffic before it reaches you.

3. Protect your business from online hackers

No matter the size of the company or its location, the looming threat of hackers stealing sensitive information is very real. According to the Insurance Bureau of Canada, nearly one in five small businesses (18%) have been affected by a cyber attack or data breach in the last two years. This not only applies to your company’s website but all social media and email accounts, too. Avoid the online threat by changing passwords regularly (quarterly is recommended) and disabling auto-fill forms. Store data in a virtual data room and hide admin pages from search engines, so hackers can’t find them easily. Above all else, keep your operating system and antivirus programs up to date to stay protected from malware.

4. Protect your business from wi-fi eavesdropping

By default, wi-fi is not secure. Hotspots don’t use encryption, providing no protection at all when on a public network. So, if you’re working remotely, the best way to secure data is to connect to a Virtual Private Network (VPN). By doing this, every activity on your or your employees’ computers is sent through an encrypted tunnel, making it extremely hard for anyone to eavesdrop and capture any passwords, emails and file transfers.

5. Have the right insurance when all else fails

The cost of repairing a breach and covering legal expenses could set you and your company back. Contact your broker to learn how privacy breach coverage can manage the impact caused by theft, loss, or unauthorized access to your customers’ or employees’ personal information. Running a small business online can be both overwhelming and exciting. By staying informed and taking the right steps, you can ensure the safety of your business, employees and clients’ data. Not only that, you’ll be able to watch your business grow and fulfill your dreams.

Cyber Insurance And D&O Liability

Last Updated: September 19 2019

Article by Deepshikha Dutt

Introduction

In the past decade, there have been several reports of cybersecurity attacks and data breaches affecting large corporations.[1] In many cases, those affected by the breach want to hold the directors and officers accountable, as they feel the corporation failed to implement the proper security measures to prevent a breach from happening or did not effectively handle the aftermath of the breach. However, directors and officers generally enjoy limited personal liability subject to a few exceptions.[2] Nevertheless, as more specific guidance emerges for directors and officers handling cybersecurity issues, the scope of this liability may widen.[3] Thus, directors and officers should not take comfort in the substantial barriers that prevent them from being held liable for issues relating to the organization.[4] In fact, despite these substantial barriers, shareholders continue to pursue derivative actions against directors and officers.

This article will discuss the scope of personal liability directors and officers face relating to cybersecurity breaches, and recent actions pursued against directors and officers in Canada and the US. Following the article, key takeaways will be provided.

Scope of liability

Cybersecurity poses a significant threat to directors and officers as cyber threats continue to emerge, and the rules and regulations that guide cybersecurity continue to evolve. Directors and officers may be held liable in the event of a cybersecurity attack if they are found to have breached their duty of care or have failed to comply with any disclosure requirements. Moreover, directors and officers can be personally liable where a company fails to comply with Canada’s Anti-Spam Legislation (CASL).[5]

Directors and officers have a duty to exercise reasonable care and diligence, both at common law[6] and under corporate statutes.[7] Failure to oversee the company’s cybersecurity measures adequately, before and after a breach occurs, could be considered a breach of this duty.[8] Moreover, failure to comply with federal and provincial disclosure requirements after a breach could lead to liability for secondary market misrepresentation.[9]

Therefore, having an appropriate response or compliance plan, and effective security measures to protect the company against future cyber threats is essential. This will help support any claim by a director or officer that all requisite care and diligence was met, and all regulations were complied with.[10]

Lastly, directors and officers can be held personally liable and receive fines where the company has violated CASL. Penalties for non-compliance with CASL carry a maximum fine of CA$1 million for individuals and CA$10 million for organizations.[11] Moreover, directors and officers can be vicariously liable for non-compliance of an organization even where the regulator, the Canadian Radio-television and Telecommunications Commission (CRTC), does not pursue the organization. In fact, the CRTC has made a public statement that directors and officers cannot hide behind their company’s structure or online entities to avoid liability.

Derivative actions in Canada and the US

Currently, there have not been any attempts at a lawsuit against directors and officers in relation to cybersecurity in Canada.[12] However, given the number of derivative actions commenced in the US, it is possible that it could give rise to such claims in Canada. The US has seen several derivative action suits against directors and officers relating to cybersecurity over the past few years.[13] All but one have been unsuccessful, largely due to technical and procedural reasons. However, in January 2019, a derivative action lawsuit settled for US$29 million, compensating the plaintiffs significantly.[14] This is the first time shareholders have been awarded monetary damages for a breach-related derivative lawsuit. This settlement could spark the beginning of successful derivative action lawsuits, and inspire others to pursue civil actions against directors and officers for cybersecurity breaches. Moreover, this settlement can be used as a benchmark for future civil actions to compare to when deciding on the amount to be awarded. Effectively, this settlement may not only affect civil actions in the US, but also allow derivative actions to gain traction in Canada.

Penalties for violation of Canada’s Anti-Spam Legislation

More recently, the CRTC has held directors and officers personally liable for a company’s violation of CASL. On April 23, 2019, the CRTC found that a coupon marketing company, nCrowd, had violated CASL, and found the former CEO of the company to be personally liable.[15] As a result, he received a CA$100,000 fine. Further, a different company that was also part of this scheme with nCrowd had also violated CASL, and the CRTC held this company’s CEO vicariously liable for the violation. As a result, he received a fine of CA$10,000. Ultimately, liability under CASL can extend beyond the corporation if the person authorized, acquiesced or participated in the commission of the violation.

Key takeaways

  • Directors and officers should familiarize themselves with all regulatory guidelines to protect the company from a data breach and to avoid being personally liable for the breach;
  • D&O liability insurance does not always offer protection for cyber-related incidents or threats. It is important to confirm whether this is protected and the scope of protection provided. Not having proper protection could expose directors and officers to liability and significant payouts;
  • There have been no derivative action attempts relating to cybersecurity breaches in Canada, but given the current climate in the US, it is possible this will encourage such claims to occur in Canada; and
  • Directors and officers can be held either personally or vicariously liable for a company’s violation of CASL if that individual played some role in the commission of the violation.

Conclusion

Cybersecurity attacks and data breaches are inevitable and can happen to any organization, thus remaining a significant threat to corporate governance. While a cybersecurity attack is a crime, directors and officers may still be held liable for a breach if they failed to oversee the company’s security measures prior to the breach, or failed to take the necessary course of action after the breach occurred. Ultimately, boards of organizations must recognize the current cybersecurity environment that exists, and assemble a reasonable response plan to respond to these threats when and if they occur. Our final article will provide key takeaways and best practices for both insureds and insurers in relation to cybersecurity risks.

A special thank you to Emeleigh Moulton (summer student) for her assistance with this article.

About Dentons

Dentons is the world’s first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world’s largest law firm, Dentons’ global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.
