Cyber in 2020: The threats and the solutions


This interview is part of a special report published by Insurance Business Canada.


In a discussion with Insurance Business Canada, Trisura’s assistant vice-president of professional solutions, Michael Kalakauskas, weighed in on some of the biggest cyber concerns facing brokers in 2020.

IB | How is the cyber insurance market shaping up in 2020?
MK | The cyber market has been very volatile for most of 2020. We have seen pricing increases range around 10% to 50%, as well as a substantial increase in deductibles. Furthermore, most markets are reducing their capacity, with limits being greatly lowered on both third-party and first-party coverages. While some markets have pulled back, others have increased their appetite and capabilities. It’s a very interesting time in the cyber insurance world.

From a cybersecurity trend standpoint, the sheer volume of cyberattacks and compromised personal information on a worldwide level is at an all-time high and will only continue to grow with the expansion of things like company interconnectivity, the Internet of Things, the use of cloud services, artificial intelligence and machine learning, automation, and small to medium-sized business vulnerability. These trends point to the need for all organizations to increase their security and awareness in protecting themselves against cyberattacks and data breaches. Cybercriminals and attacks are only getting more sophisticated, so as an industry, we need to keep up with and respond to emerging threats.

Another important trend is the evolving landscape of international data privacy laws and government/regulatory body involvement. These new or updated laws – for example, GDPR in Europe or PIPEDA here in Canada – are making companies move from a reactive approach to a proactive approach towards cybersecurity. We’re now seeing a greater focus on system security and the ability to safely store and use personal information.

In terms of cyber coverage, brokers need to be aware that third-party liability coverage for data breaches is only one piece of the overall cyber insurance puzzle. The trends from a coverage standpoint – and the most common causes of current cyber claims, in our experience – are ransomware, social engineering and business interruption. Not all businesses carry large amounts of personal data that may be targeted in data breaches; however, all businesses are dependent on computers, cell phones and the internet – things that ultimately make them vulnerable to different types of cyberattacks. The one thing that all companies do hold is employee data, which exposes all companies, regardless of size, to a potential data breach.

It is easier to target small and mid-sized companies, as they may not have adequate security measures and resources in place to protect themselves. To safeguard against today’s cyberattacks, small companies must reassess their security position and ensure adequate measures and controls are implemented, including the purchase of cyber insurance coverage and speaking with a true insurance professional.

IB | How has the COVID-19 pandemic – and the accompanying increase in remote work – impacted the cyber insurance market?
MK | COVID-19 remains a challenge for the insurance world. The cyber insurance market should be very concerned with heightened cyber exposures while people work from home with lesser security, employee awareness and procedures. This is the perfect time for cybercriminals to make their move, and we’re already seeing phishing attacks and viruses on the rise in every sector. Also, when working from home, it’s harder to react and deploy an incident response plan or disaster recovery plan, which may result in more frequent and possibly more severe attacks.

It’s a time of great stress and worry, and people are paying less attention. Things that might impact cybersecurity during COVID include older/out-of-date computer software and antivirus software/firewalls, a lack of cybersecurity procedures/policies, a lack of encryption protocols, infrequent password changes, audits not being performed, general misuse of computers and emails, and employees not on high alert. We must all stay vigilant.

IB | Which client groups should be the target markets for cyber insurance this year?
MK | All businesses – small, medium and large – have cyber exposures, and each company should be having conversations with their insurance broker about adequate cyber insurance coverage and risk transfer options. That said, I would prioritize some of the industries that have not previously bought cyber insurance on a widespread basis. Industries including finance, banking, healthcare, retail and hospitality – all well known for holding and using personal information – have already been exposed to cyber insurance and the risk of data breaches. Industries like construction, transportation and manufacturing, as well as smaller professional offices, however, are slowly being exposed to cybersecurity needs and do need more awareness in this space.

At Trisura, we are trying to increase the exposure of cyber insurance with all of our small to medium-size business clients, regardless of industry type. As mentioned, it is easier to target small and mid-size companies, as they may not have adequate security measures and resources in place to protect themselves. Trisura has a large surety book that comprises clients of all sizes in the construction industry – for example, builders, developers and contractors – and with them being more reliant on technology and computers, it is imperative that we offer cyber solutions as part of their overall insurance and surety bonding package. Likewise, we insure many small to medium-sized professional offices for errors & omissions insurance and directors & officers liability, and we are currently trying to target them for cyber coverage as part of their insurance portfolio.

IB | What features should brokers look for in a cyber policy today?
MK | Overall, good cyber insurance provides coverage for both an insured’s first-party and third-party losses associated with a network security breach, as well as the loss, theft, or unauthorized disclosure of personal information or confidential corporate information. The coverage should include expenses related to breach notification, extortion threats, public relations, credit monitoring, forensic investigation, defence costs, the costs of judgments or settlements, regulatory claims, business interruption and media liability, among other things. The reality is, every business has an exposure and should be protected accordingly. Exposures come in the form of employee information, customer information, internet access, electronic and network activities, and the overall use of technology.

Specifically, the most important element of any good cyber insurance policy is the claims handling service and response team associated with it. A cyber insurance policy should give clients access to experts in all fields of cybersecurity and make them feel comfortable throughout the whole process, whether it’s a full-blown claim, a possible breach or a system hack. The response team should be quick, flexible and able to handle any type of scenario. A good response team should include law firms and breach coaches; forensics and investigation professionals; public relations and communication specialists; and breach notification, identity repair and credit monitoring firms.

Legal experts can help minimize the risk of litigation and fines in the wake of a breach. They can provide legal advice based on your specific incident, such as determining how to notify affected individuals, government agencies, third parties and others who may be impacted. The law firms and breach coaches can also manage breach response teams and oversee all aspects of the response.

Forensic and investigative providers can advise your organization on how to stop the current data loss, prevent further harm and secure evidence as necessary. They can also determine where, when and how the breach or hack occurred, analyze data sources to determine what information has been compromised, and assist in data restoration.

Public relations providers can help develop both the internal and external communications needed during an incident, as well as oversee crisis management services. They can also provide advice on how to best position the incident to key audiences, update social media and help manage media questions related to the issue. Breach notification providers can help in the form of credit monitoring, credit reports, call centre services and direct mailing campaigns.

IB | If brokers are looking to sell cyber insurance to a client for the first time, what key points should they stress?
MK | All businesses, regardless of size and industry type, have cyber exposure. Regardless of whether they hold or store their customers’ or suppliers’ personal data or corporate information, these businesses have data on all of their employees and stakeholders that is at risk. Furthermore, all companies are reliant on computers, cell phones and the internet and therefore are susceptible to loss in the event of a cyberattack like ransomware, a hack, data loss, payment diversion or phishing, malware, and software or hardware failure.

Cyberattacks are indiscriminate and could come from anywhere. Even if it’s not from an attacker, one of the biggest forms of cyber exposure is the error of an employee clicking the wrong link, sending an email to the wrong person or leaving an unencrypted laptop or cell phone at a public place. Giving a tiny window of access to someone is all it takes. Cyber exposure could come from anywhere, and if it were to happen, it could give rise to significant financial loss.

My rule of thumb is to advise businesses that cyberattacks are not a matter of if but more of a when, and whether the company is able to withstand the financial impact of such an attack or loss. If it is not, or the business would like some additional protection, then cyber insurance is a key to their risk management process, no matter their size of business.

 

Keeping up with Technology: The Importance of Cyber Insurance


By Sara Ametrano

 

The more we rely on technology in both our professional and personal lives, the greater the risk that we, as individuals and companies, will be targeted by hackers.

Cyber-attacks can come in a variety of forms and steal all kinds of information if successful. Through panel discussions and presentations, April’s NetDiligence conference explored what the evolving nature of cyber can mean for the specialty insurance industry.

A peril:

When cyber coverage first emerged, it centered around liability. As time passed, the cyber risk area expanded, and it included possible scenarios such as social engineering and extortion. And today, clients are at a higher risk than ever before.

Where property and casualty policies are created based on hundreds of years’ worth of information, cyber threats are new in comparison. Creating a sustainable cyber policy plan is proving to be a challenge for underwriters today due to the lack of data available and the ever-evolving nature of the industry.

Ransomware:

One of the cyber areas seeing an increase in attack frequency and severity is ransomware. Beazley Breach Response Services reported that, in 2018, average ransomware demands were $116,000, compared to $15,000 just the year before. The report also revealed that the main targets of ransomware attacks are small to medium-sized businesses, absorbing 71% of the crimes.

These numbers underline the need for expertise in the field. Hackers have sharpened their skills to learn their target’s financial position so that they may determine the sum they will demand.

Silent cyber:

Where standalone cyber coverage does not exist, cyber and data breaches may fall under other policies, unbeknownst to insurers. This is what the industry refers to as “silent cyber.” Companies might not take these types of exposures into consideration, which can potentially expose their other policies that do not specifically exclude cyber/data breaches. At a glance, only 10% of silent cyber situations are clearly priced and defined, 40% have definitions but are not priced and the remaining 50% are neither defined nor priced.

So, now what?

The growing nature of technology and the lack of data surrounding cyber make it difficult to create a plan in the event an attack occurs. The conference provided tips on how to mitigate risk and minimize the confusion non-affirmative risk management can bring:

  • Analyze policy language and claims;
  • Collaborate with ethical hackers (the good guys) to better understand the motives behind these attacks and how they might appear in different scenarios;
  • Continue to update policy wording as need be.


Is your business protected against fraud?


By Sara Ametrano

 

Fraud isn’t a crime that only targets individuals. Some scammers set their sights on businesses. Is yours prepared for a potential attack?

As technology continues to evolve and our reliance on it grows, so does our vulnerability to being hacked. In fact, the FBI reports that there are roughly 4000 cyber-attack attempts in the US every day.

On a global scale, 2018 saw the creation of 245 million new viruses, with over 680,000 created each day. The Ponemon Institute reported that 54 per cent of companies experienced one or more successful attacks last year. The year before, the Canadian economy took a hit of 3.1 billion, as recorded by the Canadian Chamber of Commerce.

To truly grasp the magnitude of cyber fraud, Trisura Guarantee spoke with IT Weapons’ director of marketing and communications, Jeremy MacBean.

We asked MacBean what the most common error leading to these costly attacks is. “It’s in between the keyboard and chair – the people,” he revealed. “User awareness is the primary threat vector. That represents the biggest risks. It’s safe to say the majority of cyber-attacks begin with people clicking things they shouldn’t.”

Let’s take a look at some of the main types of scams that can impact businesses:

 

CEO scams:

Who’s at risk? Employees who work closely with a CEO or whose jobs include financial responsibilities are most at risk.

In this type of scam, someone is impersonating the CEO through email. These messages typically have a sense of urgency to them and are labelled “confidential.”

A CEO scam can cost businesses anywhere from tens of thousands to millions of dollars.

 

Business scams:

Who’s at risk? Company size doesn’t matter; any organization can find itself on the receiving end of a potential scam.

For these scams, there are a few different approaches the fraudster can take.

Directory: Here, the attacker sends your company a proposal for an advertising opportunity. First, the fraudster gathers the details needed to execute the crime. Then, he or she sends an invoice to the accounting department, who are unaware that the service was never approved.

Health and safety products: In this type of scam, you may receive a telephone call from the scammer. He or she impersonates a government official, informing you to quickly update your first-aid kits and health and safety training.

Office supplies: For this scam, the attacker will send over items the company didn’t order and then bill the business for them.

 

Phishing and smishing scams:

Who’s at risk? All employees. Phishing emails and smishing text messages appear to be sent from an authorized organization. They often use a similar tone and the logo of organizations you trust to trick you into providing personal information.

Fraud is an ongoing issue with new cyber viruses created and spreading daily, and different angles for attack. MacBean offers some helpful tips for individuals and businesses to protect themselves and their company as much as possible:

 

Individual:
  • Identifying the sender of an email is critical. To do this, hover your mouse over an email or URL to see what it links to;
  • Think before you click;
  • Do not click any attachments;
  • Installing antivirus and antimalware can help pre-scan.

Businesses:
  • Regular user awareness training;
  • Regularly reminding staff to be vigilant;
  • Regular training and possibly issuing a test phishing email quarterly or bi-annually.
