As the frequency of targeted attacks continues to rise, businesses may be placing misplaced confidence in the ability of their IT departments to protect them against cyber attacks.
“I suspect that if you were to survey businesses that had made a decision not to either put their mind to the risk exposure, try to quantify it and try to manage it, or as part of that analysis purchase insurance, a large number of them would suggest that the reason they haven’t done so is they have confidence in their IT,” Mario Fiorino, senior counsel with Insurance Bureau of Canada, said. “They have confidence that their IT controls are robust enough and that they are not vulnerable to penetration or to being attacked. I think there is a confidence, maybe a misplaced confidence or overconfidence, in their IT controls.”
But, the evidence has shown, no matter how robust IT security is, there are still vulnerabilities that can result in a loss, Kevin Kalinich, global practice leader for cyber insurance with Aon Risk Solutions, said.
There was a 42 per cent surge last year alone in targeted attacks as compared to 2011, according to Symantec Corp.’s Internet Security Threat Report, Volume 18. A whopping 31 per cent of these attacks were on small businesses with fewer than 250 employees – a sector that may feel immune to targeted attacks, Symantec reports. Symantec has established comprehensive sources of internet threat data through the Symantec Global Intelligence Network, which is comprised of roughly 69 million attack sensors and records thousands of events per second. The network monitors threat activity in more than 157 countries and territories.
Small businesses seem to assume that they are immune to attacks, based on surveys conducted by Symantec. However, this is not the case. Any business, no matter the size, is a potential target for attackers. “Money stolen from a small business is as easy to spend as money stolen from a large business,” Symantec writes in its report. “And while small businesses may assume that they have nothing a targeted attacker would want to steal, they forget that they retain customer information, create intellectual property, and keep money in the bank. While it can be argued that the rewards of attacking a small business are less than what can be gained from a large enterprise, this is more than compensated by the fact that many small companies are typically less careful in their cyberdefenses. Criminal activity is often driven by crimes of opportunity. With cybercrimes, that opportunity appears to be with small business.”
In fact, the threat caused by a small business’ lack of adequate security practices affects everyone. Hackers who can’t breach the defenses of a larger business will attack a smaller business that has a relationship with the real target, using it as a way to get into the larger one, Symantec reports.
Interestingly, while many would assume that the financial and government sectors would be the most targeted for a cyber attack, it is, in fact, the manufacturing sector, according to Symantec. In 2012, the manufacturing sector saw 24 per cent of all targeted attacks, up from 15 per cent in 2011. The government and public sector organizations saw a drop in attacks in 2012, from 25 per cent in 2011, to 12 per cent last year.
“The targets of cyber risk really include everyone – the attacks are, more often than not, indiscriminating and random,” Pat Van Bakel, COO at Crawford & Company (Canada) Inc., said. “The methods of attack are dynamic and evolving and therefore the mitigation and defense strategies need to keep pace.”
While it is imperative to have multiple layers and multiple walls, and to have confidence in a company’s IT system, the reality is that, just like a burglary, if someone is determined to get in, they are going to get in; there is no way to completely prevent that, Dale Avis, CIO, Crawford & Company (Canada) Inc., said. The key is to ensure that, in the event of a breach, there is a plan in place to handle it.
Available insurance coverage
“Cyber insurance is probably the fastest growing area of availability of insurance coverage in Canada and North America, if not the world,” Mike Petersen, communications, media and technology practice leader with Marsh Canada Ltd., said. “What began as an offering with a small number of underwriters in 1999-2000 in and around Y2K has reached the point where here in Canada there are in excess of 25 underwriters with a stated theoretical capacity of over $300 million for Canadian admitted paper.”
Coverage is available in the Canadian marketplace in varying degrees. Some markets have produced separate standalone cyber policies covering a wide range of exposures, such as privacy or data breach consulting services, notification expense reimbursement, forensic investigation expenses, crisis management services, etc., Dave MacDonald, assistant vice president, ProFin, global specialty lines with RSA, said. Many other markets created cyber endorsements, which provide a more limited scope of cyber coverage, attaching it to a D&O and/or an E&O policy.
As global awareness of cyber risks grows, Canadian markets are gearing up to establish coverage solutions that meet their clients’ local and foreign needs.
Petersen notes that at his firm, they break network security and privacy into seven different items:
1. privacy liability
2. network security liability
3. cyber extortion
4. regulatory defense
5. crisis management
6. property loss
7. business interruption
Typically the coverage includes various first party losses, including the loss of a business’ own data or a business interruption loss, and third party liability.
The difficulty, however, is that there is no uniformity in the wording or in the coverage, because it is such an emerging area. “Consumers will have to be very careful working with their respected advisors to make sure that they have the appropriate coverage,” Fiorino said.
Cyber exposures are, at best, not well understood by most people, MacDonald said. “There very well could be an understanding or misunderstanding that they’re fully protected from cyber attacks within their other insurance policies, such as CGL, D&O, and E&O,” he added. “To some extent, certain cyber exposures could be partially protected through these other liability policies, depending on the cyber circumstances and the actual coverage within these other policies. But for sure they would not be fully covered for all types of cyber issues.”
While Sean Forgie, executive general adjuster, national director of casualty/liability with the commercial risk division at Cunningham Lindsey, hasn’t handled a large volume of cyber claims, he says he has dealt with a number of claims on a CGL-type basis, where the gap in coverage is exposed. “Something has happened, information has gotten out there, and you are realizing there isn’t coverage for this under the normal insurance program.
“These claims can be very complex to handle, and if you don’t have underlying coverage under your general liability policy, paying the appropriate experts to handle this could be as large as the potential exposure of the claim,” Forgie adds.
Because many entities had the mistaken belief they had coverage under their property or general liability policies, there was little take-up on cyber insurance.
“What happens is the legacy policies might not have specifically excluded the coverage for cyber exposures, but they didn’t specifically include it, because they just didn’t think about it,” Kalinich said. “We didn’t have social media, we didn’t have mobile devices, we didn’t have ‘bring your own device to work,’ we didn’t have cloud computing, we didn’t have big data just five or 10 years ago, so we didn’t have those exposures accounted for in the policies.”
Despite the increase in cyber attacks, many companies still feel they are immune
“Some companies are going to take the approach that our internal security is good enough, that we don’t feel that we have a risk there that we are willing to pay the cost to the insurance,” Avis said. “Other ones are going to say that there is a huge potential risk there, that if there is a breach we need some coverage. You can get into a strategy where a business would only insure a high end, like an excess liability type coverage, then self-insure the smaller stuff. Then, if there was a huge breach, a business would have the high end covered off through insurance and transferring of risk strategy, especially around the low frequency, high severity and impact type claims.”
Large international companies, especially those with US exposures, are more apt to consider buying a cyber policy for their company, MacDonald points out. “They understand they’re exposed to many kinds of cyber attacks which could decimate their brand/image and financially destroy their company,” he said. The dilemma in Canada is that there are only a handful of high profile cases hitting the various media venues, which truly suppresses the need to protect a company and its employees with a cyber policy. “Corporate executives, for the most part, do agree that their companies are exposed to various forms of cyber attack, but until they, or their corporate neighbours, encounter an actual cyber intrusion, many businesses are resisting and taking their chances using the old cliché ‘it’ll never happen to us’,” he added.
As the threat to Canadian business increases, the appetite for risk management solutions, including insurance, will increase, John Proctor, vice president of security services with CGI, said. “Generally, Canada lags slightly compared to other countries, but this is true across the whole cyber security/risk mitigation portfolio.” Those companies most at risk, such as those with valuable IP, financial data, e-commerce requirements, etc., are likely to have great interest in the cyber security product.
“Most Canadian companies simply don’t see the need to spend their limited insurance budget dollars on cyber insurance,” MacDonald said. “Unfortunately, most of these companies will experience some form of cyber attack within the near future, but will be uninsured. It will be a serious wake-up call.”
As with any new product, it takes some time for enough policies to be in force to actually result in any significant volume of claims. “The exposures are certainly real and are occurring virtually every day,” Van Bakel said. “It ranges from malicious attacks like phishing, malware and spyware that can bring an entire company to its knees in an instant, to more unintentional events like an employee losing a mobile device or a memory stick.”
The risks are two-fold: first party and third party. First party exposures are reputational risk, business continuity, customer retention, as well as the direct costs of computer forensics, legal and public relations. Mass data breaches would also create exposure to class action litigation. Third party risks are, for the most part, a result of data breaches, but there are certainly other exposures, such as contract fulfillment and, depending on the nature of the business, could even be property damage and supply chain risks.
There are a number of different ways a company can be targeted in a cyber risk claim. The most common is denial of service, where a hacker will, basically, take possession of hundreds of thousands of computers across the world and attempt to access the same website at the same time. This shuts the website down, because too many people are trying to access it at once, John Valeriote, executive general adjuster at Granite Claims Solutions, said. This results in a loss of income, because the business is relying on the website to generate income. There are also viruses, where a hacker will break into a computer and place a virus, which will allow them to break in and steal information. They might steal information and sell it or hold a business hostage for ransom. Finally there is theft of information, where it might not be actual theft of a business’ information, but the client’s information, including credit card information, transaction numbers, etc. “These are the types of risk that the policies are contemplating,” Valeriote said, “and those are the claims that are evolving out of this.”
One of the key changes is coming to understand the complexity of the risk in a non-traditional insurance area. Actually processing the claim usually requires technical support and advice for the claimant and then deep technical support to assess the reality and the impact of the incident, Proctor said. The challenge in conducting the technical forensics and assessing the claim is not only discovering what happened and what was lost, but assessing the intangibles, such as brand and reputation value, future value of IP, financial impact of a data breach or e-commerce outage. At the same time, the process used for the forensics analysis may have to be legally defensible requiring the technical team to understand chain of evidence and chain of custody requirements.
When adjusting a claim, Valeriote and his team would immediately bring in a law firm to deal with legal issues relating to any stolen information. A public relations firm is brought in to handle any dialogue with the media, which helps clients to feel secure. Finally, an IT firm is brought in to figure out what exactly transpired. “We don’t use the insured’s IT people, because they may be in on it,” he said. “When I communicate initially, I never communicate by email, I always call, because I don’t know who has access to the system now; it’s clearly been breached.” The IT firm is brought in to determine how someone was able to access the system, what they did and ultimately assess the damage and determine the best way to repair the breach. Then another IT firm is brought in to actually handle the repair, to ensure that a company is not over-paying for the repair. Throughout the entire process, the independent adjusters would be overseeing all the activity and, at the same time, determining what coverage is available and what would be indemnified to the policyholder.
As an adjuster, be aware that you have to plan very early on what you are going to look for as to the cause of the damage and what you are going to do about it, Valeriote warns. If a company’s own internal staff starts trying to fix the issue, you are never going to find out the answer. It is not dissimilar from a fire claim, where the location is sealed off and nobody is allowed in until the expert determines a cause. But, while most people understand why they cannot enter the location of a fire, they do not always appreciate why they can’t begin rebuilding immediately after a cyber attack. All they recognize is that their business has been compromised and they want to get it back up and running, which could mean deleting files, checking discs, stopping entry. “What I really need to say is ‘don’t do anything for a minute, let me have my expert come in and see everything and save it and freeze that moment in time to see what has happened’,” Valeriote said. “That communication between you and the insured is vital to explain this has to happen before you continue doing what you are doing because they might delete everything that shows there was a breach, in which case there is no coverage.”
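The "freeze that moment in time" step above, together with the chain-of-custody requirement Proctor describes, is usually implemented by hashing every collected file and recording who acquired it and when, so that any later change (including well-meant cleanup by the insured's own staff) is provable. The script below is an added illustration, not code from the article or from any of the firms quoted; the directory layout, custodian name and file contents are constructed for the demo.

```python
"""Evidence-preservation manifest: hash every file under an evidence
directory, record a chain-of-custody entry, and verify later that
nothing has been altered, deleted or added. Added example; all paths
and sample contents are constructed, not taken from any real case."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large disk images are not read into memory at once


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def build_manifest(evidence_dir: Path, custodian: str, note: str) -> dict:
    """Walk the evidence tree and record relative path, size and SHA-256 of
    every file, plus the first chain-of-custody entry (who, what, when)."""
    files = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(evidence_dir).as_posix()
            files[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    manifest = {
        "created_utc": _now(),
        "custody": [{"who": custodian, "action": "acquired",
                     "note": note, "when_utc": _now()}],
        "files": files,
    }
    # Digest of the file table itself: quote this one value in the report so
    # anyone can later confirm they are checking against the same manifest.
    manifest["manifest_sha256"] = hashlib.sha256(
        json.dumps(files, sort_keys=True).encode()).hexdigest()
    return manifest


def add_custody_entry(manifest: dict, who: str, action: str, note: str) -> None:
    """Append a hand-over event (e.g. transfer to the repair firm)."""
    manifest["custody"].append({"who": who, "action": action,
                                "note": note, "when_utc": _now()})


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Re-hash the tree and report files that changed, vanished or appeared."""
    current = build_manifest(evidence_dir, "verifier", "re-hash")["files"]
    recorded = manifest["files"]
    return {
        "modified": sorted(k for k in recorded if k in current
                           and current[k]["sha256"] != recorded[k]["sha256"]),
        "missing": sorted(k for k in recorded if k not in current),
        "unexpected": sorted(k for k in current if k not in recorded),
    }


def demo() -> tuple:
    """Constructed scenario: freeze a small evidence tree, then show that a
    'cleanup' done before the expert arrives (deleting a log, editing a
    config, dropping in a patch) is detected on verification."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "logs" / "web.log").write_text("constructed log line 1\n")
        (root / "config.ini").write_text("[app]\ndebug=false\n")
        manifest = build_manifest(root, "forensic expert (constructed)",
                                  "initial acquisition")
        clean = verify_manifest(root, manifest)           # nothing changed yet
        add_custody_entry(manifest, "repair firm (constructed)",
                          "transferred", "handed over for remediation")
        # Simulate internal staff tidying up instead of freezing the system.
        (root / "logs" / "web.log").unlink()
        (root / "config.ini").write_text("[app]\ndebug=true\n")
        (root / "patched.txt").write_text("fix applied\n")
        after = verify_manifest(root, manifest)
    return clean, after


if __name__ == "__main__":
    before, after = demo()
    print("before cleanup:", before)
    print("after cleanup: ", after)
```

The manifest and its `manifest_sha256` would be written out alongside the evidence (or, better, to separate media held by the adjuster) at the moment of acquisition; every later hand-over gets an `add_custody_entry` call, and `verify_manifest` is what an opposing expert would run to check that what they were given is what was frozen.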
“I think we will see consumers becoming aware of this issue, both because of the increase in frequency and severity as being reported by the media, and secondly the necessity of the availability of the coverage and its foreseeable consequences will drive brokers to counsel their clients about this particular exposure,” Fiorino said.
Those businesses that do suffer a cyber incident are most likely uninsured and are now very motivated to purchase some form of cyber insurance protection, MacDonald said. Companies that thought they were insulated from cyber attack or simply didn’t have an exposure are coming to the realization of how widespread cyber risk truly is. “Virtually every company and business is exposed to some form of cyber attack,” he said.
Brokers need to be well armed with what cyber products and coverages exist in Canada in order to better serve their clients, MacDonald stressed. “Clients, with the assistance of their insurance broker, need to better identify where they may be exposed to cyber liabilities and how they can transfer those risks to insurance companies through purchasing a cyber insurance product which meets their needs.”
Like many risk strategies, sometimes the best model is a blended solution, Proctor said. In assessing the required protection, it will be important for the insurance provider to understand the risks associated with cyber coverage, what level of security it is reasonable to expect the insured to have, and the constantly changing threat of the cyber environment.