SPECIAL REPORT
CYBER INSURANCE
The biggest cyber threats for 2020 – and the solutions that can help clients tackle them
CYBER INSURANCE REPORT 2020

IBC caught up with four cyber insurance experts to uncover the answers to brokers’ most pressing cyber queries

CYBER HAS officially staked its claim as a central player on the global risk stage. In 2020, it’s no longer a matter of if a cyber incident will happen; it’s a question of when. Almost every organization and every person with access to the internet is exposed.

Awareness of cyber risk has grown significantly in the last decade, thanks in part to some extremely high-profile cyber events. Five years ago, a top concern for cyber insurers was the protection and security of payment card industry (PCI) data. This was due partly to the infamous Target breach in 2013, in which the retail giant lost 40 million payment card credentials and 70 million customer records at the height of the holiday shopping season. That incident was followed by an even bigger breach at Home Depot in 2014, whereby hackers infiltrated the retailer’s point-of-sale system and stole more than 50 million customer credit card numbers and 53 million email addresses.

Once risk managers, cybersecurity experts and insurers got to grips with the PCI data breach dilemma, hackers changed their course and started plaguing businesses with ransomware – a quick and easy way for cybercriminals to make money by extorting vulnerable individuals or corporations, encrypting important files and demanding payment for decryption.

Ransomware made its mark on the cyber risk map in 2017, when a group of elite hackers leaked highly classified hacking tools from the US National Security Agency on the dark web, including one that used malicious software called WannaCry, which had the ability to exploit the SMB communication protocol in Microsoft Windows. In May 2017, cybercriminals used the leaked tool to hack more than 200,000 computers across 150 countries, resulting in billions of dollars in losses.

Since then, cybersecurity has advanced to meet the threat of ransomware, but cybercriminals have also upped the sophistication of their campaigns. A few years ago, hackers preferred remote desktop protocol (RDP) brute-force attacks, looking for unsecured RDP services to exploit and encrypt with ransomware, but now they’re moving laterally within systems, turning off antivirus software and creating domain controller accounts to gain complete access and cause a lot more damage.

Every business in every sector is vulnerable to cyberattacks and non-malicious cyber incidents. So far in 2020, the CRA has been forced to temporarily suspend online services following what officials described as two “credential stuffing” schemes, malicious actors have leaked allegedly stolen data from Canada’s Royal Military College, tech firm Canon has fallen prey to a ransomware attack, and social media giant Twitter has suffered a sophisticated social engineering attack in which the accounts of celebrities and high-profile individuals were used to trick people into sending Bitcoin to criminal accounts. And these are just some of the challenges present.

While contending with cybercriminals, businesses are also under pressure to shore up their data privacy and protection practices, with the threat of increasingly punitive regulation should they slip up and expose personally identifiable information (PII). And cyber challenges have only grown more extreme in the context of the COVID-19 pandemic, which has forced many businesses to adopt remote working practices. With more employees working from home and accessing business networks remotely, commercial and personal cyber risk has grown exponentially.

Insurance Business Canada’s latest Cyber Insurance Report takes a deep dive into the complex and ever-changing cyber risk landscape and corresponding insurance market. The cyber experts IBC interviewed tackle seven key questions, from how the COVID-19 pandemic has impacted the cyber insurance market to what brokers should say to clients to help them understand the importance of purchasing cyber coverage. Through the insight provided on the following pages, IBC hopes to provide brokers with an enhanced understanding of the current state of the market and what they should be looking for in a cyber insurance policy.

Bethan Moorcraft
Editor, Insurance Business Canada
www.insurancebusiness.ca
PANEL OF EXPERTS

Lindsey Nelson
Cyber development leader, CFC Underwriting
As CFC Underwriting’s cyber development leader, Lindsey Nelson oversees the global business development strategy across CFC’s cyber portfolio and is responsible for key account management, participation in industry events and providing in-depth education within the business line. Nelson has nearly a decade of experience underwriting cyber and technology risks, first at Chubb and then as head of CFC’s international cyber team, and she continues to play an active role in underwriting. Her expertise in cyber has put her in demand for a range of conferences across North America and Europe, where she is a sought-after speaker on cyber insurance and a vocal champion for women and young brokers in insurance.

Greg Markell
President and CEO, Ridge Canada Cyber Solutions
As head of Ridge Canada Cyber Solutions, an MGA focused on providing insurance solutions for clients’ cyber and privacy needs, Greg Markell provides wholesale solutions to retail brokers, along with consulting on cyber and privacy insurance programs. Markell began his career underwriting for a large national insurer, starting in property & casualty before quickly moving into executive and professional risks, with a focus on D&O. He then moved to a national brokerage, where he focused on specialty insurance products for financial services companies, including D&O and cyber liability. He eventually became a partner in the firm before moving on to join a top 10 global broker as the practice leader for cyber and privacy liability.

Jacqueline Detablan
Vice-president, specialty insurance, CNA Canada
Jacqueline Detablan is responsible for CNA Canada’s specialty insurance operations across management liability, financial institutions, professional liability, cyber and healthcare lines. She is charged with aligning branch strategy and ensuring underwriting integrity for CNA’s specialty business in order to drive profitable growth. Prior to joining CNA in 2017, Detablan worked for AIG for 15 years, holding various positions of increasing responsibility, including vice-president of the complex financial lines portfolio, where she was also responsible for professional liability and cyber product leadership for Canada. Detablan began her career in RSA’s commercial underwriting department.

Michael Kalakauskas
AVP and product manager, professional and cyber liability, Trisura Guarantee Insurance Company
As the national E&O and cyber product manager at Trisura Guarantee Insurance Company, Michael Kalakauskas is responsible for product development, strategy, training, reinsurance placement, marketing and broker relationships in Canada. His product expertise includes miscellaneous and technology E&O, media liability and cyber liability. Prior to joining Trisura Guarantee, Kalakauskas held several account manager roles at various national and international insurance brokerages. Having held insurance positions in Halifax, Montreal and Toronto during his 13 years in the industry, Kalakauskas understands the diverse insurance and risk landscapes and enjoys collaborating with brokers across the country.

How is the cyber insurance market shaping up in 2020?

Lindsey Nelson: We were one of the first markets to ever write a cyber policy back in 1999, and never has there been as much change in the cyber landscape as we’ve seen in the last year. Clients have more choice than they’ve ever had before in where they place their cyber policy, which has meant increasingly broadened coverage at increasingly competitive prices, particularly from players new to the game. And yet the size of the Canadian cyber market is still relatively small – meaning it takes only one or two significant losses for cyber insurers to react and readjust for what has previously been a soft market relative to other lines of insurance.

The cyber market has evolved more in 20 years than the property market has in the last 200 as we adapt to new threat landscapes, and with the increase in frequency and severity of cyber claims happening for Canadian businesses, cyber insurers are yet again refining what their product should do for clients. Cyber providers like ourselves are now getting ahead of claims before they even happen, which ultimately provides something much more tangible for the client in helping to understand what value their cyber policy brings. At CFC, we continue to expand and make investments in our cyber claims infrastructure. By way of our acquisition of ThreatInformer last year, we have a very well-established data enterprise division that works collaboratively with our underwriting and incident response teams in providing complementary risk management services upfront to clients.

One of the most exciting developments to our cyber suite this year is the major upgrade that we recently rolled out to our award-winning cyber incident response app. Leveraging our proprietary data enrichment platform and threat intelligence feeds, along with insights from active cyber claims, the app now notifies policyholders of critical, time-sensitive threats and vulnerabilities in real time, helping our customers to protect themselves from incidents before they happen and prevent potential losses. As well as providing them with direct access to our CFC Response team to instantly notify an incident, the app also now enables policyholders to access our specialist technical team for help with their cyber risk mitigation and general cybersecurity questions. This upgrade has been done in the spirit of taking risk management to the next level and to bolster our commitment to being a stable, long-term cyber partner for our Canadian clients.

Greg Markell: Overall, the cyber market in Canada has grown in 2020, and we expect continued growth. We’ve seen several new market entrants this year, and capacity continues to be available. We’ve seen a slight tightening on certain coverages as loss ratios continue to mature globally. Given cyber is a ubiquitous risk that knows no geographic bounds, it’s important to look at both the macro development of attack vectors across the globe, as well as focusing on micro patterns developing within our borders that affect Canadian companies.

In terms of rates, the insurance market in general is seeing rate increases, and we would anticipate that treaty renewals are going to continue to see rate being pushed into 2021. Again, looking at things financially, from a macro perspective, supply of capital amongst traditional lines continues to be a challenge. Low interest rates continue to affect reinsurers, which puts a greater focus on underwriting profitability at the insurer level. Couple low rates with lack of returns in traditional fixed income, and this is going to create headwinds for the industry in general. Given the cyber insurance market is attempting to hit critical mass in Canada, we don’t foresee a major rate reaction this year, but we predict we will see some tightening continue. Further, we expect to see the traditional P&C coverages zero in on cyber exclusionary language as the market continues to harden. Conversely, the cyber market continues to be split on having crime coverages exist on cyber policies. While we do not anticipate this changing over the course of the next year, we continue to monitor supply of capacity for coverages directly impacting dollars, as opposed to data.

Despite incredibly challenging market conditions for our broker partners, Ridge Canada continues to see an opportunity. Broker investment in cyber is paying off, and we’re seeing customer sales life cycles shorten considerably. So, in the most challenging market in 20 years, with insurance costs surging on existing lines of business, we are seeing brokers continue to do a fantastic job in addressing clients’ risk transfer needs.
Coming full circle, with the increased demand for cyber coverage, the overall supply continues to be able to satisfy market demand. Market maturation and losses in Canada mean rate reductions should not be expected; however, there is still enough competition in Canada to keep things stable in comparison to the traditional lines of business, with only moderate rate increases where warranted. At Ridge Canada, given how nimble we can be, we feel we’re in a very good position heading into 2021.

AVERAGE COST OF A DATA BREACH
$3.86 million: global average cost of a data breach in 2020
$8.64 million: highest average cost of a data breach by country (the US)
$7.13 million: highest industry average cost of a data breach (healthcare)
$150: highest average cost per record (personal consumer data)
Source: Cost of a Data Breach Report 2020, IBM Security; all figures in US$

Jacqueline Detablan: Rates are increasing modestly, and I anticipate this will continue, given the rise in frequency and severity of events, coupled with the higher reinsurance costs. Although there is tightening of capacity with traditional carriers, new capacity is entering the market in the form of fintechs that have recently launched. It remains to be seen what role these firms will play in the Canadian cyber insurance market.

Michael Kalakauskas: The cyber market has been very volatile for most of 2020. We have seen pricing increases range around 10% to 50%, as well as a substantial increase in deductibles. Furthermore, most markets are reducing their capacity, with limits being greatly lowered on both third-party and first-party coverages. While some markets have pulled back, others have increased their appetite and capabilities. It’s a very interesting time in the cyber insurance world.

From a cybersecurity trend standpoint, the sheer volume of cyberattacks and compromised personal information on a worldwide level is at an all-time high and will only continue to grow with the expansion of things like company interconnectivity, the Internet of Things, the use of cloud services, artificial intelligence and machine learning, automation, and small to medium-sized business vulnerability. These trends point to the need for all organizations to increase their security and awareness in protecting themselves against cyberattacks and data breaches. Cybercriminals and attacks are only getting more sophisticated, so as an industry, we need to keep up with and respond to emerging threats.

Another important trend is the evolving landscape of international data privacy laws and government/regulatory body involvement. These new or updated laws – for example, GDPR in Europe or PIPEDA here in Canada – are making companies move from a reactive approach to a proactive approach towards cybersecurity. We’re now seeing a greater focus on system security and the ability to safely store and use personal information.

In terms of cyber coverage, brokers need to be aware that third-party liability coverage for data breaches is only one piece of the overall cyber insurance puzzle. The trends from a coverage standpoint – and the most common causes of current cyber claims, in our experience – are ransomware, social engineering and business interruption. Not all businesses carry large amounts of personal data that may be targeted in data breaches; however, all businesses are dependent on computers, cell phones and the internet – things that ultimately make them vulnerable to different types of cyberattacks. The one thing that all companies do hold is employee data, which exposes all companies, regardless of size, to a potential data breach. It is easier to target small and mid-sized companies, as they may not have adequate security measures and resources in place to protect themselves. To safeguard against today’s cyberattacks, small companies must reassess their security position and ensure adequate measures and controls are implemented, including the purchase of cyber insurance coverage and speaking with a true insurance professional.
How has the COVID-19 pandemic – and the accompanying increase in remote work – impacted the cyber insurance market?

Greg Markell: In a single word: awareness. This doesn’t just apply to the insurance industry, but to all business owners. Those of us who are in cyber all day, every day might take for granted how reliant businesses can be on their networks, but the beginning of the pandemic, I believe, opened a lot of eyes to the three pillars of a cyber/privacy claim: people, process and technology. Businesses don’t operate anymore without a combination of all three. COVID has exposed vulnerabilities in each of said pillars. Whether it be a lack of training permeating throughout the organization – boards/management can be just as vulnerable as front-line staff if there is no training or cyber-awareness culture – or shifting operations to be away from the business, or legacy systems/technology that threat actors are able to exploit, COVID has had an impact. Insurers that are not able to synthesize their data quickly enough will likely be faced with more frequency-related losses as a result of COVID. However, and this cannot be stated enough: If not handled properly or ignored, frequency will migrate into severity.

Consider that the migration to work from home in March saw an increase in business email compromise [BEC] issues. BEC is still one of the main attack vectors leading into social engineering or crime losses, which are the fastest way for threat actors to monetize. It’s the equivalent of ‘smash and grab,’ if we’re correlating to tangible loss. Those same vulnerabilities that gave impatient threat actors the opportunity to pull off ‘smash and grab’ at the beginning of COVID will have resulted in some of the more organized and patient threat actors getting access to corporate systems. Essentially, those criminals are currently ‘casing’ company networks. Average dwell time for malware, depending on who you want to cite, is between three and six months.

The industry has been dealing with its own scourge for several years now in ransomware. At the beginning of COVID, threat groups shifted their own strategies to capitalize on low-hanging fruit as it relates to revenue-generating opportunities. It’s cheaper, quicker and easier to exploit people using programs where most organizations don’t turn on security due to fear of inconvenience than it is to spend their own time, money and resources scoping out those same vulnerable companies and gathering intel to plot their attack/extortion against all three pillars.

From a coverage perspective, we continue to provide best-in-class language to our broker partners for their clients. Remote work, bring your own devices [BYOD] and asset identification were all items that we had contemplated pre-COVID, so we haven’t needed to reinvent the wheel to continue to ensure that we’re addressing broker/client needs related to our products. What we’re finding is that we have more of an opportunity to have beneficial risk management discussions with our brokers to help drive value down to the client. Increased awareness at all levels is something that we feel is going to continue to drive the cyber insurance market forward.
Lindsey Nelson: While the massive influx of remote working has woken many businesses up to their cyber risk and the fact that they can actually transfer the risk of their systems being down to a cyber policy, it’s equally creating more opportunity for cybercriminals – in fact, this new era of remote or even partially remote working couldn’t be a better situation for them. Employees are working on potentially insecure devices, working through RDP without multi-factor authentication implemented, and businesses may not have implemented any additional training to help them spot potential scams.

With that in mind, there are three main areas that brokers should look to cover when speaking to clients about cyber during this time: remote login capabilities and security, like multi-factor authentication; employee training on spotting phishing scams; and incident preparedness. A few questions might be: Was the client able to switch to working remotely with minimal disruption, or were they having to implement new and untested methods to access the office remotely? Are most software and services being used cloud-based, or are they having to look at a potential migration? Do they still have any legacy systems in the office? Do they have an incident response or business continuity plan, and have they discussed how they would carry out that plan remotely?

If there’s anything to take away from this for clients, it’s that the rapid increase in cyber claims is by no means just a COVID-19 issue – claims were already well on the rise prior to the current landscape, and we expect this trend to continue as businesses become increasingly reliant on their intangible assets. There’s often an assumption that COVID has led to a significant increase in the frequency of cyberattacks – and while we may be in a period of calm before the storm while many businesses still aren’t fully operational to have discovered an incident just yet, what our cyber claims team has noted is that the severity of cyberattacks is much more impactful than what we were experiencing pre-COVID-19. The likelihood of companies falling victim to these scams in a vulnerable and remote-working scenario is greater, and getting back up and running after a crippling cyber event becomes all the more complicated.

TOP CYBERSECURITY TIPS FOR WORKING REMOTELY
Keep in close contact with your employer
Use what’s in your company’s tech toolbox
Control the impulse to improvise
Stay current on software updates and patches
Keep your VPN turned on
Beware of coronavirus-themed phishing emails
Develop a new routine
Source: Emerging Threats 2020, Norton

Jacqueline Detablan: The COVID-19 pandemic has increased the profile of cyber risk, given the reliance we have as a society on connectivity. Additional underwriting information is often being requested, including how a firm has been able to adapt during this pandemic. Additionally, at times we are looking to determine whether this has resulted in any changes in priorities for firms from an IT security perspective, given that there is always a finite number of resources. For any business, an interruption to normal operations can have far-reaching effects. As businesses manage through COVID-19, CNA has resources that can help to reduce exposures and keep organizations moving forward.

Michael Kalakauskas: COVID-19 remains a challenge for the insurance world. The cyber insurance market should be very concerned with heightened cyber exposures while people work from home with lesser security, employee awareness and procedures. This is the perfect time for cyber criminals to make their move, and we’re already seeing phishing attacks and viruses on the rise in every sector. Also, when working from home, it’s harder to react and deploy an incident response plan or disaster recovery plan, which may result in more frequent and possibly more severe attacks. It’s a time of great stress and worry, and people are paying less attention. Things that might impact cybersecurity during COVID include older/out-of-date computer software and antivirus software/firewalls, a lack of cybersecurity procedures/policies, a lack of encryption protocols, infrequent password changes, audits not being performed, general misuse of computers and emails, and employees not on high alert. We must all stay vigilant.
What are the most common causes of cyber claims, and how can brokers help companies prevent and mitigate these risks?

Lindsey Nelson: Ransomware shows no sign of abating, making up 31% of the total claims CFC managed globally last year and accounting for almost half those handled for Canadian businesses. However, 2020 is showing us the emergence of one worrying trend when it comes to these attacks: We’re increasingly seeing criminals steal confidential information and then threaten to release it if ransomware demands aren’t paid. They’re also conducting more due diligence to determine the maximum amount an organization can afford to pay to determine how much they try to extort. So where ransomware was typically associated as being a business interruption or system damage concern, it’s now increasingly becoming a privacy concern, triggering notification obligations to customers and key stakeholders.

At the same time, we shouldn’t let the latest ransomware attacks distract us from the fact that run-of-the-mill phishing attacks, leading to business email compromise and wire transfer fraud, still make up a large percentage of claims across the globe, including for our Canadian policyholders and accounts. And in the context of COVID, many businesses are spending thousands out of their own personal expenses to reopen, so the last thing they need is to lose their personal funds to a fraudulent third party.

Brokers play a crucial role in helping their clients mitigate against cyberattacks, the least of which is communicating to their clients that coverage is available by way of an affirmative, stand-alone cyber policy. Although businesses understand the value of a cyber policy and are purchasing at a far faster rate than they ever have been before, we’re still in a position where clients in Canada are non-buyers, with just over 10% of businesses purchasing a cyber policy. Education is a very powerful tool to help change that, and brokers are the best-positioned individuals to help companies realize that the value of their intangible assets has now far outstripped their tangible ones. Regular communication is essential, using educational tools such as the cyber claims case studies we publish and the advisories we issue about the latest threats to help these companies better understand the very real risks that they face and how to avoid them.

TOP CAUSES OF DATA BREACHES
Malicious attacks: 52%
Compromised credentials: 19%
Cloud misconfigurations: 19%
Nation state attackers: 13%
Source: Cost of a Data Breach Report 2020, IBM Security

Jacqueline Detablan: Ransomware continues to lead the pack for the causes of cyber losses for the industry. A report from Kaspersky estimates that ransomware could cost organizations $1 million on average and, in severe cases, more than $5 million. At CNA, we are seeing an increased number of business interruption claims following these events. [The Kaspersky] report also acknowledges that the long-term consequences following a ransomware attack can be far more devastating when considering the disruption to essential corporate networks and the costs associated with rebuilding. Knowing how to respond to ransomware attacks is valuable, as threats are at an all-time high.
No preventative measures are foolproof, but employee education, having appropriate backups, and knowing what data you have and where it is stored are key, as well as ensuring that the resources from a security perspective are adequate. With respect to mitigating losses, having an incident response plan that is known and tested within an organization is very important. Carriers like CNA Canada are equipped with risk control advisors to help businesses manage risks and increase efficiencies. In our recent blog, we explore cybersecurity risks when managing a remote workforce and how to protect employees and businesses. The Canadian Centre for Cybersecurity also has several best practices to help shield businesses.

Greg Markell: Attack vectors remain relatively unchanged through the pandemic. There was the increase in BEC at the beginning, and we predict that ransomware is going to continue to affect businesses of all sizes. Employee training has been a big help, considering that the majority of unauthorized access occurs with people clicking links or opening attachments unknowingly. Organizations should be patching known vulnerabilities in their software, especially their monitoring software, and upgrading unsupported hardware, as these two items make it really easy for the bad folks to break in. If the organization doesn’t have the budget for that sort of expense, they should be disconnecting those machines or programs from internet access. One security item that is majorly preventative is multi-factor authentication. This is free to turn on if you’re running Google or Microsoft email services and can really help prevent BEC. Additionally, the best mitigation techniques for ransomware remain relatively consistent from before COVID: backups being segregated from networks (and if all of your data automatically goes into the cloud, don’t assume you’re fine), testing your backups, and next-generation endpoint threat protection – think antivirus on steroids.

While attack vectors and exploitation of vulnerabilities remain somewhat consistent, there are a few developments that should be concerning to businesses. Ransomware historically was just “pay us and we’ll unlock your files” and didn’t carry as much of a privacy risk. Now threat groups are recognizing that taking organizational data and extorting businesses is much more lucrative than simply locking it up and asking for funds. As regulations continue to mature, layering the privacy element to the second quickest monetization strategy for threat groups can help give them leverage. Whereas before, a company might decide not to pay the ransom and simply restore from backups – if they are lucky, which most are not – they still might have to alert customers and regulators, and situations can take longer and cost more if companies have not planned for the risk.
Which client groups should be the target markets for cyber insurance this year?

Greg Markell: All of them. Jokes aside, point to an industry that doesn’t have their revenue-generating activities impacted by an element of technology, and I’ll point you to an industry that doesn’t have some sort of cyber exposure. I think it’s more about how we support our brokers in their conversations with clients about their aversion to risk and identifying what clients don’t want impacting their balance sheets and income statements. This is truly one of the value-adds that Ridge Canada brings to the table for our broker partners.

Jacqueline Detablan: The answer is simple: everyone. This year is demonstrating more than ever that nobody is immune to cyber risk with the increased virtual work environment. Many operations that were able to continue to function during these times now realize that vulnerability in their security could shut them down completely. Brokers should have conversations with their clients and educate them on the importance of cyber risk. If a client chooses not to buy, they need to be comfortable with the possible stress on their balance sheet, as well as how to respond to these events independently. Insurers have relationships with vendors who are experts in dealing with these situations.
CNA Canada’s cyber proposition reflects the continued changing risk environment. Technology adoption creates new exposures, and cybercriminals are becoming more sophisticated. Our pre-breach services are designed to enhance our cyber solutions to help policyholders combat cyber losses with minimal controlled and predictable costs. The more prepared a business is to handle a cyberattack, the faster it can identify the problem and get back on its feet.

Michael Kalakauskas: All businesses – small, medium and large – have cyber exposures, and each company should be having conversations with their insurance broker about adequate cyber insurance coverage and risk transfer options. That said, I would prioritize some of the industries that have not previously bought cyber insurance on a widespread basis. Industries including finance, banking, healthcare, retail and hospitality – all well known for holding and using personal information – have already been exposed to cyber insurance and the risk of data breaches. Industries like construction, transportation and manufacturing, as well as smaller professional offices, however, are slowly being exposed to cybersecurity needs and do need more awareness in this space. At Trisura, we are trying to increase the exposure of cyber insurance with all of our small to medium-size business clients, regardless of industry type. As mentioned, it is easier to target small and mid-size companies, as they may not have adequate security measures and resources in place to protect themselves. Trisura has a large surety book that comprises clients of all sizes in the construction industry – for example, builders, developers and contractors – and with them being more reliant on technology and computers, it is imperative that we offer cyber solutions as part of their overall insurance and surety bonding package. Likewise, we insure many small to medium-sized professional offices for errors & omissions insurance and directors & officers liability, and we are currently trying to target them for cyber coverage as part of their insurance portfolio.

Lindsey Nelson: Cyber risk was, for a long time, synonymous with privacy risk; this class of insurance grew in large part as a way of managing the risk associated with growing privacy legislation. However, while privacy is still an important part of cyber policies today, it would be misleading to say that only companies with a privacy exposure have a need for cyber. In fact, the nearly ubiquitous use of technology to run businesses today – whether using wire transfers when dealing with suppliers, storing valuable IP on computer systems or using technology to fulfill business-critical functions – means that nearly all businesses in all industries have some form of cyber exposure and therefore a need for affirmative coverage. Ironically, the businesses that are probably most at risk are those that don’t think they have an exposure because they think they are too small, too secure or too unlikely a target. A good example of this is the construction industry, which is one of the industries that thinks they’re the least likely exposed, yet is one of the industries that has the highest source of claims activity by frequency at CFC. Regardless of whether you hold any data or not, almost all businesses make and receive payment using wire transfers. These businesses are also less likely to have adequate security or train their employees.

AVERAGE COST OF A CYBER INCIDENT BY BUSINESS SIZE
SMEs: Data breach $178,000; Legal $181,000; Crisis services $112,000
Large businesses: Data breach $5.6 million; Crisis services $3.8 million; Legal $2.2 million
Source: Cyber Claims Study 2019, Diligence; all figures in US$
They generally lack an incident response division and are likely to still be collateral damage in large-scale cyberattacks where they’ve outsourced their IT services to big-name providers, who are increasingly the target of attacks impacting thousands of businesses globally. Collectively, this makes businesses a prime target for cybercriminals on the lookout for low-hanging fruit.
What features should brokers look for in a cyber policy today?

Jacqueline Detablan: I would always recommend assessing an insurer’s ability to manage claims. Cyber claims are unique in that they are almost always an ‘all hands on deck’ process with claims, brokers, breach coaches, forensic firms and the insured working together to resolve breaches as quickly as possible. Prevention, communication and trust are key. At CNA, we encourage policyholders to meet with these individuals before there is an incident so that they have the foundation for effective communication.

Lindsey Nelson: Cyber wordings are incredibly broad across the market right now and are becoming more uniform over time. More recently, however, brokers have started to switch from comparing and contrasting wording technicalities between carriers to emphasizing the credibility of the claims solution that sits behind it instead – and it’s worked to their advantage, with clients understanding that the policy, in essence, works as a service without losing sight of the overall message. This means that the real differentiator in this class in terms of strength of the product and longevity of a cyber insurer is quickly becoming the claims service behind the policy. One of the common objections we hear clients say is that they’ve invested in their IT infrastructure and therefore don’t need to purchase a cyber policy. Very few, however, realize the value that a set of cyber experts brings and that this expertise comes free with a policy. If we’ve learned anything from handling previous claims, it’s that IT departments are very different from incident response teams – and incident response can complement what IT already does very well from a different angle or, for smaller businesses, provide the full end-to-end solution in the absence of a CISO or IT division. A well-staffed, in-house cyber incident team with ample experience dealing with these threats is therefore a must. These will be the experts on the other end of a call who bring a well-rounded wealth of expertise, from technical to legal assistance, and who will know the most about ransomware variants and ransom demands, recovery from compromised business email accounts, and privacy obligations. And this knowledge and experience from a technically led approach ultimately leads to quicker recovery and less material impact to the business. When trying to find out whether a cyber insurer has the capability to handle the wide range of cyber threats now emerging, here are a few questions you can ask: Is the insurer established in the class, and do they have global reach? Does the insurer have internal cyber claims capabilities, or is everything outsourced to a third-party vendor or law firm to triage? Is cryptocurrency kept on hand in order to ensure a timely ransom can be paid if the insured has made that decision? What process do you have in place for checking sanctions to determine whether the insured is paying a sanctioned entity?

Greg Markell: This can vary client by client. However, there are a few things that brokers should have their eyes out for. For tangible contract elements, this includes robustness of first-party/expense coverages (are they full limits?), extortion language (how does your client want the claim handled?), breadth of business interruption language (how is it addressed, and what are the potential limitations?), conditions precedent language (brokers, beware) and exclusionary elements related to each client (review the exclusions for carvebacks and the definitions for carve-outs). In terms of intangible contract elements, who is handling claims? Are Canadian vendors identified? Is there a breach coach who is a lawyer available to the client? Are there any additional services available for clients? With that in mind, I think one of the more important things to note is that cyber extensions off package offerings might not be adequate for clients. I would caution brokers from falling into the trap of, “We have the extension, so the client has $50k–$100k of coverage, and that’s all they need.” There may be an element of coverage, but it really doesn’t address the bulk of client exposures to large elements of remediation for BEC as well as ransomware.

Michael Kalakauskas: Overall, good cyber insurance provides coverage for both
an insured’s first-party and third-party losses associated with a network security breach, as well as the loss, theft, or unauthorized disclosure of personal information or confidential corporate information. The coverage should include expenses related to breach notification, extortion threats, public relations, credit monitoring, forensic investigation, defence costs, the costs of judgments or settlements, regulatory claims, business interruption and media liability, among other things. The reality is, every business has an exposure and should be protected accordingly. Exposures come in the form of employee information, customer information, internet access, electronic and network activities, and the overall use of technology. Specifically, the most important element of any good cyber insurance policy is the claims handling service and response team associated with it. A cyber insurance policy should give clients access to experts in all fields of cybersecurity and make them feel comfortable throughout the whole process, whether it’s a full-blown claim, a possible breach or a system hack. The response team should be quick, flexible and able to handle any type of scenario. A good response team should include law firms and breach coaches; forensics and investigation professionals; public relations and communication specialists; and breach notification, identity repair and credit monitoring firms. Legal experts can help minimize the risk of litigation and fines in the wake of a breach. They can provide legal advice based on your specific incident, such as determining how to notify affected individuals, government agencies, third parties and others who may be impacted. The law firms and breach coaches can also manage breach response teams and oversee all aspects of the response. Forensic and investigative providers can advise your organization on how to stop the current data loss, prevent further harm and secure evidence as necessary. They can also determine where, when and how the breach or hack occurred, analyze data sources to determine what information has been compromised, and assist in data restoration. Public relations providers can help develop both the internal and external communications needed during an incident, as well as oversee crisis management services. They can also provide advice on how to best position the incident to key audiences, update social media and help manage media questions related to the issue. Breach notification providers can help in the form of credit monitoring, credit reports, call centre services and direct mailing campaigns.
If brokers are looking to sell cyber insurance to a client for the first time, what key points should they stress?

Jacqueline Detablan: No one is immune. The human element, for one, plays a central role in increasing a company’s cyber risk. I would encourage brokers to speak openly about the exposures without using traditional scare tactics. In the current environment, cyber insurance has become a valuable risk transfer and risk mitigation tool for companies across the board. Even over the past few years, there has been a continued evolution in the cyber insurance space, from continued expansions of coverage for business interruption and system failure resulting from cyberattacks to a heightened focus on silent cyber. There is also continued discussion around the topic of cyber as a peril – rather than covering all exposures related to cyber under a cyber policy, consideration needs to be given to treating cyber as a peril that needs to be addressed under multiple coverage lines. In addition, an insurance policy with a reputable carrier gives an insured access to top response firms should they experience a cyber-related incident. Not all insureds have the ability or resources to deal with these situations.

TOP CYBERSECURITY THREATS FOR SMALL BUSINESSES
1. Phishing attacks
2. Malware attacks
3. Ransomware
4. Weak passwords
5. Insider threats
Source: Expert Insights, 2020

Lindsey Nelson: Our experience has taught us that before any specific coverage is discussed, clients first need to understand that they have a real exposure, and it needs to make sense for their business, as these exposures vary by industry. For example, if they hold a lot of sensitive data, then the conversation might focus on their privacy obligations; if they send or receive a lot of wire transfer payments, the conversation might centre around cybercrime; if computer systems are critical to their day-to-day operations, then brokers should be talking about business interruption. Our broker partners who are actively using our Connect cyber platform – where, in addition to quotations, we provide industry-specific claims profiles based on their client’s industry sector – are quickly seeing success in selling the coverage.
When moving on to discussing the coverage that is available to address these risks, it’s also useful to relate cyber to lines of insurance that novice buyers are more familiar with. With kidnap & ransom policies, for example, you’re buying access to someone with expert negotiation skills who will get on the phone to negotiate a ransom – and cyber policies operate the same way, only it’s your computer systems held hostage, so you want to make sure the person picking up the phone is best-in-class. There are also several parallels with traditional crime policies. Extorting companies, stealing data and socially engineering employees into handing over money are all various forms of crime and really serve as an example that crime has just shifted from the physical to the electronic.

Greg Markell: I would stress that no industry vertical, size of client, nor level of protection makes them immune. Neither does buying an insurance policy – insurance isn’t going to solve their cyber issues for them. In fact, there are a lot of clients that probably aren’t ready to buy a cyber insurance policy. This is where I think the brokerage community in Canada is doing such an awesome job. We’ve seen deeper conversations around security being a major focus throughout 2020. These conversations are happening at all levels, which is positive for Canadian businesses. In fact, we’re hearing that a lot of clients are actually asking about cyber coverage. For brokers who are selling a policy for the first time, there are a few basics to look for. The easiest way to think about the policy is that there are expense/first-party coverages – where Canadian companies are seeing most of the losses – in place to help mitigate a liability claim. As I’ve mentioned, looking a little deeper at the first-party/expense coverages is an exercise that should be undertaken. Fulsome cyber insurance policies will have extortion; business interruption; event management expenses, which can be broken down into many different parts and are called something different market by market; payment card industry coverage; and regulatory coverage in addition to the liability coverages for privacy breach and network security liability. Top-quality policies will also include things like contingent business interruption, reputational harm, bricking, crime coverages and really strong language in the general terms and conditions. Having been a broker for a number of years, one of the early drivers of cyber purchases was the expense coverages for businesses. This is still a reality today. However, there was not a single conversation that didn’t end up focusing on an element of business interruption. We didn’t need a crystal ball to predict that ransomware/extortion losses had the potential to impact business operations amongst Canadian companies. The business interruption coverage found in a property policy
is not going to help your client in the event of a cyberattack. Basically, no fire, no water, no wind: no coverage. As a result, my advice to brokers would be to understand what your options are for your clients and look at the policies to ensure you know what to expect should something happen to your client. Spend a little more time on the items affecting business email compromise/unauthorized access and how that can affect other coverage elements: the event management expenses, network security and privacy liability coverages, the crime coverages, and the business interruption loss coverages. For ransomware, look closely at the extortion insuring agreement and how other elements of the policy would support once the situation is under control. We hear all the time that the cyber policy is really complex. We hear you; it is. We’re here to support our brokers to navigate these complexities. We have one of the largest dedicated cyber underwriting teams in the country and are here to answer questions, no matter how large or small the opportunity is.

Michael Kalakauskas: All businesses, regardless of size and industry type, have cyber exposure. Regardless of whether they hold or store their customers’ or suppliers’ personal data or corporate information, these businesses have data on all of their employees and stakeholders that is at risk. Furthermore, all companies are reliant on computers, cell phones and the internet and therefore are susceptible to loss in the event of a cyberattack like ransomware, a hack, data loss, payment diversion or phishing, malware, and software or hardware failure. Cyberattacks are indiscriminate and could come from anywhere. Even if it’s not from an attacker, one of the biggest forms of cyber exposure is the error of an employee clicking the wrong link, sending an email to the wrong person or leaving an unencrypted laptop or cell phone at a public place. Giving a tiny window of access to someone is all it takes.
Cyber exposure could come from anywhere, and if it were to happen, it could give rise to significant financial loss.
My rule of thumb is to advise businesses that cyberattacks are not a matter of if but more of a when, and whether the company is able to withstand the financial impact of such an attack or loss. If it is not, or the business would like some additional protection, then cyber insurance is a key to their risk management process, no matter their size of business.
How have data privacy laws like PIPEDA and GDPR impacted cyber exposure? Have there been many claims? Are companies well protected?

Lindsey Nelson: Both PIPEDA and GDPR certainly brought about an increase in the awareness of cyber policies as a method of risk transfer for businesses; however, with regulatory fines very few and far between – particularly for businesses that don’t hold any significant PII, like manufacturers or construction – there hasn’t been any meaningful claims activity for the everyday Canadian business. In fact, less than 4% of the cyber claims we see at CFC are as a result of any third-party or regulatory action being brought forth, and that figure rings true even for our neighbours south of the border, which arguably has a much more litigious class action culture. What is interesting to note in recent months, however, is how privacy laws have interacted with newer variants of ransomware that exfiltrate sensitive data to entice companies to pay their demands. Ransomware was always considered a severity-driven event long before data exfiltration, and it’s easy to see why when you add up the business interruption costs for loss of profits per day and re-creating potentially sophisticated and complex networks completely from scratch – not to mention paying the demand itself, which some companies have little choice but to do without appropriate backups. Now, with confidential data at stake, it’s brought in implications for having to conduct due diligence to determine whether data was viewed or exfiltrated by the criminals. As a result, businesses could have to bring in costly legal services to draft and issue appropriate notification to customers in accordance with privacy guidelines. The impact we’re seeing on policyholders as a result is very rarely fines and penalties, if ever – but very much so the reputational damage from their customers no longer wanting to do business with them as a result of the notification, something that cyber insurance policies are able to provide a solution for.

Greg Markell: It’s important to note that Canada was one of the first countries in the world to have federal legislation on mandatory notification for cyber/privacy breaches. That legislation gained royal assent in June 2015 under a Conservative government and took effect on November 1, 2018, under a Liberal government. We’ve now had these laws in place for nearly two years, and we are already lagging behind other countries. GDPR is very protective of EU citizens’ data privacy rights, and corporations can face major fines – up to 4% of global revenue – if they aren’t careful. Under PIPEDA, the Office of the Privacy Commissioner [OPC] can apply fines and penalties of up to $100k for a failure to report the circumstance in the event that it involves information that could cause a ‘real risk of significant harm’ to the affected individuals. So, our mandatory reporting gives guidance on when organizations need to report and what they need to do after a breach. Since our legislation really doesn’t provide guidance on what companies should do at a minimum, there really isn’t a minimum standard for Canadian companies to follow. As a result, there is still a fair amount of cyber apathy in the Canadian context. Our broker partners hear it all the time: “I’m too small to be a target,” “Our IT folks have it under control” and “That will never happen to us.” The reality is that smaller organizations don’t have the same budget to spend on advanced security controls. The bulk of Canadian businesses are small – 97.9%, according to the latest census data. With little guidance on what acceptable protective measures to take are, small businesses in Canada take on a lot more risk – arguably, unknowingly – when they provide those answers. Further, the way our legislation addresses the regulatory fines and penalties, up to $100k, can have a much greater impact on a small business than even a mid-sized business. A fine of $100k for a 12-person manufacturing business is going to have a much more material impact to the solvency of that business than a $100k fine against a Facebook, Google or Apple. So, small businesses in Canada should be aware that this legislation is really suggesting that they take this seriously or face the consequences. Again, insurance isn’t a solution to security problems. Many organizations might not be ready to buy a policy. However, a major selling point for SMEs with respect to insurance is that a policy can really help crystallize and organize a company’s response to an incident. What a company does out of the gate can make a real difference in terms of how they appear in front of the regulator. What they do before from a best-efforts perspective related to data security is going to also be a major determinant. A cyber application can be a nice – and free – benchmarking exercise for an organization. These incidents happen every day to Canadian companies. A quick check on the provincial OPC websites can provide some insight into how frequently these issues arise. So, yes, the legislation has had an impact in a similar way that COVID has – awareness is up. Ridge Canada is here to help in having meaningful cyber risk management conversations with our broker partners about risks of all sizes.

PIPEDA AT A GLANCE
Organizations covered by Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) must obtain an individual’s consent when they collect, use or disclose that individual’s personal information.
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual.
Personal information must be protected by appropriate safeguards.
People have the right to access their personal information held by an organization and to challenge its accuracy.
Personal information can only be used for the purposes for which it was collected. If an organization wants to use it for another purpose, it must obtain consent again.
Source: Office of the Privacy Commissioner of Canada