Canadian Underwriter

Smaller cyber breaches also of concern: NICC speakers


October 2, 2015   by Jason Contant, Online Editor



While high-profile cyber breaches tend to dominate the news headlines, sometimes it’s the smaller ones that are being overlooked, panellists suggested on Thursday at the National Insurance Conference of Canada in Montreal.

Some breaches are only a few thousand records, not millions like other high-profile breaches

Although people tend to look at the large, high-profile breaches, “smaller companies are actually having incidents,” said Phil Baker, president of Creechurch International Underwriters, during a session titled Cyber Risk – Insurance Considerations, adding that his own company was even the target of a “CEO scam” where attackers try to get victims to wire transfer money.

Baker used the example of one company that had three CryptoLocker incidents, costing the company $10,000 each. “Somehow malicious software gets into a network and starts encrypting data,” he explained. “Then you get a ransom note. It’s $10,000 – nobody gets too worked up about it.”

Alice Underwood, EVP, Head of Analytics North America, Willis Re, agreed that most of the cyber breaches that are occurring “are really pretty small. There are a few thousand records, not millions like with the China breach,” she said, referring to the June incident at the United States’ Office of Personnel Management that affected more than 21 million people. “Although there’s been more headline losses, what we have seen in the data is not a major trend in the overall frequency in terms of the breaches occurring,” she said.

Sometimes, it’s not all about identifiable events, Baker added. Rather than an employee stealing one million dollars, “it’s an employee stealing a million dollars over ten years.”

The panel’s moderator, Gary Miller, director, Global Cyber with IT consulting group CGI, said that over the years, hackers were “tolerable because they were looking to create a nuisance to a certain degree.” Cybercriminals were also “tolerable” because organizations could quantify the loss and insure against it. “Now you introduce that next level of threat.”

Miller, who said he’s been in more board-level meetings in the last six months than he has in his entire cybersecurity career, notes that “it is more than ever a global issue of executive concern. The traditional enterprise doesn’t exist anymore. We are in a boundary-less organization.”

Although he said that this was his speculation, Miller believes that “somewhere along the line the government will have a role in protecting organizations that are under attack… such that you’ve got very specialized warfare type capabilities being launched by appropriate agencies to respond to these larger, more sophisticated harmful events.”

While he said that he’s “confident that governments across the world, including Canada, are having very advanced conversations about how to elevate their ability to respond to logical attacks,” the piece that’s missing really is the legislation. “Do they have the right to do so?” Miller asked. “If you are a large oil company and you are under attack beyond your means and you have no ability to defend yourself and that has broad implications on critical infrastructure of that sector, does the government have the mandate to step in and provide the appropriate response? I don’t know that anybody’s solved that right now.”
