Some businesses still do not believe they will be/could be a cyber target: panel

A persistent hurdle to getting businesses in Canada to buy cyber insurance and truly understand the protection that coverage can provide revolves around denial, particularly for smaller firms, Andrew Bourne, a partner and forensic accountant with BDO Canada, suggested during a panel discussion in Toronto Monday.

“When you go to a manufacturing client or you go to a smaller-time client that’s not a Target or a Home Depot, they look at you and say, ‘It’s not going to happen to me.’ I’m not dealing with millions and millions and millions of credit cards on a daily basis,” Bourne said at the 3rd annual Insurance-Canada.ca executive forum.

“One of the issues in the industry, in my view, is it is going to happen to them. It’s not just about the Targets and the Home Depots,” he told attendees.

Eileen Greene, vice president and partner for Hub International, agreed clients need more convincing. “The challenges that I’m seeing with our clients is understanding that it is an exposure and it’s real,” Greene emphasized.

Bourne presented a hypothetical example of a company whose stock took a big hit, whose board members were sued and that, ultimately, had to shut down after the CEO company made some ill-advised comments that attracted a hacker attack. Many costs were incurred, including around detection and remediation.

In the real world, though, costs and apprehensiveness are likely to be part of the mix following a cyber breach. “From an IT perspective, when you have a cyber breach, they actually have to go in and figure out the problem. They don’t walk into a basement that’s five feet full of water; they look at a server and say, ‘Where is it?’ They have to detect it and they have to remediate it,” he said.

“From a cyber breach perspective, I go into work, I log into my email, and I don’t know whether that worm is still there or not. It costs a significant amount of money upfront in professional fees,” Bourne told forum attendees.

Cyber potential is transforming risks, he suggested. For example, in mining where autonomous or remote-controlled vehicles are already being used, what happens if a hacker steals or hijacks the vehicle and wreaks havoc on the facility? “It’s interesting to think about the emerging trends of how we’re doing business, and how we’re managing manufacturing [that] is leading to bigger risks on the cyber side,” Bourne noted.

He also pointed to the recent study detailing the effects of a hypothetical attack on the U.S. electrical grid – released jointly by the Cambridge Centre for Risk Studies and Lloyd’s of London – which found the worst-case scenario could result in a US$1 trillion hit to the U.S. economy.

“This is a new risk that we haven’t been thinking about in the last couple of years, Bourne noted at the forum. While something like a hurricane can certainly be costly on all levels, he said it is fairly localized. As in the electrical grid study, a cyber breach that affects 15 states is “a whole other risk that people have to be aware of that will impact all sorts of different companies, all sorts of different organizations, all sorts of geography.”

And with regard to health care claims in the U.S., Greene noted one of the bigger carriers reported that just 7% of its client base currently purchases cyber insurance. “And of that 7%, there are three claims a day in the U.S.,” she said.

Overall, some of the resistance may stem from the fact that cyber is still a moving target, Greene suggested to attendees. And although there does seem to be more uptake recently and things are evolving, she added that cyber insurance is still a tough sell and has required a change in tack.

If brokers talk about Sony or Target, “they just look at us and day, ‘Well, it’s not us,’” she pointed out. The idea is to bring real-life examples of costs to clients, Greene said, adding that “a lot of these targets are mid-size businesses.”

The “never-going-to-happen-to-me mentality” keeps Greene up at night, she told attendees. As an industry, however, it continues to be challenged “in trying to quantify that and getting them to really recognize that it is real.”

That said, Greene noted there are positive signs. “We’re seeing a lot more calls on it, people are asking about it, we’re presenting to CIOs, CFOs,” she said. “We’re finally getting some Canadian data released, which is making it more meaningful when we are presenting on certain cases,” she said.

“Where we’re getting a lot of uptake is we’re taking it directly to the board,” Greene told forum attendees, suggesting the issue is “right up there with health and safety as a board member.”

Bourne noted it is important for clients to know what a claim might look like and how the insurance is going to work. “That’s a really important way of trying to sell this coverage is making it tangible, because it’s so difficult for a lot of people to understand what this coverage is about and how it will react,” he said.

The worst thing that could happen is a company takes a leap of faith, buys some new coverage, an incident occurs and the insurer informs the client that the breach is not covered, Bourne told attendees.

True, not everything will be covered, he said, “but if they know that in advance, then it’s so much easier to deal with from a claims perspective.”

It is also important to take account of the human element and not think that every breach is the result of a targeted attack, Greene suggested. Citing that about 70% of claims have been linked to human error, she noted that educating companies on how to educate and prevent that human error is important.

“There’s a lot of companies coming out with great services to actually come in and help educate,” she said. “I think that’s something that we should be doing as an industry,” she noted, to ensure being out front before an event even happens.

At her company, for example, it is putting together pre-breach teams so that clients, wherever they are located, understand “from broker to the lawyer to forensics, what has to happen,” Greene said. “The best that we can do is to put in place all of those pieces, so it’s simple and that they know exactly what to do.”

More coverage of the Insurance-Canada.ca Executive Forum

Autonomous vehicle regulation in Ontario will ‘come to fruition,’ MTO official says