July 18, 2018 by Brooke Smith
In September, Equifax was the latest victim caught in a net of global cyberattacks over the past year. As of press time, the Atlanta-based credit reporting agency is indicating that approximately 145.5 million Americans had their data, including Social Security numbers and birthdates, compromised. The company has also said that some 209,000 Americans had their credit card information exposed.
In the U.K., fewer than 400,000 were affected by the breach, according to early reports.
Things were a bit more muddled in Canada, where it was first estimated that as many as 100,000 people had been impacted. Following a forensic investigation of the breach, it was revealed on Oct. 2 that only 8,000 Canadians had had their personal information—which may have included credit card numbers—compromised.
Hackers gained access to Equifax’s files through Apache Struts 2, an open-source framework used for developing Java applications.
In March of this year, the United States Computer Emergency Readiness Team reported a vulnerability in Apache Struts 2, but it was later revealed that Equifax failed to patch the system. As a result, hackers were able to access Equifax’s files between May and July.
It wasn’t until July 29 that Equifax’s security team noticed unusual traffic on one of its networks. The Apache Struts software was taken offline on July 30, but by then, of course, the damage had long since been done.
Equifax didn’t disclose the hack until Sept. 7. Less than two weeks later, the company’s shares in the U.S. had fallen by more than 30 per cent. Multiple class action lawsuits were filed, and Richard Smith stepped down as CEO.
“When you’re handling data, you have an exposure. Simple as that,” says Michael Molloy, senior associate broker at Dan Lawrie Insurance Brokers in Hamilton, Ont. “People don’t think they have an exposure because it’s on somebody else’s server or it’s backed up or it’s encrypted. That’s not necessarily true.”
The Equifax breach follows closely on the heels of multiple ransomware (see sidebar) attacks this spring and summer: Petya, which mostly affected systems in the Ukraine; NotPetya, which masqueraded as the Petya ransomware; and WannaCry, which was reported to have infected more than 230,000 computers, including those belonging to the U.K.’s National Health Service.
According to U.K. insurer CFC Underwriting, another attack of WannaCry or Petya—or a combination of both—could cost cyber insurers about $2.5 billion. It’s no wonder, then, that cyber security was one of the top risks for insurers in KPMG’s 2016 Canadian Insurance Industry Opportunities & Risks Survey.
While ransomware such as WannaCry and Petya may be a hot topic these days, Molloy says where people are really losing money is through social engineering fraud.
“We’ve seen losses as high as $100,000 where people have transferred money to the wrong account because they got a notification that their supplier’s banking had changed,” he says.
But cyber security isn’t just about exercising caution. The Equifax case has proven that even the largest of companies can be victimized by massive security breaches, which makes cyber insurance all the more crucial, according to Lindsey Nelson, international cyber team leader with CFC Underwriting in London, England.
“We’re really trying to educate the broker community in terms of recognizing that cyber security is really a two-pronged approach,” Nelson says. “While you may have cyber security risk management practices in place, having an insurance policy will give clients a level of comfort if the worst were to occur,” she says.
However, cyber insurance can be a hard sell. Some companies just aren’t interested in coverage.
“If I used all my efforts in the world to educate the client and said, ‘I recommend this,’ they still don’t have to buy it,” says Chris Bevan, partner with Kennedy Insurance in North Bay, Ont.
Other companies are simply reactive when it comes to cyber threats.
“My experience is it’s not something people think about until it happens to them. They don’t appreciate it,” says Chris Westrop, commercial department manager with Park Insurance in Burnaby, B.C.
“They think, ‘I’ve got anti-virus software. I don’t open weird emails,’ ” Westrop continues. “The scary thing about the Internet is you click on one link and you’re going down a rabbit hole and you don’t necessarily know where it’s going to end up.”
Cost can also be a deterrent. The pricing of cyber insurance may be prohibitive to some clients, Bevan adds, noting that a stand-alone cyber liability quote could be marginally less or about the same price as a business’s other insurance.
“[Clients] start doing the mental math [and think] I’m paying the same premium for a ‘what if’ on my business,” he says.
Some businesses, however, are more knowledgeable about the risk of breaches.
“They’re right on top of it. And they’re very concerned about it,” says Bevan, who has received an influx of emails about the Equifax breach. “Those clients that are tuned in will always communicate with you about it because they realize this is a growing exposure.”
In 2016, CFC had 450 incidents of cyber crime reported. As of September of this year, the firm has already had 25% to 35% more incidents reported, compared to this time last year.
For its part, specialist insurer Beazley has managed almost 7,000 data incidents of all types and natures across all business sectors. In 2016, the company saw a 300% increase in ransomware attacks from previous years, according to Katherine Keefe, global focus group leader for breach response services with Beazley. She adds that the 2017 numbers will be even higher.
Unfortunately, what was once a “what if” is now more like a question of when.
“A cyber breach is just a matter of when it’s going to happen,” says Cathy Su, assistant department commercial manager with Park Insurance. And size isn’t a factor. “A lot of these hackers now target smaller businesses because they know they don’t necessarily have the resources or the knowledge to prevent it.”
Even insurers aren’t immune. Two years ago, Westrop tried to download an application for an insurance company; his computer contracted a ransomware virus. “[The insurer was] a little embarrassed,” he says. “They had no idea it was there until I told them.”
Education, then, is key. Brokers need to tell their clients and prospective clients about what these viruses can do to them, and their vendors, says Keefe.
“That’s how many of our companies got stung by NotPetya,” she says. “It was a common vendor that many of them used in the healthcare industry that created the exposure.”
In fact, Keefe says, according to Beazley statistics, about 35% of all the data breaches the company manages are executed at the vendor level.
Beazley offers alerts and conducts a number of webinars on cyber crime trends and on the incidents they hear about from clients.
“As much as we hear in the press about the large breaches, the vast majority of incidents and breaches we manage are perpetrated at the employee level,” Keefe says.
That’s where companies can take action and raise awareness through employee training.
“We have a lot of training resources available on our portal,” she continues. “Companies can teach their employees how to spot that phishing email, how to properly dispose of sensitive information, or how to use remote devices in ways that are secure.”
Risk also needs to be top of mind in the discussions brokers have with their clients.
“The physical risks to a business often pale in comparison to the monetary loss resulting from the reputational and legal risks associated with a cyber breach,” Molloy says.
If there’s anything brokers need to emphasize, it’s that no one’s safe.
“Large entities like Equifax have spent a ton of money on cyber security and are still able to be breached because they’re the big targets,” says Bevan. “If you’re a small mom-and-pop shop, or an SME that even has $50 million in revenue…you’re never going to be safe. As a small or medium business, there’s no way that a sophisticated hacker couldn’t find a way, because now the methods are out there.”
Copyright © 2017 Transcontinental Media G.P. This article first appeared in the October 2017 edition of Canadian Insurance Top Broker magazine
This story was originally published by Canadian Insurance Top Broker.