One of the only certainties when talking about cyber attacks is that they are increasing in frequency and severity.
For many businesses, it’s rapidly becoming a situation of when-not if-a breach that releases the private data of customers or causes a loss of business will happen to them.
Yet, most cyber risks are not insured.
Emily Atkins, Editor
The threats, risks and responses are still largely unexplored territory for Canadian businesses-insurers and potential targets alike-creating plenty of opportunity-and danger-as the environment evolves and knowledge grows.
While cyber attacks are becoming more and more frequent, and high-profile breaches-like Yahoo’s recent revelation that one billion of its users’ data was compromised, or the malicious hack of the cheaters’ website, Ashley Madison (see Sidebar: Recent High Profile Cyber Breaches), gain immediate media attention, these are just the tip of the iceberg.
For every major breach, there are many minor ones that go under the radar, says Jennifer Drake, VP and Legal Consultant in the Legal and Research Practice Group at Aon Canada. “It’s very significant.”
Globally, forecasts say cyber crime costs are going to quadruple between 2015 and 2019. Juniper research has suggested that data breaches will cost US$2.1 trillion by that date, which, it notes, is 2.2 percent of the world’s expected GDP for that year.
The average cost to organizations in Canada was $5.32 million, according to the 2015 Cost of Data Breach Study: Canada by IBM and the Ponemon Institute. They found in their sample of 21 Canadian companies in 11 industry sectors, which had reported a breach of protected personal data and had notified victims, that the average cost per compromised record was $250. The companies in the study lost between 5,199 and 74,550 records, with an average of 20,456.
The largest cost to the breached companies was lost business at an average of $1.99 million per breach, while the cost of notification was the least, at an average of $0.12 million.
And the potential harms don’t stop there. Data breaches can cause business interruption, data and system loss, reputational harm, and loss of the personal data of clients.
Breaches are created by threat actors, which can be anything from a mouse chewing a wire and shorting out a computer system, to the most sophisticated hacking organization.
While a breach can be caused inadvertently by employee error-losing a USB key, or failing to secure passwords for example-it’s becoming more common to face malicious hackers who deliberately attempt to shut companies down, and steal data or money. And it’s the malicious breaches that cost the most.
Getting ahead of the criminals is often very challenging, says Ryan Duquette, Founder and Partner at HEXIGENT Consulting, cyber forensic investigation specialists in Oakville, Ontario.
“They are not some individual hacker sitting in his parent’s basement,” he says. “They are an enterprise. They have HR departments, they have a research and development department, they have customer service department. They run like a business.”
In fact, it’s sometimes not even a criminal organization but a nation state committing the hacks. Ben Ogunleye, Executive General Adjuster, Major & Complex Loss, Canada Cunningham Lindsey, recounts how a client received a knock on the door from CSIS (the Canadian Security Intelligence Service) informing them that their data had been breached by a “foreign actor.” Duquette agrees that this is becoming more common.
The evolution towards more criminal involvement is also upping the ante in terms of the type of attack. “The biggest trend is people coming up with new, diverse routes to get to corporate data,” Duquette says.
Ransom or extortion breaches are rapidly gaining in popularity. Alex Cameron, a partner at Fasken Martineau in Toronto notes thousands of new variants of ransomware have emerged this year alone. “A year ago ransomware was largely assumed to not constitute a privacy breach, simply because the ransomware itself only locked up data. It didn’t access or take any data,” he says. “But the new variants have sometimes got built-in functionality to access and take data.”
“It’s quite easy for a threat actor to either draft up an email with a malicious PDF or do a little bit of social engineering and pretend to be somebody else in the organization and spread ransomware through the organization,” Duquette adds. “It can be very, very lucrative.”
And companies are tempted to pay, which unleashes a whole additional realm of issues.
When a breach occurs
An organization often only learns there’s been a cyber breach when systems stop working. In the case of ransomware or extortion it’s often a message from the hacker that alerts the victim to the loss.
While any cyber breach is an urgent matter, when there’s a loss of personally identifiable data in that breach, action needs to be taken immediately.
As a lawyer, Cameron is often one of the first called in when a breach occurs. “The objective is always to have the call coming to us, if not immediately-which would be the perfect world-then as soon as possible for privilege reasons,” he says. This is to prevent clients from saying or doing anything that might create legal or potential reputational risks.
Canadian legislation does not yet require automatic notification that personal data has been breached, except in health care and Alberta. However, the new Digital Privacy Act (which passed into law in June 2015, amending provisions of the Personal Information Protection and Electronic Documents Act – PIPEDA) is expected to be brought into force in 2017. It will require organizations, as soon as possible, to notify individuals and report to the privacy commissioner any breach that likely creates risk of significant harm to the individual.
Although not mandated, many companies are opting for the notification option, as was the case in the recent hacking incident that affected Ontario’s Casino Rama Resort (see sidebar for details).
With or without the need for notification, a major breach will require a team to respond-there are a lot of bases to be covered-quickly. Lawyers are frequently taking on the role of ‘breach coach’ in these incidents. As Cameron notes, because they are the first to know, it’s logical for them to gather the experts needed to manage the process. These can include other lawyers, outside forensic experts, crisis communications experts, and depending on the circumstances, identity theft and credit monitoring services, and call centre services and notification service providers, if it’s a large incident.
The adjuster’s role
While he sees why the legal profession has staked out this territory, Paul Hancock, Vice President GTS Canada and Toronto Branch Manager with Crawford & Company (Canada) Inc., thinks this is a logical role for independent adjusters as the cyber claims process evolves. “The legal community certainly has a huge role in cyber breaches, and certainly from a privilege standpoint in the investigation of material that comes out of it,” he says. “They can’t be excluded, they are critical to it.”
But at Crawford, Hancock says, the belief is that the independent can do it for a lower rate, because “that’s what we do for a living-we react instantly, we do after hours, we manage large, complex losses, we manage vendors to assist with us, and it’s vendors that you’re going to be dealing with whether it’s the legal community, credit monitoring, IT firms to do the investigation, forensic accounting, all that stuff-it’s managing vendors and that’s what we do for a living.”
Duquette says there will need to be a high level of expertise brought to bear investigating claims. “We’re dealing with digital world where there isn’t always obvious evidence,” he says, noting that investigators will have to be able to not only find the evidence but also contextualize it. “There’s no matrix or checklist that would definitively say ‘here’s what happened, therefore these are the losses or the insurance payout that we’re going to put forward’.”
Like Hancock, he sees the adjusters’ role as one of overseeing the technical experts.
But Cunningham Lindsey’s Ogunleye believes it should be an adjuster’s job. “Any adjuster can do this. I don’t want to make it sound like you have to be a rocket scientist to do cyber claims, I don’t think it’s complicated,” he says. “You just need the right mind to review the policy, and when you investigate to ask the right questions; just go where the evidence leads you.”
An evolving market
But at the moment, adjusters are not getting particularly involved because the claims just aren’t there yet. As Hancock notes, Crawford, in Canada, has handled perhaps 15 or 20 cyber claims in total.
Canada is not alone. At the moment, global premiums for cyber coverage are less than one-half of one percent of the estimated cost of cyber crime. By contrast, auto insurance premiums worldwide exceed international estimates of vehicle collision damage, says Cyber Risks Implications for the Insurance Industry in Canada, a study by The Insurance Institute of Canada.
“The volume is not there yet,” says Ogunleye. “I think you can correlate that to lack of understanding of the product, both from the consumer and brokerage perspective.”
He says that the markets do not yet see the need, and feel that insurers are just trying to sell them something they don’t require. Brokers, he believes, need to gain a better understanding of the product as well: “Communicating to the market is a challenge, because if you really can’t explain it, I don’t think you can sell it,” he adds.
“I would suggest part of it is the coverage aspect,” Hancock says. “The coverage is changing, the limits have been very low, the coverages have been minimal, not broad enough, probably, and both of those factors have a play in how many claims are out there.”
But things are set for a rapid change. In its Global State of Information Security Survey 2016 PwC says the global cyber insurance market will climb to US$7.5 billion in annual sales by 2020, up from $2.5 billion this year.
In Canada, Aon’s Jennifer Drake says more and more companies in all industries and of all sizes are expressing an interest in cyber insurance.
“We’ve seen a huge growth in that area, probably the fastest growing area in insurance right now,” she says. “Growth in our book is more than doubling year over year, in terms of the number of clients purchasing it.”
This is partly due to the growing awareness of cyber breaches, thanks to the high profile incidents that seem to be making the news on a regular basis (see sidebar: Recent High Profile Breaches). It’s also because the industry is adjusting its offerings to match the evolution of cyber crime.
Drake points out that until recently limits were lower, but now insurers are offering full limits on cyber policies. She also points out that, so far, payouts have been primarily (70 percent) for first party costs-the immediate expenses related to recovering from a breach. Third party costs, to cover damages caused by personal data breaches have not caught up, at least partly because courts have frequently denied claims.
Identifying the risk
But as limits continue to rise, Drake says it raises the thorny issue of how to gauge the risk. Looking at the number of employees, location, number of data records, existing security systems don’t really give an accurate picture of the potential for loss.
“The two greatest causes that we see in cyber breaches are the things that it’s hardest for anybody to predict and control, which are the ever-increasing sophistication of hackers and then the human element,” she says. “I think it will take some larger losses in Canada to predict changes in pricing.”
In spite of their growing prevalence and the mounting costs associated with mitigating the damage they cause, cyber breaches still constitute a risk that the industry is trying to come to grips with.
“The question remains,” Drake says. “What are we ultimately underwriting in terms of the potential for loss? That’s the hardest part-to quantify that.”