January 7, 2019 by Greg Meckbach, Associate Editor
Looking for commercial clients who need cyber insurance?
Try contacting asset managers or companies that manage people’s money.
Asset management firms have “highly sensitive, private and proprietary financial information” on their customers, says Thomas Davies, associate partner for cyber security at EY Canada.
This makes asset managers particularly susceptible to various forms of cyber-attacks, including a method known as “spear-phishing.”
Sunny Mann, a legal counsel and compliance officer of 18 Asset Management, notes an example of spear-phishing in a recent blog. She reports talking to a compliance officer whose asset management firm received an email from a client requesting a transfer of a large amount of cash into another investment opportunity. As a precaution, the firm’s compliance officer called the client to inquire about the email. It turned out the investment opportunity was fictitious, and the client had not requested that money be withdrawn from his account.
The client’s email account had been hacked.
The issue of cyber security for asset managers is on KPMG Canada’s radar. In a recent survey of asset managers, KPMG asked respondents (including those who worked for mutual fund companies) how they plan to address cyber security. Survey participants were asked to select from eight different answers, one of which was buying cyber insurance.
More than half (55%) of respondents told KPMG that they planned to buy cyber insurance.
Several cyber incidents over the past year, including some in Canada, have been well-publicized, says James Loewen, KPMG Canada’s national sector leader for asset management. A 2016 cyber security report by Accenture found that financial services firms each face an average of 85 data breaches per year.
Managers at asset management firms “are very worried about reputation,” Loewen says.
EY’s Davies makes similar observations about asset management firms. “The risks they face if data is breached can be devastating. They leave lasting reputational damage if not addressed proactively, continuously and transparently, with buy-in and support from the most senior executives of the organization.”
With a cyber breach, an organization faces liability risk. Not only could it be sued by someone whose privacy was compromised, but it could also face fines and penalties.
“There is an obligation on the organization to mitigate not only potential damages or harm to themselves, but also those whose information was compromised,” privacy lawyer Imran Ahmad, a Toronto-based partner with Miller Thomson LLP, says. “Simply offering credit monitoring, although a good step, is typically not sufficient. What you need is some level of urgency in communicating with those affected individuals.”
This became even more important on Nov. 1, when Canada’s mandatory breach notification regulations took effect. The Digital Privacy Act, passed into law in 2015, requires companies to report data breaches if there is a “real risk of significant harm.”
Harm could include identity theft, damage to reputation or relationships and even humiliation, as law firm Fasken Martineau notes. Breaches will have to be reported both to the federal privacy commissioner and to the affected individuals, unless notification is prohibited by law.
Ryan Berger, who heads Norton Rose Fulbright’s Canadian privacy and cyber security team, told the Canadian Press that a major motivation for businesses to obtain cyber cover is the risk of being sued by those harmed by a privacy breach. Two of Canada’s largest banks were the targets of cyber-attacks earlier this year. Both the Bank of Montreal and the Canadian Imperial Bank of Commerce’s Simplii online banking arm warned this past May that “fraudsters” may have accessed certain personal and financial information of up to 90,000 customers. Simplii was known as PC Financial until 2017, when Loblaw Companies Ltd. (which owns the President’s Choice brand) ended its consumer banking relationship with CIBC.
Mandatory breach notification will likely result in a “significant increase in litigation,” Ahmad says. “You see what happens in the U.S. Anyone can go on the Attorney General’s website of any state. They will see the breach that’s occurred – and class action lawyers, media, and other people see that notice – and it just leads to litigation right away. I expect you are going to see more of that in Canada.”
The new breach notifications required under the Personal Information Protection and Electronic Documents Act (PIPEDA) will raise awareness, but “a lot of organizations in Canada don’t realize that these new rules are going to apply to them,” Berger told CP.
Canada’s large banks “have certainly engaged in seeking cyber insurance and are actively reviewing if they have adequately transferred some of the financial impact,” Davies says. “The rest of the financial services industry is largely still adding a cyber component to their overall insurance policy.”