May 1, 2015 by Peter Hohman, President and Chief Executive Officer, Insurance Institute of Canada
Cyberspace is a risky place to be right now – a breeding ground for identity thieves, extortionists and fraudsters to steal valuable information from people and companies and sell it for profit.
Media headlines are near-daily reminders that managing cyber risk has emerged as a major issue for Canadian property and casualty insurance companies and the clients they protect. But the exposures are not fully known and change very quickly.
What can the Canadian p&c insurance industry do to bolster its resilience to cyber attacks? How can insurance organizations make sure that their clients are protected?
The Insurance Institute of Canada’s seminal report on cyber risk, prepared by Paul Kovacs, founder and executive director of the Institute for Catastrophic Loss Reduction and president and chief executive officer of the Property and Casualty Insurance Compensation Corporation, makes a number of recommendations specifically targeting Canadian p&c insurance organizations.
Cyber Risks: Implications for the Insurance Industry in Canada surveys the most common forms of cyber attacks, who the criminals are and what they are after, the type and scope of cyber losses, and why the losses are expected to get worse, including catastrophic scenarios in which criminals knock out the power grid via cyberspace.
The report provides a number of specific recommendations to help Canadian p&c insurance organizations bolster their resilience to cyber attacks, including encouraging organizations to do the following:
• appoint a senior executive to develop and implement a comprehensive plan to manage and reduce the long-term consequences of cyber risks;
• identify the consumer information and corporate knowledge that matters most, and then direct the highest protection effort to shield these critical assets; and
• build a corporate culture of cyber security that includes actions to address technological threats and security training for employees.
PROTECTING THE INDUSTRY
“I think the research report is absolutely needed,” says Serge Solski, vice president of business development at Watsec, which provides consulting services to insurance and other businesses on cyber risk.
“The more people who can talk about this, the better. When people say things like, ‘I’m too small,’ or ‘I’m in a small town, they are not going to look for me,’ well, we’re in one big town and it’s called the Internet,” Solski advises.
“It doesn’t matter what size you are, cyber criminals don’t care. This is a global problem. No one is safe from it based on geography,” he contends.
“About one in five small businesses will be hit. We focus on small and medium-sized business for this reason: 60% of them who are hit won’t be around after six months. They will be bankrupt or in financial ruin. That’s a pretty severe risk to be taking with your eyes closed,” Solski cautions.
Offering a brief history of how Canadian p&c insurance organizations have shifted their approach to cyber security over time, the report notes that in the early days, for example, “information technology professionals managed the detection, response and threat of cyber attacks,” adding that “technology experts managed the threat that technology might disrupt corporate activity.”
But the characteristics of cyber threats changed, as did the way Canadian insurance organizations managed the risk. Casual hackers sending infectious worms and viruses gave way to more sophisticated security attacks by cyber criminals seeking to steal or destroy personal data and corporate information. In response, the report notes p&c insurance companies “developed an approach that combined the expertise of security specialists and information technology experts.”
The emergence of enterprise risk management (ERM) means several insurance organizations no longer manage cyber risk in a vacuum. Cyber risks are assessed in relation to all of the other risks facing the p&c organization. “This integration supports a better evaluation of the resources that should be devoted to detecting and mitigating the consequences of attacks,” the report states.
RESOURCES TO PROTECT INSURANCE ORGANIZATIONS
The report lists a variety of resources to help Canadian p&c insurance organizations assess their exposure to cyber threats, including the Cyber Security Self-Assessment Guidance, issued in October 2013 by the Office of the Superintendent of Financial Institutions (OSFI).
OSFI’s guidance includes 89 questions that probe whether or not Canadian p&c organizations have an adequate cyber security framework. The self-assessment template lists desirable properties and characteristics of cyber security practices that could be considered by insurance and other financial institutions when assessing the adequacy of their own cyber security frameworks.
It encourages organizations to assess if their structures are capable of managing cyber risk not just from IT, technical or risk control points of view, but also from a broader ERM perspective.
All federally regulated financial institutions “are encouraged to reflect the current state of cyber security practices in their assessments rather than their target state, and consider cyber security practices on an enterprise-wide basis,” OSFI points out.
“Attackers realize that technology is very, very difficult to crack now, so now everything is just coming through social engineering,” explains Solski, who observed that the cyber attack on Target was not an IT issue but a business-practice issue: external contractors were given privileged access to the company’s network, where sensitive financial information was stored. A broader risk management approach would have highlighted that arrangement as a potential exposure, he contends.
“If you’re not addressing your people problem, you’re not addressing cyber risk,” Solski argues. “People are your number 1 exposure. They’re the ones that cannot be patched by technology.”
PROTECTING CLIENTS AGAINST RISK
“There is considerable scope for insurance to penetrate into new fields of cyber security,” the report states. The global cost of cyber crime in 2013 was between $375 billion and $575 billion, comparable to the worldwide damage resulting from vehicle collisions ($518 billion), the report adds.
But whereas global auto insurance premiums exceed international estimates of vehicle collision damage, global cyber insurance premiums are less than one half of one per cent of the estimated cost of cyber crime.
Cyber risk can be seen as a business opportunity for insurers, since many cyber risks are not insured.
As the report notes, insurers have been very successful in breach and identity theft coverage, but barriers remain to expanding coverage into other areas, such as the theft of trade secrets and accumulated risk associated with a catastrophic cyber incident.
The report explores what needs to be done to remove these barriers so that protection for clients can be comprehensive in scope.
A RISK EDUCATION
Cyber Risks: Implications for the Insurance Industry in Canada makes several recommendations to help Canadian property and casualty insurance organizations provide solutions for cyber risks in Canada. Among them, it proposes that the industry engage in future public policy discussions about cyber security.
Participating in public discussions about emerging risks requires that risk professionals be educated and well-informed about different aspects of insurance and risk transfer.
To this end, the Insurance Institute is introducing a number of new measures to keep insurance professionals’ knowledge of emerging risks current and relevant, including a new series of Emerging Issues Research Reports (of which the cyber report is the first to be released) and a new, three-course Risk Management Certificate, meant to provide industry professionals with the tools and knowledge they need to help create comprehensive risk management strategies for their clients.
Successful completion of the three courses – Risk Management Principles and Practices, Risk Assessment and Treatment, and Risk Financing – will qualify individuals to take the exams leading to the Canadian Risk Management (CRM) designation.