Sight on Cyber

If one is in the Canadian property and casualty insurance industry, it seems there is no getting away from talk of flood – or cyber.

And while some encouraging, concrete developments are unfolding with regard to the former – insurers starting to offer “overland” flood cover and modelling improvements – progress on the latter seems more sedate.

Everyone agrees cyber risk is a potentially very bad (and costly) deal for companies that fall victim. But while flood offers a clear example of harm that can be done – making it more about how to offer coverage – cyber is still a moving target.

A recent report from PwC Canada notes that while 88% of private companies polled agreed or strongly agreed cyber security is an important issue for their organizations, their companies are in the dark about what they need to do and where their vulnerabilities lie. “Investing in cyber security will pale in comparison to the costs associated with being in the middle of a large-scale breach,” David Craig, leader of PwC’s Risk Assurance Services Cyber Security and Privacy Practice, said at the time.

The moving target makes it difficult to get a sight on the “true” risk and makes it even more difficult to persuade customers and clients that current cover, if available, will do what is expected.

Not knowing also makes it tough to build a mindset of protection beyond initial knee-jerk responses.

Trustwave notes in a new report that 86 days was the median length it took to detect a breach, and the median length of a breach (from intrusion to containment) was 111 days.

That sounds bad and, frankly, it is. A lot of harm can be done while no one is watching. On the plus side, the median has dropped by three days from 2013.

But how long it takes to identify a problem is a big part of the losses that could result. Ponemon Institute recently reported the average consolidated total cost of a data breach in Canada, based on costs incurred by 21 Canadian companies from 11 different industry sectors, was $5.32 million.

The study identified three major reasons why costs keep climbing: cyber attacks are increasing both in frequency and the cost required to resolve the issues; the financial consequences of losing customers in the aftermath of a breach; and more companies are incurring higher costs in forensic and investigative activities, assessments and crisis team management.

Despite the numbers, some mind-boggling things are continuing. For example, the Trustwave survey found 28% of breaches resulted from weak passwords and another 28% from weak remote access security. These are things that can be addressed with just a bit of care – and education – and should be considered a bare minimum.

“The key to successfully mitigating the impact of a cyber breach – or even preventing one in the first place – is knowledge,” says Rick Roberts, president of RIMS, the risk management society.

Learning is continuing, true, but has a way to go. A new RIMS survey of risk professionals in the United States shows 74% of those polled who do not have cyber insurance are considering buying it within two years to help protect their organizations. The survey found just 51% of respondents purchased stand-alone cyber insurance policies, with 58% carrying less than US$20 million in cyber coverage.

The need for education is also necessary when it comes to financial commitment.

A survey at this year’s RIMS annual conference by The Hartford Steam Boiler Inspection and Insurance Company, part of Munich Re, found that 55% of the 102 respondents did not believe their company is dedicating enough money or trained and experienced personnel to combatting the latest hacking techniques. Almost 70% of businesses polled had been hacked in the last year.

“Businesses are on high alert, but they can do a lot better. Simply reacting to new threats is not enough. Businesses of all sizes need to anticipate hacking trends and deploy the resources necessary to protect their private or sensitive information,” said Eric Cernak, cyber practice leader for Munich Re.