Canadian Underwriter

Managing cyber risks more than just IT: p&c conference


March 9, 2015   by Jason Contant, Online Editor



Managing cyber risk in brokerages is really about managing people, not just IT issues, said two speakers at Insurance Canada’s 13th Annual P&C Insurance Technology Conference in downtown Toronto on Monday.

“Cyber risk is an IT risk – this is a myth,” said Jad McGregor, president of Abex Insurance, during the Brokers and Cyber Risk session. Noting that a firm’s IT department is sometimes solely responsible for cyber risk without any oversight, McGregor said that cyber risk is “not an IT risk, it’s an enterprise risk. It involves people and technology.”

Any firm that uses the Internet to conduct business has cyber risk exposure. For brokerages, online banking and wire transfers are major exposure risks.

If a brokerage is not addressing people in its cyber risk management plan, it is ignoring one of the firm’s largest and most fluid exposures, added Serge Solski, director of security awareness programs at Waterloo Security Ltd. McGregor agreed, using the example of an employee who clicks on a fake email from Canada Post stating that a package has been delayed and instead opens up a virus inside the company’s firewall.


“One of the critical elements in developing a sound cyber strategy for clients is, what is the education platform for your people?” McGregor asked, adding that employees are often “the ones that create the real vulnerability. It’s about educating people to not click on that stuff.”


Part of the problem, Solski added, is that people sometimes don’t understand cyber risks, despite the fact that everybody is using the same Internet and exposed to the same online threats. “Imagine what your reputation is as a risk manager, or somebody who is there to help clients manage their risk, and you’re victimized by that,” he said. “What’s your business going to look like post-breach? What’s your reputation going to be if there is a breach and it becomes aware that you were the source of a breach or you’re offline and can’t take requests from clients?”

Consider the massive data breach involving Target in December 2013, which was caused by a small plumbing contractor. “They were named as the cause of the Target breach,” McGregor said. “So here’s a company that had nothing to do with the business operations of Target, but they were connected to them because they were a vendor. That’s where the vulnerability existed.”

To counter cyber risks, Solski recommended that brokerages — which can collect driver licence information or health card information if dealing with bodily injury claims — hire a professional to talk to staff about how similar businesses are being affected. “Then that lightbulb comes on. When your client’s lightbulb comes on, you’re the one that actually helped turn it on and they’re going to come to you for information. You want to be the person to handle that phone call, because someone else will,” he warned.

“Effective cyber risk management is an insurance,” Solski concluded. “How do you quantify future loss when your reputation is in tatters?”

