Top cyber concerns for Canadian business leaders

Business leaders in Canada are concerned about cyber extortion and social engineering fraud, such as business email compromise (BEC) and email account compromise (EAC), Aon reported.

“The last year has seen a tremendous increase in cyber-related claims in Canada,” said Brian Rosenbaum, national cyber leader at Aon in Canada. “The majority of these claims are cyber fraud claims, which include business email compromise, push payment fraud, and cyber extortion.

“In speaking with clients and prospects, cyber risks have become very real,” Rosenbaum said. “There are very few who have not experienced an attempted cyber crime of some nature. Organizations are taking these risks seriously, which has made risk mitigation and risk transfer discussions easier.”

Rosenbaum made his comments last week, when Aon plc released its 2020 Cyber Security Risk Report, Solving the Cyber Puzzle: The Unexpected Ways Cyber Risk Impacts Your Business. This year’s report focused on six “less-appreciated” and often-overlooked areas:

• Intellectual property
• Mergers and acquisitions
• Retirement plans
• Executives
• Computer crime
• The corporation itself.

In Canada, business leaders are concerned about many of the same risks as outlined in the report, particularly cyber extortion and social engineering fraud, Aon said.

Risk transfer via insurance is available, yet it can be a challenge to know which coverage is intended to indemnify for what type of digital loss, the commercial brokerage noted. Generally, crime covers theft of money or securities and can be expanded to cover BEC/EAC financial loss via a social engineering endorsement. Cyber insurance is available to cover breach-related expenses arising out of a cyber extortion, including the ransom demand, computer forensics costs and associated costs of that as well (such as liability costs, regulatory fines and penalties where insurable, as well as the costs of notification, public relations and credit monitoring).

For Canadian companies, cyber extortion continues to be a major concern, Aon said, noting that globally ransomware is one of the fastest growing forms of cybercrime. “In the last year, ransomware attacks have impacted both publicly traded and private companies of all sizes and across all sectors, resulting in losses in the millions. These types of attacks will not only undoubtedly continue, but will also evolve in terms of sophistication and level of maliciousness,” the report said.

Social engineering has also become an area of growing worry. Increasingly sophisticated and widespread social engineering schemes represent a significant risk for organizations and directors and officers. Any type of corporation can be the target of these types of scams, ranging from large corporations and tech companies to small businesses and non-profit organizations, often with their C-level executives being a specific focus. Losses from such schemes are costly and have created a demand for insurance solutions that can effectively mitigate the risk.

Related: How cyber threats grew from afterthought to top global concern

Insurance is available to help executives mitigate the impact of identity theft, BEC losses and ransomware attacks. While cyber insurance is available to protect the corporation against liability and financial loss arising out of a breach of corporate networks, executives may want to add a layer of personal cyber insurance protection outside the corporate veil, the report recommended. Personal cybersecurity insurance coverage continues to be an evolving area that companies should contemplate for their board, executives and employees, Aon said.

To help identify vulnerabilities and provide a path to pinpointing an organization’s risk, the brokerage recommends a proactive cyber security and fraud risk assessment, combined with a gap analysis. Aon recommends “painstakingly” exploring the following questions:

• Does the organization have a procedure in place to verify new customers prior to initiating any financial transaction?
• How are fund transfer instructions accepted? (phone, fax, email, text, or other similar method)
• For vendors, how does the organization confirm requested changes to contracts or banking details? Are change confirmations sent, and if so, to whom and via what method?