Canadian companies continue to be hit by ransomware attacks, according to the Canadian Internet Registration Authority. About one in five of the 2,000 businesses and institutions surveyed by CIRA reported being infected with ransomware in 2017.
For CFC Underwriting, which has been writing cyber since 1999, claims tied to the malicious software are the most frequent incidents the MGA sees and the most extreme, in terms of costs incurred by insureds.
“That is a result not of the actual extortion demands that are paid out to clients, but the resulting business interruption for every time somebody has a day where they can’t generate profit because their systems aren’t able to work and they’re not able to access certain files,” said Lindsey Nelson, international cyber team leader at CFC. “From a severity perspective, that’s one that can go into the hundreds of thousands of dollars and upwards in terms of costs.
“It’s no longer about [having] the best IT systems in place and it’s no longer about waiting for a third party claim to come forth. It’s more about the ransomware incidents, which effectively do the opposite of a cyberattack or a privacy breach. Instead of disclosing a client’s information, it’s encrypting it within their own systems and not allowing any access to it.”
Not to say that other cyber risks have gone away. Social engineering and phishing scams, two other common cyberattacks, are also increasing because of how easy it is to send an email containing a suspicious link that people wilfully click on, or one directing the receiver to transfer a payment into a cyber thief’s account.
“For our policyholders, we’re starting to see a lot of clients that weren’t previously purchasing cyber start to convert into actually purchasing specifically for that coverage because in a lot of cases, it’s not clients that can necessarily hold large amounts of data and that won’t be their concern, like the traditional retail and health care buyers that you see in insurance,” said Nelson. “But, it will be your professional firms and people that are actually dealing with a large amount of cash transactions on a daily basis. This is where the coverage becomes more applicable to them.”
Though the cyber environment is full of risks, it’s not always easy to sell insurance to clients. Nelson recommends insurers focus on the human error aspect, rather than gaps in IT systems, so as not to ruffle any feathers.
“We get a lot of objections from clients who say, we have the best IT systems in place, we don’t actually need a cyber policy, and you can get quite a hostile reaction from a CISO or somebody in the IT department that you’re trying to sell a cyber policy to because it’s effectively saying, the IT department isn’t good enough and here’s a cyber policy to help mitigate some of your exposures,” she explained. “It’s really helpful playing on the human error element of cyber versus whether the IT systems are good or bad.”
After all, even by implementing cyber policies, it’s hard to control for the stray employee who might leave a laptop where it shouldn’t be, or transfer funds because they’ve been manipulated by an email.
Regulations, such as GDPR in the UK, have tried to patch up some of the holes that expose companies to cyber risk, but in Canada, regulations still have some room for improvement to get in line with what the rest of the world is doing.
“There was a bill, S-4, that was enacted in June of 2015. We’re still waiting for that to be enforced and hopefully that’s by the end of this year, but until that’s in place, there’s no blanket federal mandatory notification in place in the event that certain information becomes compromised,” said Nelson.
“We shouldn’t wait for that legislation to come into place for insureds to make sure that they’re doing their due diligence and letting their customers know ahead of time that a potential incident has occurred and offering any services that might help mitigate a third-party claim coming forth with that.”