The menace of cyber incidents didn’t let up in 2018, with data breaches exposing the personal information of 50 million Facebook users, 500,000 Google+ user profiles, and 20,000 Air Canada mobile app users, alongside notable hacks of the Federation of Sovereign Indigenous Nations, a Canadian cryptocurrency exchange, and the town of Midland, Ontario. Nonetheless, 2018 was also a year of regulations, as GDPR in the EU and the Canadian mandatory breach notification rules came into effect, the former of which makes Facebook’s disclosure of the massive breach that much more significant.
“The Facebook breach is pretty large in the amount of individuals that were impacted, and the interesting component of it is it’s a post-GDPR breach, so therefore it’s getting quite a bit of notoriety and not only because of the size of the event, but also because this is one of the events that it will be tested on from the regulatory perspective,” said Adam Cottini, managing director of Gallagher’s cyber liability practice, though the other social media breach was also noteworthy. “[For] the Google event, there were a lot fewer impacted individuals, but one of the interesting items about that event is that it seems to have been something that wasn’t timely notified out [to users], so a lot of individuals are at risk of identity theft.”
The nature of social media profiles means that they provide personally identifiable information about each user, in addition to the geo-locations of individuals and information on their networks of friends. A hacker who gets a chance to see an individual’s entire profile can use it against them by threatening to display the information on a public forum unless a ransom is paid, which Cottini underscored as one of the most notable fears.
Social media is also a critical point of customer contact and marketing for small businesses, which stand to be impacted by these types of breaches.
“The small business community relies on that social media communication to drive their businesses, so if they have used those mechanisms, not only to use the Facebook platform but to other apps that they use, there could be another level of extortion,” said Cottini. “It’s not uncommon for a small business [owner] to use the same password that they’re using at home and putting information on sites – maybe even Salesforce, as a good example of a cloud-based application where that small business is putting a lot of detail. There might be trade secrets within that, there might be all kinds of corporate confidential information that if you used an application that linked itself to Facebook, could in fact expose that small business owner’s trade secrets or intellectual capital to the hacker.”
Back home, the direct cost of breaches in Canada – that is, expenses associated with hiring forensics teams, law firms, or offering identity protection services to victims – is the highest globally at $81 per compromised record, according to IBM’s “2018 Cost of a Data Breach Study,” conducted by the Ponemon Institute. In 2017 alone, Statistics Canada reported that more than one in five of the over 2,500 Canadian businesses surveyed were hit by a cyberattack, and the size of a business doesn’t protect it from being targeted.
“One of the things that we’ve found is that ransomware is rampant and it’s indiscriminate so it’s affecting a lot more businesses than just the big folks,” said Greg Markell, president and CEO of Ridge Canada Cyber Solutions. “As we saw from the NotPetya and the WannaCry incidents, they can have devastating effects on supply chains and have a lasting impact in terms of how they affect businesses. Because it can happen to anyone, it’s one of those things that both large and small businesses need to be aware of, and aware of how they’re going to deal with it.”
No one sector is safe either, though manufacturing continues to be targeted from a social engineering perspective while healthcare companies have to combat privacy-related issues because of the type of personal information they hold, added Markell.
“That said, we’re seeing [cyber insurance] purchasing habits uptick in a number of different sectors – education, healthcare, manufacturing, and professional services. There’s a lot more conversation around those sectors that we’re having [and are] starting to see it translate into an increase in purchasing,” he told Insurance Business. “These attacks are far more visible now and people are actually seeing the impacts that they have. On top of that, with the new legislation bringing in mandatory notification, I think a lot more clients or prospective clients are taking a more serious look at it because of the regulatory pressure that they’re going to be faced with in the event that something does happen.”
Ridge Canada’s broker partners are hearing a lot of questions from clients on how to handle and protect against ransomware and extortion demands, and business interruption costs, which is driving purchasing as well.
“What brokers are starting to realize, too, is that they’re digging into the actual language, so the extensions of coverage are being looked at and they’re being seen to actually provide very little value,” said Markell. “Now, we’re getting into the weeds a little bit more and recognizing that there’s less value because it’s not covering some of the major exposures that clients are asking for.”
Meanwhile, technology adoption, such as the extensive use of IoT devices and automation, goes hand in hand with increased exposure to cyber incidents. In light of this and the mounting bills associated with remedying cyberattacks, Markell outlined some of the key trends brokers need to watch out for as their clients navigate the cyber risk landscape in 2019.
“We’re seeing an uptick in email system compromise, which can be potentially quite devastating and costly to fix,” he said, adding that even if one person’s email gets hacked, it takes time to comb through all of their emails and attachments to find out what can be deemed benign versus sensitive information. “When you look at that and the fact that forensics costs are more expensive than legal on an hourly basis, it can add up very quickly. We’re seeing those types of issues cost more money, and then when you add in the reporting regime that it now accompanies and the potential audit functionality that you’re going to have to comply with – and then to have everything prepared for the Office of the Privacy Commissioner and having to report as soon as possible – I think the cost of the incidents starts to go up.”
Whether it’s a business that’s active on a social media channel or has employees using a business email, it’s clear that commercial insureds and their brokers have to be increasingly savvy on cyber in the coming year.
“The takeaway is that you have to be vigilant on how you use and deploy technology within this business landscape, but then on top of that, the ability to encourage use of insurance is really the outcome of these events,” said Cottini.