Quarterly Review July 2022

By Naomi Grosman    |    16-minute read

In this issue we are looking at how the p&c insurance community is anticipating, reacting to, and planning for cyber threats targeting their organizations and their clientele.

Cyber Protection

Safety First

A company is deep in contract negotiations. Email exchanges lead to an agreed upon sum of money and a $1.6 million transfer is made to pay for a product.

Thirty days after the payment was made, the seller contacts the buyer claiming the payment was incomplete: “You didn’t pay.”

The buyer responds: “Yes we did.”

Unbeknownst to the two companies a threat actor infiltrated the contract negotiations by sneaking into the email inboxes of the individuals involved — completely undetected.

“All decisions we’ve made have been rooted in how we can look after employees, who are looking after policyholders and brokers.’” - Ady Sharma, Aon

As the emails were sent back and forth the threat actor changed banking details, blocked the seller from sending the proper contract, and managed to get the final, tampered contract signed by both parties.

This is a real-life example of how two companies fell victim to a social engineering cyber breach — the largest social engineering claim Neal Jardine, Global Cyber Risk Intelligence and Claims Director at Boxx Insurance, has dealt with.

“This is how the threat actor received a $1.6 million payment, which wasn’t discovered until 30 days later,” said Jardine. “That’s a very high payout for a social engineering breach but most of them are that simple — the threat actor changes the invoicing details and contacts the victim saying: ‘Don’t forget to pay us.’”

Under the Radar

Some cyber breaches make headlines but the vast majority fly under the radar and are a large risk to small to medium-sized businesses.

Ady Sharma is VP of National Cyber Sales Operations and Ontario BD Leader at Aon. He has worked in the cyber space for nearly a decade.

He said the two most common types of cyber breaches are social engineering, the wrongful transfer of funds due to a change in wiring instructions, and ransomware attacks, where a bad actor infiltrates a company’s IT infrastructure, encrypts data and refuses to give it back until a ransom is paid, often through cryptocurrency like Bitcoin.

And recent data suggest that companies at highest risk of ransomware attacks are much smaller than the headline-grabbing breaches.

“Organizations with under 1,000 employees account for up to 77% of ransomware attacks,” Sharma said, citing data from Covware, a ransomware-case data aggregator.

He said there are two reasons cyber criminals have moved away from high profile targets and toward small and medium sized enterprises.

And they are equally important.

Firstly, small to medium sized enterprises’ cyber security is often lacking, generally due to lack of resources and expertise.

“This makes it easier for bad actors to infiltrate systems,” Sharma said. “It’s not the same payout but it's easier and requires a far lower time investment.”

Secondly, cyber attacks on small to medium sized businesses tend not to attract public attention.

“News outlets want to cover ‘sexy’ breaches like Equifax and Marriott hotel because that’s what people want to read,” Sharma said. “Also, attacking large organizations can in some cases create geopolitical upheaval and criminals realize it’s not worth doing.”

For example, arrests of cybercriminals connected to the Colonial Pipeline ransomware attack of 2021 showed how high profile these cyberattacks can get, he said. The pipeline cyber attack led U.S. President Joe Biden to crack down on cyber security and put pressure on Russia, where the alleged hackers were located.

Getting caught is not in their best interest, he added. These are not just smart criminals, they are business men and women who are ultimately trying to make money, Sharma said. Cyber crime is a very well-operated machine.

Imran Ahmad, Partner at law firm Norton Rose Fulbright Canada, Head of the firm’s Technology practice, and Co-Head of Information Governance, Privacy and Cyber Security, said that in the past, smaller companies without consumer-facing business didn’t see how cyber risk could affect their business operations.

“Companies were lulled into the perception that there was no real risk,” Ahmad said. “Small to medium sized businesses said to themselves ‘Why would I ever get hacked?”

Now with the pervasiveness of cyber attacks it’s clear that a cyber breach can grind businesses to a halt, impacting their ability to operate, he said.

And hackers are constantly changing their technique, Ahmad pointed out.

Social Engineering

In his practice he sees ransomware as the most common mode of attack. But he also sees business email compromise, diverging funds through social engineering.

Boxx Insurance’s Jardine said social engineering breaches are starting to outpace ransomware attacks. While social engineering yields lower payouts than ransomware attacks, social engineering is higher frequency and not as technologically complex — even for people who aren’t tech savvy.

“Social engineering is a growing segment because cyber criminals need smaller, quick turn and burn attacks,” he said. “It is overtaking ransomware, which is high cost, lower frequency. Social engineering is low cost, high frequency.”

He said ransomware payouts can be large, up to $1 million. Social engineering payouts usually range from $100,000 to $150,000. But the payout frequency brings it up to a similar pay off.

It’s just a matter of time until companies see the usefulness of proper cyber security investment.

Regardless of the type of cyber crime being committed, this is big business and companies of all sizes and industries are racing to manage cyber risk , said Imran Ahmad.

In his 20 years of practicing law, he has been focused on cyber and privacy for about 10 years, and is the author of Cybersecurity in Canada: A Guide to Best Practices, Planning, and Management, Canada’s first legal incident preparation and response handbook.

“Over the last 10 years, (cyber security and risk management) used to be an area of interest for companies and breaches may have happened to a few companies,” said Ahmad. “This is now a mainstream issue that everyone is focused on and the investment in cybersecurity, governance and legal has increased in tandem.”

He notes a significant proliferation of laws related to cyber security as well.

Just this past June, the Federal Government introduced bill C-27 which, if passed, will reform Canadian privacy law and replace the Personal Information Protection and Electronic Documents Act (PIPEDA) with the Consumer Privacy Protection Act, among other things.

“This will update privacy laws, including notifying people when there is a breach,” Ahmad said. “These laws bring new powers and higher fines.” He said PIPEDA’s mandatory breach notification did not have significant fines. If passed, this new law could bring fines of percentage of businesses’ global turnover.

Ahmad said with the changing legal environment comes an increased appetite for cyber insurance, and a growth in legal activity.

“Ten years ago, there were maybe three lawyers working in cyber law in my practice,” he said. “At the firm now we have 22 lawyers doing this full-time — practices don’t typically grow that quickly.”

Preparing for Breaches

The majority of Ahmad’s work is in breach coaching. It is less about defending corporations in litigation and more about helping businesses respond effectively when a breach happens, he said.

“Cyber insurance policies give corporations access to expert vendors, including breach coaches, so they are in a much better position to respond to a breach as opposed to figuring it out on their own,” Ahmad said.

He said without access to experts a company can mismanage breaches at great cost, including:
  • Reporting a breach to authorities too soon.
  • Not reporting it soon enough.
  • Responding to a hacker directly — a mistake that can result in further harm.
  • Deleting hacked data and replacing with backups, which can lead to double-extortion because the original vulnerability was never discovered.

“Companies that don’t have the expertise and preparation tend to just ‘wing it,’” Ahmad said. “Companies that have insurance and are prepared are able to respond more effectively.”

He said companies are more aware of the seriousness of cyber risk but they struggle to know what to do with that awareness.

And the cyber insurance market is hardening, making it more difficult for companies to secure proper coverage.

Westland Insurance’s Derek Faulconer said insurers are raising deductibles and premiums and lowering limits.

“Going back 15 years…there was no real concern about cyber risk in the public domain,” he said. “Cyber insurance was a new line of business and didn’t have traction — real hard sell, no real uptake.”

He said over the course of the years it became the fastest selling line of commercial insurance and brokers now tell their clients: a cyber breach is not a matter of “if” but “when.” And businesses are better aware of the risk.

“Over the last two to three insurance cycles we’ve been seeing dramatic (price) increases because there are so many attacks and much larger (ransom) payouts — hackers are getting bolder,” Faulconer said. “Insurers were losing money so now renewals are coming with up to 30 per cent increases.”

Even without a change to their risk profile, insureds can still expect an increase in premium, he said.

Aon’s Ady Sharma said the hard market could impact an organization's ability to get insurance coverage.

He said the policy language isn’t changing, the backbone of cyber policies — which tend to be the same across the market, including first party costs covering out of pocket costs as a result of a cyber attack, and a liability section that will defend against lawsuits or regulatory action — will remain the same.

Cyber insurance availability, however, is shrinking.

“Insurers are focused on companies’ risk profiles, which wasn’t the case before,” Sharma said. “This new behavior will ensure long term sustainability of the cyber insurance product and that was missing before.”

He said while the product price might correct itself, the need for cybersecurity hygiene won’t change.

And there have been some changes to insurers’ cyber security requirements.

“Multi-factor authentication is something that has come up heavily recently which wasn’t a requirement before,” Sharma said. “It’s an added layer of protection when you are logging into a sensitive environment.”

Multi-factor authentication is when users log in to an online account and receive a prompt requiring confirmation that they were attempting a login, often via a unique code.

Sharma said insurance companies also want to see some form of an end point detection and response tool, a type of cyber insurance technology that continually monitors against cyber threats, and are also requesting to see incident response plans, and user awareness training to guard against human error.

Investment Benefits

Neal Jardine of Boxx Insurance said: “You won’t get proper auto insurance if you drive without winter tires — the same goes if you don’t have proper cyber security measures in place.”

He said the reason small to mid-sized businesses don’t have the best security systems is because they are blinded to the investment benefits.

“It’s not enticing to invest in security,” Jardine said. “Companies don’t see the vulnerability and just want to transfer the risk without taking action, but insurers won’t accept that without loss controls.”

He said proper cyber security hygiene includes multi-factor authentication, data backups stored separately and off site, patching old security systems, and firewalls and antivirus.

“Multi-factor authentication is a new standard,” Jardine said. “Companies will need that to secure insurance coverage.”

He said it’s just a matter of time until companies see the usefulness of proper cyber security investment.

“People used to not want to use a seatbelt until its effectiveness was clear,” Jardine said. “The same can be said about cyber security today. Small to mid-sized companies are not seeing its effectiveness — yet.”

He said it is unlikely that the Rogers Communications’ Canada-wide telecommunications outage on July 8, 2022, will influence businesses’ opinions or buying habits of cyber insurance because the company is not declaring it a cyber event.

Rogers said the outage occurred as a result of a “network system failure following a maintenance update” in its core networks.

“It’s bad PR for Rogers to say it was a cyber-related event because people would be concerned about their personal data,” he said. “Because they haven’t declared it a cyber event, businesses' cyber policy for business interruption is unlikely to be triggered.”

Even if it was a cyber event — which would only be a speculation — if no identifiable personal information was hacked, Rogers would not be obligated to notify the public, he added.

“Hypothetically, if all that was stolen was a name and address, that’s information you can find in a phonebook.”

The outage occurred early morning July 8 and wasn’t fully resolved until the following day. There was disruption to emergency services, debit payments, and London-based global internet monitor organization NetBlocks reported that Canadian national connectivity was operating at 75% of its ordinary levels.

Since the event, the Canadian Radio-television and Telecommunications Commission (CRTC) has ordered Rogers to explain in detail what caused last week’s network outage but it remains uncertain whether those findings will be made public, the CBC reported.

Cyber threat for individuals

Cyber Risk -— It’s personal

Canadians are connected.

Ninety-seven per cent of Canadian adults aged 25 to 44 have a smartphone. For a majority, the phone is the last thing they check before going to sleep.

Common household devices can be controlled via smartphones and the internet (often referred to as the Internet of Things (IoT)). Seventy per cent of Canadians aged 18 to 64 own entertainment devices that are controlled via the internet, and 26 per cent of that same cohort owns a smart home device for electricity and lighting.

Individual Canadians lost over $43 million Canadian dollars related to cyber crime in 2019.

Maria Messina, Vice President, Manager, Chubb Canada Personal Risk Services based in Montreal, said people are more dependent on data and its accessibility than ever before.

“Each household has an average of 10 connected devices such as tablets, smart phones, TVs, media players…that number is expected to grow (and) most people store their entire lives on their computers,” she said.

The ubiquity of connectedness has rendered individuals exposed to cyber crimes.

Protection for Connection

“Anyone that uses the internet, computers, or digital media is susceptible to cybercrime,” Messina added.

According to the Canadian Anti-Fraud Centre, individual Canadians lost over $43 million Canadian dollars related to cyber crime in 2019. And that is only from reported cases.

The insurance industry is responding to this personal cyber risk exposure.

“A fully dedicated cyber policy in personal insurance is as new as it can be,” said Jessica Visser, Partnerships and Programs Manager at Boxx Insurance, a Toronto-based Managing General Agent specializing in cyber insurance.

She said many major insurers include cyber endorsements on homeowners insurance. These are common, well-established and widely considered as personal cyber insurance, but it’s missing coverage for key personal cyber risks.

“It doesn’t provide any coverage for the types of cyber events that we see covered in commercial insurance policies that can just as easily happen to an individual,” Visser said.

Commercial cyber policies will generally cover financial losses and third-party liability costs related to a cyber breach.

A cyber endorsement on a home insurance policy generally only covers legal expenses related to identity theft and insureds get access to a lawyer to clear credit issues, get new documents and manage what is needed in the aftermath of identity theft, she said.

Unlike the commonly used endorsements, personal cyber insurance is a dedicated policy that responds to more than just identity theft and legal expenses, she said.

“It truly addresses the risk that everyone now takes when going online.”

And the risks are numerous and impact victims financially and psychologically.

She said, generally speaking, a personal cyber event can result in cost to repair, replace or restore home devices. It can result in direct financial loss caused by identity theft and cyber extortion — someone locking a computer and holding its contents ransom.

She said data can be stolen and corrupted. And then there is cyber bullying — which, depending on the policy, personal cyber insurance addresses by covering potential psychological assessments or services, and in some cases school transfers.

“This is good if you are a parent because kids who do not have life experience tend to emotionally invest in their online status,” Visser said. “Also, the value of personal cyber insurance for seniors is high because our aging population is also more vulnerable to electronic identity theft.”

She said cyber risk exposure is higher for homes using entertainment devices that are controlled via the internet, and smart home devices for electricity and lighting provide unprotected access to home networks. Risk exposure can range from device deactivation on a home security system, camera access and recording, and personal information theft.

Working From Home

According to Statistics Canada between 2016 and 2021 the at-home workforce grew from 5% to 32%. With the rise of work-from-home culture, the distinction between commercial and personal cyber risk is somewhat blurred.

With the rise of work-from-home culture, the distinction between commercial and personal cyber risk is somewhat blurred.

“In working from home, there is a mutual conflict of interest — the personal versus corporate,” Visser said. “Every policy is different, but instinct tells me that personal cyber exposure…on a computer owned by a business but used for personal matters…would not be covered. You would need personal cyber coverage to address a loss of that nature.”

Visser said it’s best practice to not use work computers or phones for personal activity.

But using work electronics for personal matters does happen and it highlights the social responsibility that comes with our interconnectivity, said Neal Jardine, Global Cyber Risk Intelligence and Claims Director at Boxx Insurance.

“If you are working at home and use your work computer to conduct private business, something that involves identifiable, personal information about yourself or others, if you don’t have personal cyber insurance and that information is stolen as a result of your negligence, you could be held liable,” Jardine said.

Chubb’s Maria Messina said the work from home environment has increased the necessity for personal cyber insurance coverage.

“We are always connected and thus vulnerable to cyber attacks because of the rise of social media platforms, online schooling, and smart toys and homes,” she said. “All of these factors are increasing awareness and the need for personal cyber products.”

These personal cyber insurance products are available, but uptake is wanting.

Derek Faulconer, Regional Manager of Markham-based brokerage Westland Insurance Group said the reputation of personal cyber insurance today is where commercial cyber insurance was over a decade ago.

“There are a few providers offering (personal cyber) now but unlike commercial cyber, which is an easy sell now, it’s following the same curve of when we started selling commercial cyber coverage — it’s the same struggle now,” Faulconer said. “Not until people have experienced a loss or know someone who has experienced a loss will they buy the insurance, even if it’s inexpensive. The products are available but there is not a great deal of uptake.”

Boxx Insurance’s Neal Jardine said he expects it will take time for personal cyber to increase in popularity, and that right now human emotion is a factor thwarting its uptake. Same as was the case with commercial cyber in the past — there is an embarrassment factor.

“There is not enough traction yet because the (personal cyber) risk isn’t talked about as much — you’re not talking to your neighbour about your computer being ransomed,” Jardine said.

He said only a few years ago, commercial cyber events were not discussed publicly either.

Understanding Personal Risk

“When threat actors said they were going to tell the media about a breach, companies got scared and were more likely to pay the ransom to keep it under wraps,” Jardine said. “Now it’s not as newsworthy because it happens so much.”

I think personal lines cyber is where commercial lines used to be like, no one wants to tell anyone, and the risk is a dark secret.

Chubb’s Messina said personal cyber insurance uptake will increase in tandem with public education.

She said it’s now considered ‘nice to have’ coverage when it should be viewed as a ‘must have.’

Awareness of personal cyber risk has grown in the last few years,” she said. “Although we have seen our clients’ appetite for personal cyber products increase in the last few years, more public education is needed with respect to the potential risks the public faces every day when it comes to cyberattacks.

Visser expects it will just take time — that the uptake of personal cyber insurance will increase as people better understand the risk.

She said until personal cyber insurance becomes more mainstream, relying on home policy cyber endorsements is unwise. Not only is it inadequate coverage, making a cyber-related claim on a home policy could undermine policyholders’ insurability. 

“Your home insurance policy should not insure something that is not your home,” Visser said. “We know the reason it’s there but the (endorsement) hasn’t evolved with the rest of the market enough to justify its existence.”

“As a broker the last thing I’d allow my client to do would be to prejudice their future insurability on their home policy due to an auxiliary coverage,” she added. “And most people have $1,000 deductible — they are not making a claim for these (events) because it’s either a wash or they are compromising the insurability of their home.”