An employee is tricked into clicking on a link that’s loaded with malware. What happens next is every company’s nightmare. There are multiple scenarios. One is that everything locks down immediately, a troll pops up on-screen, and a hacker demands a ransom in order for that company’s systems and data to be unlocked. These days, that ransom demand could be anywhere up to six or seven figures. Another scenario is that nothing obvious happens right away. The bad actor sneaks into the company’s systems and fishes around for months, building up a profile of that organization before exploiting it and hitting it with a maximum pain punch.
As soon as a breach is detected, whether it’s immediate or delayed, speed in response is paramount. There’s really no option of sitting back and waiting to see how a breach plays out. Unfortunately, hackers aren’t willing to allow their victims that luxury. Therefore, breached firms must tackle everything at once, from unlocking systems if they’re down, to carrying out forensic investigations, to facilitating bitcoin negotiation if the incident involves ransomware, to crisis management, and, of course, to breach notification.
Canadian companies are subject to mandatory breach notification regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA). The Act defines “breach of security safeguards” as either a loss, unauthorized access or disclosure of personal identifiable information resulting from a breach of a company’s systems. It contains stringent notification guidelines and harsh penalties for firms that break the rules.
“PIPEDA has required Canadian companies to think about cyber security and data privacy. It has made them be more proactive in their planning and their processes to the extent that they’re now required to notify individuals of a breach by law,” said Marcello Antonucci, global claims team leader – cyber & tech, Beazley. “We’ve long identified Canada as fit for cyber insurance growth. The regulatory scheme they’ve had in place for some time is forcing companies to be compliant, and from a breach perspective, to notify individuals. Canada also has businesses that want to do the right thing and see it as a reputational advantage to get ahead of privacy and cyber issues.
“Companies in Canada, like all parts of the world, are threatened by data breach, cyber extortion and disruptive events. The threats and the publicity of the threats have driven submission to business, so we’re seeing growth in Canada across all verticals, moving from traditional retail and financial institutions to manufacturing and construction. We’re also seeing uptake not only from the largest companies who have thought about cyber security for a long time before there were laws like PIPEDA, to the smaller companies who may actually need cyber insurance to help in their balance sheet protection.”
When up against an ever-evolving cyber risk landscape, with particularly concerning trends around ransomware and cyber extortion, companies’ information security hygiene is key, according to Antonucci. Best-practice cyber risk mitigation includes things like ensuring good credential maintenance, strong messaging from management, multi-layer authentication, patch maintenance, and so on.
“At Beazley, we believe disaster recovery and business continuity are the new breach response,” Antonucci added. “How are companies going to be resilient? How are they going to get back up and running? How are they going to move their products around? How are they going to communicate with the world when everybody knows they’re down and they don’t have any time to manage that message? And, how are they going to liaise with different stakeholders to ensure they’re responding in the best possible way? That’s where insurance brokers and the insurance community can really help to educate folks and connect them with experts who can test their plans. In some ways, all we can control is our clients’ planning and their testing processes.”
