Cyberattack hits your company – what if you're to blame?

Industry professionals discuss when it's time to confess…


By David Saric

While no employee wants to be the reason for a potential cyberattack due to an error in judgement, they need to feel empowered and comfortable to report any potential wrongdoings to their superiors.

“There’s a certain stigma or shame in admitting that you may have accidentally clicked a malicious link or that certain events are occurring at an employee’s expense,” said Matthew Benaim, Sompo’s AVP of cyber and professional lines.

“If we think that we have made a mistake, the instinct isn’t to tell everybody, but rather to deal with it ourselves, or maybe tell one person at the office.”

However, when it comes to cyberattacks, response time is absolutely crucial in being able to rectify a situation without any catastrophic outcomes — every second counts.

“Of course, when you are in the midst of an event, stress can certainly impact an individual’s thought process,” Benaim said.

“But we need to arm our employees with the knowledge or training on how to respond in the event of an attack or breach and create a culture where reporting an incident is not a bad thing at all.”

“I think humanizing our communication with our employees, colleagues and with our clients is really the next wave of what we’re going to see as it relates to how companies are insured,” added Jenna Fraser, BFL Canada’s VP of financial and professional services.

Benaim and Fraser were joined by Liberty Mutual’s AVP of cyber, technology and mobility, Brandon Middleton, during a breakout session at this year’s NetDiligence Toronto conference entitled, “The Human Element vs. Focus on Security Vulnerabilities”.

During the conversation, the three discussed how advancements in technology are outpacing response efforts and why underwriting needs greater involvement from insureds to better understand risk.

Staying vigilant as technology gets more advanced

Middleton pointed out that, with generative AI and deepfake technology, it is becoming increasingly difficult to distinguish between what is real and what is false.

This is especially important as it has been found that 95% of cyber breaches are attributable to human error, per NetDiligence’s recent cyber claims report.

“We’re seeing more realistic attempts at phishing emails with more detailed and conversational language involved,” he said.

“I also read that it only takes about three minutes of audio of someone to be able to use AI to generate a pretty convincing version of their voice, which can be used to make Teams or other calls.”

Responding to Middleton’s concerns, Benaim noted how “the training and strategy around addressing AI and sophisticated attacks isn’t keeping up with the advancement of technology.”

However, with the current state of technology, there are certain things to keep an eye out for.

“Deepfakes don’t render hands very well, images can be blurred and words in the video may appear misspelt or like complete gibberish,” Benaim said.

Another safety control Middleton recommended was the “four eyes approach”, wherein two sets of eyes are needed on every financial transaction that goes through a company.

“The first set of eyes will look over and approve the transaction, while the second set is looking for social engineering tactics, but that involves more in-depth training to be up to speed with the ever-evolving threat landscape,” he added.

Prioritizing more in-depth underwriting inquiries

While implementing cyber hygiene and vigilance protocols is becoming the norm from SMEs to large corporations, Benaim said that more can be done during the application process when onboarding a client.

“We encourage brokers to have their clients be more detailed about their cyber posture in their applications,” he said.

“As a broker, when you’re having that initial interaction, you need to give them the ‘why’ behind each question because they probably have much more information than you think,” added Fraser.

Middleton echoed the sentiments of his panellists, noting how he hopes that, over time, insurance professionals will find creative ways to get access to this information and develop closer relationships with clients to get a better sense of their complete cyber posture.

“In an ideal world, from an underwriter’s perspective, we would want to see if a company has internal cyber champions that are set up and have a better understanding of network security and cybersecurity and spread it amongst their peers throughout the organization,” he said.

“You can give that committee a specific name and logo, so when they reach out to the rest of the company, they know to pay attention.”

All three panellists agreed that giving employees access to more resources through an internal cybersecurity hub, or one from a third-party vendor, will bolster cybersecurity awareness and can lead to better overall culture throughout the organization.

Furthermore, it is important to apply internal security measures externally as well, when interacting and working with customers and other vendors.

“When you’re dealing with parties that might not necessarily follow the same types of security policies and procedures that you have, try not to be as compromising as you may have been in the past,” Middleton added.

“Practice what you preach.”
