How Canadian cyber risk is different from American cyber risk

Canadian cyber risk is less privacy driven and more crime-caused than in the US, according to CFC Underwriting’s international cyber team leader Lindsey Nelson.

Social engineering, in which deceptive email accounts posing as CEOs or vendors manipulate employees into passing on company information, is often the method of choice.


“In 2016 we had over 400 claims, more than one a day, when you remove the US from the equation, the cybercrime and social engineering ends up being 38% of our total claims,” Nelson said, “which is a massive statistic in comparison with your other lines of coverage.”

While privacy concerns over user information are ubiquitous in hacking headlines, Canadian firms aren’t facing cyber risk in the same forms as American ones.

“Because not everybody is holding vast amounts of data but everybody’s holding cash, the cybercrime and social engineering fraud tends to be a more applicable cover to those Canadian companies,” Nelson said.

“To sell it on that basis has been worthwhile because it really focuses the attention away from the privacy aspect that’s seen a lot in the US, in addition to some other coverages that are, at times, overlooked - such as the service business interruption.”


Another related difference Nelson points out is the US’s nearly 15-year-old hack-reporting legislation (a patchwork of rules, state by state) compared with Canada’s nearly passed national legislation requiring companies to report their breaches.

Hackers are increasingly targeting people rather than security systems when robbing or spying on companies, something that protocol could help alleviate, according to Nelson.

“Proactively make sure you have employee training programs in place, make sure you can mimic phishing attacks on your own employees to get them to notice that coverage a little,” Nelson said.

“Make sure you implement call back procedures and dual authentication measures. So if someone’s emailing you, don’t take it for face value, do your checks and actually call in and verify the phone number to make sure it is the intended recipient.” 
