Despite the constant headlines involving data breaches, most recently impacting a Canadian medical cannabis company, and new ransomware strains, Canadian firms continue to struggle with vulnerabilities that expose them to cyber risk. Business email compromise (BEC) is one such incident that’s keeping many companies on their toes, after Beazley reported a 133% growth in business email compromises in 2018.
The cost of forensics to determine what information contained in compromised emails was sensitive goes up as emails accumulate across a business’s lifecycle, and that’s not the only factor making companies wary of this cyber threat.
“Layer on the fact that there are post-November 01 reporting requirements in the Office of the Privacy Commissioner, and firms are now being exposed to more of a regulatory landscape than they might have been previously on something that seems to happen fairly regularly,” said Greg Markell (pictured), president and CEO of Ridge Canada Cyber Solutions, adding that the number one driver of BEC is still weak passwords. In fact, Ridge Canada has seen hacked clients whose passwords were revealed to be 12345.
“This is happening at sophisticated clients, so the crypto-jacking and the emerging trends, like negative search optimization, are coming and we’re getting prepared for them and making sure that clients and brokers are aware of [these], but the pandemic of ransomware hasn’t been cured yet,” explained Markell. “Business email compromise continues to be an issue, and adequate passwords and the like are still drivers in what’s going on, so I think it’s a testament to the fact that there’s even more of a threat landscape out there and continues to be by the day, and businesses in Canada are not immune.”
The false sense of security among Canadian companies – that just because they’re in Canada doesn’t mean they’re not targets for cyber criminals – has to end, added Markell, who believes that the claims will continue to prove this simply isn’t the case.
The numbers back up the Ridge Canada leader’s point – a report published by security vendor Carbon Black found that 83% of the Canadian CIOs, CTOs and CISOs surveyed admitted that their organizations had suffered a cyber security breach in the previous 12 months. Brokers are meanwhile doing their part to reduce their clients’ exposures to cyber threats.
“We’re seeing a lot more broker interest, which is great. The purchasing rate has remained relatively similar to what we saw last year. I think that is a testament to the difference in the type of work that we do, in terms of being able to help our brokers from a sales enablement standpoint, and to help them talk the cyber lingo with their clients and to know where to press and what to do when things come back or when they get hit with any sort of pushback at the client level,” said Markell. “We’re starting to see brokers be more comfortable talking about [cyber insurance], which I think is very important and needed to happen. We’re also starting to see brokers invest in it, and to me that’s wonderful. More brokers have brought on cyber experts, and are training people to be cyber experts, and I think that that’s going to drive a lot of movement within the industry.”
While the Carbon Black report points to a telling trend, the more critical metrics are those provided by Statistics Canada in January, which showed that of the 1.18 million employer businesses in Canada, 1.15 million (97.9%) were small businesses. The fact of the matter is that a small business is unlikely to have a CTO or a CIO, and their cyber insurance uptake is very low, according to Markell, never mind that few have a standalone cyber policy.
With brokers on the front lines matching up companies with the right cyber insurance policies, they need all the support they can get from the rest of the insurance industry.
“For us, it’s working with our broker partners to identify where they need help, where we can help, and what things are going to look like a year out because if you look at procurement as part of the overall problem, it used to be that small business clients didn’t have the time or the bandwidth to fill out these massive applications that were very intrusive,” said Markell. “The entire insurance industry in Canada has reacted to that, and you’re starting to see some of the underwriting questions and diligence be scaled back a touch when it comes to smaller business, which, frankly, I think is helping in really softening one of the barriers to entry for these clients, in terms of getting into the cyber insurance market, and using it as a risk transfer protocol across their portfolios.
“Some of the issues that are still inciting clients to buy, and where brokers are having the conversation and where this is being driven is still on those type of pandemic issues that we’re seeing clients encounter every single day. That’s not even including the element of the social engineering piece from a fraud perspective and whether or not that’s on a cyber policy or a crime policy. It doesn’t matter – clients are still getting hit with this.”