In this Cyber Claims Landscape special, Eric Dolden, senior insurance lawyer and partner at Dolden Wallace Folick, joins Elizabeth Bull, senior vice president of claims, and Shiraz Saeed, vice president, cyber risk product leader, both of Arch Insurance, to take a look at the key trends impacting the market. They examine the challenges that stand out, whether insureds truly see the value of the product and how brokers can break the misconceptions around cyber.
Paul: [00:00:28] Hello everyone. And welcome to the latest edition of Insurance Business TV, a cyber claim special in association with Arch Insurance. Why this topic? Well, here insurance business. We cover all aspects of insurance news across a host of specialties, from professional risk to environmental to home, auto catastrophe and technology. But here's an insight for you. The most consistently visited section of our website over the last two years has been the cyber section. Now you might ask why the product has been around since the late nineties. So why this interest now? Is it finally becoming mainstream on the back of COVID, or are we just seeing all those threats like ransomware, phishing and denial of service attacks seeping into our vocabularies and our day to day lives? Well, no matter how much you may know about cyber, there's no doubt you have plenty to learn because this is a product area that doesn't stop evolving. That's why, with the help of Arch Insurance, we've put together an expert panel to guide you through the current landscape and answer the sector's biggest questions. They are. Elizabeth Bull, senior vice president, claims at Arch Insurance Canada. Shiraz Saeed Vice President, Cyber Risk Product Leader at Arch Insurance. And Eric Dolden, a partner in a law firm that specializes in cyber losses. Dolden Wallace Folick LLP. So welcome, everyone. And let's start with the current picture. Are there any trends or new challenges that stand out, particularly, of course, around the type of claims that are being made? And if you don't mind as well, give me some insight into what can be done to mitigate those threats. Eric, I'm going to start with you.
Eric: [00:02:16] Thanks, Paul. If we look back over the legal landscape in Canada over the last three years, there's some really clear trends emerging. The first is, and this will come as a surprise to many, I think, if if your network system is intruded by a foreign actor, whether they're just snooping to look at the data on your system or they exfiltrated outwards to a foreign actor. Your clients and customers have a right to sue for damages. And what Canadian judges have indicated is that the clients and customers don't need to be out of pocket in order to recover damages. Canadian judges have adopted the view that you can recover general damages simply because your privacy and has been infringed upon or compromised. The second thing is that we're seeing a big uptake in cyber class actions in Canada and class actions that are certified. And class counts have realized that if they're complaining about the loss of the same type of personally identifiable information among all the clients and customers that were affected, they can certify a class action and that can be very expensive for a business. The third trend that we ought to take note of is that up until this point in Canada, remedies for privacy breaches has come through a patchwork of judge made remedies and provincial legislation. Canada is at a turning point in the House of Commons. They are actively considering Bill C-11 and that is going to be new federal legislation that in essence says anyone who is affected by a privacy breach has a right to sue for damages. And that's going to provide consumers, your your clients and your customers with a very powerful remedy in the event that your network system has been compromised.
Paul: [00:04:13] Yeah, excellent start, Eric. Shiraz, if I can come to you. I mean, I asked Eric to just give us some some trends out there, and he gave me three. Can you keep the momentum going?
Shiraz: [00:04:25] Sure. I mean, just just to build off of what Eric is saying. And one of the things that he mentioned is what really concerns us on the underwriting side is, is this ability for the consumer to have their claim, for all intents and purposes, heard and confirmed. You know, a lot of my experiences is in the US and that's one of the big glaring issues is we can't prove what we refer to as concrete damages on a liability. So here they're going to have the ability to do that every time, and that's just going to open up the landscape for liability tremendously. But besides that, the the three most common or frequency that we're seeing is for ransomware, which I think is now a household term that you were mentioning earlier. Paul, there's you also use the term phishing, which results in social engineering or what we call business email compromise, where you do a fraudulent transaction or you wire money to an incorrect place because you were sent an email that purportedly seemed to be from somebody legitimate. And then the the third most common is what Eric was mentioning is privacy disclosure. But what we're starting to see a lot more is not necessarily the loss of the private information, but rather proper disclosure and consent on the collection or gathering of that private information. And you're seeing a lot of regulatory change in the US where it's more geared towards having those controls in place on disclosure and consent, where you're going to see a lot of the fines and the penalties. And it's really driven by the European law, GDPR or general data protection regulation where they really started to push that wrong for collection and gathering exposure. So I think what I noticed is when looking at the stats, I read a report about cybercrime in Canada written by the government and it seems that ransomware is the biggest looming threat that they feel to businesses. And I think why that is compared to the business email compromise or the regulation is ransomware leads to the disruption of business and the disruption of business can impact individuals. Citizens as you. On the Colonial Pipeline in the United States. It ended up having gas stations closed in certain areas. So when that hits home like that, I think that's where that disruption of operations is really what concerns the government and should concern businesses.
Paul: [00:07:12] I like how you're sort of giving us different types of trends. Of course, Shiraz clearly concentrated there on all claims trends. Elizabeth, if I can bring you in, I hope you don't mind. I'm going to put you on the spot a little bit. I'm just wondering if there are any tips that you've got for insurers and brokers in terms of the trends that you would put across?
Elizabeth: [00:07:30] In keeping with the top three items, we strongly recommend implementing basic cyber security measures with the goal of improving the organization's overall cyber hygiene. This certainly goes a long way to stop system access in many cases, and we find as organizations add security measures to their environments, their threat surface decreases and their security posture increases. A really good resource that we've found for both brokers and insurance is the Canadian Center for Cyber Security. They have an exhaustive list of best practices for development of a secure I.T infrastructure and protection of an organization's networks. It's also imperative to ensure that the organization is conducting ongoing risk analysis on their security measures and i.t. Infrastructure. It's important to do this to identify and address any gaps or weaknesses that may be present. And one quick and affordable defense that can be utilized and often in some policies it's actually required. But to ensure that there's a multi-factor authentication system or MFA system in place, this assists and presenting unauthorized access to systems in particularly email and that would in turn would prevent access to employee and client personal identification information or PII. The second important tip. Is always to notify your broker or cyber carrier at the first notice of any potential loss. If there's been a breach on the system, no matter how minor or even if it's accidental, it's certainly better to be safe than sorry it's in. It really is an inexpensive way to monitor the system and do a forensic check to see if systems have been or could have been compromised and take this preventative action. We note that sometimes it takes many months for threat actors to make use of the data that they've come across and or for issues to come to light, at which point so much more data may have been compromised and or exposed. The third important tip that we've seen from an audit candidate claims experiences perspective. By now you would think, it seems that this should be an automatic. But many businesses, even large ones, still have not implemented training programs on their cybersecurity for all employees. So we want them to ensure that they have training for best practices and fraud detection and fraud screening. Many of the entry points for these threat actors could be avoided with better privacy and security hygiene practices throughout the organizations.
Paul: [00:10:23] I think we've picked up on a lot of trends from each of you, and if you don't mind, I'm going to reference a trend that I used to hear a lot about, because what I'd like to know from you all is do you think insureds are really seeing the value now of cyber insurance as a product? Because that trend that people used to tell me about all the time was that there was that mentality of it. It won't happen to me. We won't be threatened by cyber. We're too small, for example. So has this finally been overcome? Shiraz, I'm going to go to you.
Shiraz: [00:10:55] I mean, I've been underwriting cyber risk insurance for over ten years now. And in the beginning, I would literally go door to door to brokers offices saying, hey, you have these clients and these businesses and they have computers, they have private information, they have websites that have media on it. If something are going to happen to that, how are they going to run their business? And you had to go through a whole sales process of convincing them and pointing them in the direction of what the need is. And I think over the past ten years, the need has become more and more understood by the business community. And those that have suffered an actual ransomware or cyber incident definitely recognize and see the value in the policy. A They didn't have it and they paid for these expenses, the first party expenses and the liability is out of pocket. Or they had the policy and it saved them and it saved their balance sheet because they had a 1 million or 3 million or $5 Million policy that absorbed all these costs when their balance sheet did not have that. So I think when you do have a policy and you do have an incident just like every other insurance, it's going to work great. And it's going to solve not 100% of every loss that arose from a network security breach or a privacy violation. But it should contemplate, at least I would say, 75 or 80% of those losses that come in.
Paul: [00:12:31] So it's about showing the value of cyber insurance, I guess. And Elizabeth, I'm assuming that part of that as well is to to give real life claims examples.
Elizabeth: [00:12:41] Unfortunately, many of these threat actors are not caught and they operate across the globe, moving frequently and acting in highly organized global operations. We find as a result, even if they're unsuccessful, there's little risk for them. And their continued attempts of cyber attacks will amplify, in particular with political instability in certain regions where these organizations can operate and carry out attacks without any repercussions, the value of these claims can be significant not only in terms of demand, but in terms of impact on the operations. We recently had a claim that involved a ransomware attack on a large, specialized engineering firm. They lost access to their data going back over 20 years, which included plans for complex operations that they had developed and that were proprietary to them. Their entire operations were paralyzed for two weeks. The business interruption cover included not only losses sustained during that time, but also the extra cost and time and effort of having staff work overtime to go through their hard copies and their stored data and their backups. Coverage included forensic analysis, breach, council consultation and monitoring and ongoing communication and negotiation with the threat actor, which included verification that they have the data and that it was recoverable and remained encrypted. It also included proof of functional key for the encryption and ensured that payments made to the threat actor were within the legal parameters. Also included assistance in encrypting the data on return and organizing it so the insurance business could return to functionality. We also covered increased costs and losses during the relevant time that their outage occurred and also analysis and monitoring with respect to any PII that may have been exposed. Another key point is to ensure that. For those organizations that even if they feel confident in their own systems and security, there's often a reliance on other vendors i.t providers that can leave a vast amount of their data unsecured. We've also had experience in claims where insurers vendors who host vast amounts of data on behalf of the insurers is compromised and subjected to ransom demands. And quite shockingly, some of the vendor firms who host the data had no specific cyber insurance or were highly insufficient limits of cyber given the number of clients and the amount of data that they hosted. So in in these cases, the arch policy would respond not only to the insurance data that was under their control, but also if it was compromised well in the control of a host. Arch works with a select group of specialty vendors in legal and forensics to ensure not only is the data restored without compromise of the quality or the security of the data, but also that the insurer is not running afoul with the law and making any payments. We ensure that proper notification of authorities and the transaction is pre vetted to ensure compliance of all anti terrorism initiatives.
Paul: [00:16:16] Yeah. Fantastic example that Elizabeth and Eric, if I can move across to you, how is this impacted cost as well? Can you give me some insight there?
Eric: [00:16:24] Yeah, I want to echo what Shiraz says. I think Canadian businesses have recognized it's not whether they're going to be hit with a cyber compromise. It's when it's going to occur. And the big the big change I've witnessed over the last five years is this increasing realization that most Canadian businesses cannot afford the cost of a compromise in their data. I'm going to give you some recent statistical information. Over the last five years within Canada, cyber related claims costs have increased by 56%. And we know that much of that increase is a result of the fact that the cost of restoring your data, if it's compromise, encrypted or stolen, has risen dramatically. And the other thing is the other reality that Canadian businesses face is that ransomware claims are up by 40% over the last five years. And the average ransom payment now is coming in about 1.8 million CAD. And many businesses can't afford that. As stress indicated, they can't take the hit on their balance sheet. So they need a risk transfer device in the form of cyber insurance to deal with those exposures.
Paul: [00:17:48] Yeah, that's excellent background there. And if you don't mind as well, talk to us about how you're working with brokers to overcome some of the misconceptions about cyber insurance. I mean, I spoke earlier about this idea that some companies just don't need it or don't think that they need it. So give us some tips that you can offer and perhaps explain to us what some of those misconceptions actually are. Shiraz, I'll come to you.
Shiraz: [00:18:11] Sure. I think if you like I said even ten years ago and now the biggest challenge are hurdle around underwriting and understanding the risk of cyber revolves around. A the the class of business or how they operate their business and how that impacts losses downstream. So, for example, if you said you're a business to business, I don't have consumer private information. I don't have a cyber exposure. It was a typical answer that you would get. But in today's world with ransomware, if you were to suffer that and you were a manufacturer or a construction company, well, the platforms and applications and systems you use to operate your business, they're disrupted now. And you can't show up to the job site or you cannot actually manufacture something. So no matter what, you'll still need to get a lawyer like Eric to help you mitigate and figure out what's happened. They're going to hire a cybersecurity firm to do data forensics and incident response. You might even need to bring in a PR company to do the brand reputational harm reduction. Now, from there, as Eric mentioned, there's data recovery. So the cost to restore and recollect lost electronic data. There's going to be a negotiation and potential payment of an extortion demand. And then if you're down for five, ten, 15 business days or more, then how much income you suffer loss. Right, and what extra expenses that you incur as a business. Now, that's for companies that don't have the private information or access to it or do business in it. Once you bring that into the fray, well, now you have to notify those individuals, provide them some sort of identity or credit monitoring. Those individuals can now come together and sue you in a class action. And in addition to that, there can be regulatory proceedings brought because you now violated either federal or state law. And then. That is, if you deal with direct to consumer, then there's a third bucket which is even more dangerous, which is companies that are business to business but provide services and products to the direct to consumer companies. So they're aggregating all the private information and have access to your computer system or both. So if once you categorize and look at your business from this perspective and then recognize how large you are from a scale perspective, so that could be in revenues, employee count the amount of technology you have, meaning we have 1000 laptops and workstations versus a company that has 100 laptops and workstations. So these are things that are. Ways to understand the exposure. And that could be complicated and it requires some expertise. But then from there, the most cumbersome part is going through the controls and understanding what products, tools, policies, procedures and people the company has in place. And I think that's where you're seeing a lot of misconception right now, because many brokers and policy holders are coming back to carriers and saying, you're all asking us ten different things when in reality we're all asking you the ten same things, just posing it to you in different ways and using different slight different verbiage and stuff. And I think that's what we want brokers and policyholders to understand is we're all trying to get to the same objective, which is minimizing the likelihood of you having a breach. And we believe that these tools and these policies and these people that you have in place are going to minimize that. So we're we're not asking you anything new. We're just scrutinizing more things in a more detailed way because we now have the loss history to reflect on those policies and procedures.
Paul: [00:22:29] Thanks Shiraz. I think you covered a lot of ground across those various buckets there. But Elizabeth, if you don't mind me bringing you in, give us some perspective from the claims handling standpoint.
Elizabeth: [00:22:40] I think the greatest misconception in the cyber claims space is the fact that the claims go straight to the lawyers and there's no adjuster involvement when in fact, Canada claims stays very involved. We have a dedicated claims team that is just for cyber claims, and they handle all cyber related matters. We work closely with the insureds and our broker partners and the various experts involved in the assessment of losses and throughout the entire life of the claim. It's my opinion that we offer unparalleled service and technical claims guidance. And while we rely on our. Expert vendors for specific guidance on the technical and legal aspects of the claims. We act as the liaison or the advocates for the insureds, and that's an effort to ensure efficient and necessary communication between the various vendors is taking place in a timely manner and that the insureds priorities, which certainly can change based on the particulars of their claim and the nature of the insurance business. A larger complex loss, as there may be a multitude of service providers involved, including breach councils, forensic I.T. and forensic accounting. And we like to quarterback all of those vendors and processes throughout the claim. Often we find there may be also a need to liaise on with government authorities, and urge can act as that point person for the various vendors and also facilitate timely communications and getting the necessary answers to the insurers. Allowing them the ability to focus on how best to keep their business functional and respond to any issues that have arisen as a result of the breach. We also ensure that we take the time to ensure that coverage is fully explained to the insured in terms of what documentation may be provided or required, as well as to keep them involved and up to date in the process of the claim. We also ensure that we take the time to assist the insureds with looking through the strategy and the pros and cons of making payments where data may be recovered from backup servers without necessitating any payment to a threat actor. However, there is no guarantee that the PII that may have been contained in the data is not exposed if no payment is made and analyzing the cost of payment to be to the threat actor versus payment for identity and credit monitoring based on the amount and type of data exposed of a number of individuals affected while also considering potential reputational and relationship damage. Should note that the coverage also includes crisis management. So again, we act as often acting as the information hub and the primary context for the insurance and the brokers during this claims process. And while the claims process unfolds, we also assist in ensuring that the appropriate sub-specialty of vendors is retained to assist with each particular breach loss. And we ensure that we obtain preferred rates for only the highest quality vendors using the latest methods and equipment, which further drives down the costs and risk by allowing the process to be dealt with more quickly. And lastly, if situations warrant it, we'll explore if it's viable to pursue options for subrogation. If the insurance data has been compromised by a third party that they relied upon, such as the host provider.
Paul: [00:26:25] Excellent insights there. And Eric, any misconceptions that you're seeing?
Eric: [00:26:31] One of the things I emphasize both to Canadian businesses and insurance brokers is that many businesses purchase breach response coverage. So it indemnifies them in the event that they have a compromised or their network security. But what many businesses and brokers don't realize that under current Canadian law, in the event that there is this type of compromise, they have to provide notice to affected clients and customers that's mandated by law. And what we're finding is that if a breach notice, as it's called, is sent to affected customers and clients, many of them will pursue third party liability claims like it may be an individual claim seeking, seeking compensation or as Shiraz mentioned, it could be as pervasive as a class action. But it underscores the importance of buying cyber liability insurance and inadequate limits. You have to take stock. How many customers are clients would be impacted if we had a compromise of our network security. The larger the client and customer base, it augers for higher liability limits. And that's really important. And businesses who talk to their insurance broker about what their needs are in terms of third life, third party liability insurance.
Paul: [00:27:51] So let's bring things very much to the here and now. Talk to us about the cyber claims marketplace in 2022 so far and what's changed, I guess, as we settle into this new normal. Of course, we're in a supposedly post pandemic. I'll use that term loosely environment. So is there a heightened risk now, especially with people working from home, for example? Eric, what are you seeing?
Eric: [00:28:16] Yes, we detected since 2020 a discernible increase in the number of cyber intrusions that resulted from the mass migration of workers from their business offices to their home. What's happening is many organizations have relaxed security controls. They've given employees access to a wider range of sensitive material. And what we're finding is that through these remote locations, there's an increased number of intrusions. Frankly, in some cases, it's employee dishonesty. It's using information, maliciously selling it on the dark web. And also, obviously, in remote locations, other people can access the employee system. So we we we've detected a definite uptake in number of claims arising from broadly what I would call employee dishonesty from a remote location. The second thing that I've noticed is and this has actually been occurring over the last five years, it was a pronounced claim trend even in the several years before COVID impacted us is many businesses are going to what are called managed service providers, what people commonly referred to as an AI cloud provider. And what'll happen is these aggregators of data will service a wide range of clients, all of whom have data. And what's happened is foreign actors have gotten very good at gaining entry into these managed service providers. And so when we do have a claim, when their data, for example, is encrypted and there's a ransomware demand, it affects anywhere from 10 to 100 businesses, all of whom have the same AI cloud provider. So we're actually getting, in some cases, a single ransomware demand can impact a vast array of businesses, often in the same industry sector. And it causes a systemic failure. And this can be very expensive and it's occurring with greater frequency.
Paul: [00:30:20] And it's interesting, isn't it, because I suppose our circumstances have changed quite dramatically in a lot of cases. But Shiraz I mean, this threat landscape isn't really new, is it?
Shiraz: [00:30:30] Well, that's the thing. Again, I hearken back to the earlier days of the underwriting process and meeting with businesses and then us asking, well, what percentage of your network or your system is outsourced to a third party versus operated by yourself? And you would hear varying answers. 70% is in-house, 30% is outsourced. But now it's the complete reverse. It's 100% outsource or 95% outsource and very minimal done in-house, especially if you lack expertise. So like Eric is mentioning, a managed service provider, let's say they do security services for you from a cyber perspective. Well, they have a team of people that are dedicated to this, doing it all day, every day. Are you going to be able to hire for people that are experts in cybersecurity to manage your security and create a security operations center and monitor it real time? It's a lot of effort to create it in-house. When you have these businesses that are designed to make it easy and not a heavy lift. However, you're putting all your eggs into one basket in the terms of your relying on this business to operate your business. Right. And with the proliferation of moving it to these outsource providers or into the cloud, and then because of COVID, you went from 0 to 100 or from first gear to sixth gear in terms of companies deploying remote access. It's been around for a while, but it would be done methodically, strategically tested. Instead. You just went, Oh, we're going and we're going live today. Right. And I think what's happened there is threat actors have seen this vacuum where they're remote access, whether it's through a VPN, if you're in Microsoft or most remote desktop protocol, whatever it may be that you're using to connect back to the network. Vulnerabilities that can be exploited there. And this is the actual vulnerability or exploit, which has driven the insurance carriers to want multi-factor authentication. It's driven by remote access and accessing the network remotely. So from an underwriting perspective, remote access has become one of the biggest hot button issues when thinking about what is the trigger or cause of the network security breach of what's being exploited. So that's what we think is increasing the threat landscape, and you're starting to see that in the claims trends for 2022.
Paul: [00:33:23] Well, from hot button issues, I want you to tell me what's hot about cyber policies. If you don't mind, give us some insight into what brokers should be thinking about when choosing the right cyber coverage, if you want, for the clients. What separates Archie's proposition, for example, from from the rest of the pack? Shiraz, I guess you're the man to answer that one.
Shiraz: [00:33:44] Sure. So, I mean, right now, the marketplace for cyber risk insurance is flush with carriers that want to get into the business. And there's also a new capital coming in from other non-traditional sources. And as such, I use this term reputable market or reputable carrier. If you're a broker, you want to work with a reputable market or a reputable carrier. And to to me or to us at Arch, that that starts with expert underwriting acumen. So when I was talking earlier about figuring out the class of business and understanding the exposure. I think that's super important. And as risks become more complex, working with brokers and potential policyholders to figure out what all all the exposures and addressing them in a manner that assists them the most is important. I think, secondly, having a quality insurance product service is important as well. And to us that means having loss preventative services to assist the client ahead of time before binding, having effective policy wording within the actual contract and then also on the back end having a robust claims department that is going to be able, like Beth said, to do more than just pass it on to the lawyer, but assist you and go throughout the whole process of going through this traumatic incident. So I think for the brokers out there, you can look at Arch as a carrier that has underwriting expertise, that does have a quality product, that has an effective loss prevention policy wording and claims and capabilities.
Paul: [00:35:29] Yes. And some some excellent tips. Eric, let's come to you.
Eric: [00:35:33] Yeah, I think brokers need to be concerned about a number of issues. The first is that when they turn their minds to getting coverage for their client for breach response costs, they need to be very sensitive to the fact that there are different coverages. Some policies, for example, do cover social engineering losses. Others do not. So they have to be very careful about making sure they have the insurance clauses that meet their client's business requirements. The other aspect is I've noticed many insurers are opting to have significant deductibles or self retentions, and then when they get a hit with a loss, they find that they can't cope with the cost of burying the deductible or the self retention. Make sure you carefully calibrate how much you want to absorb to your own balance sheet in the event of a cyber loss. And I think the third dimension is making sure that you have adequate liability limits. You know, there's historically there's some policies that have written very low liability limits. And in the current legal climate in Canada, particularly, the ability of your customers and clients to get damages, even if they're not out of pocket augers for higher liability limits. So the broker should have a really meaningful discussion with their client about what sort of third party liability limits they need in their cyber policy.
Paul: [00:36:57] All right. Some great tips there from the gents. Elizabeth, let's come to you now.
Elizabeth: [00:37:04] This really speaks to the heart of our claims value proposition at Arch Canada claims. We certainly work with the most experienced vendors, vendors who are actively involved in this ever growing and ever changing field to stay abreast of new risks and methods for cost containing costs and risks, in particular by taking early action, by devising and deploying strategy for containment and restoration. And I'm very proud to say that Arch has a proven track record of reasonably evaluating the insureds on. In business operations, business relationships and reputation. Well, factoring in the cost and time involved in how a cyber claim should be handled. Arch Canada claims team has always taken an active role in claims adjudication as opposed to a passive monitoring of the claims. And we believe in frequent and meaningful communications with insureds and our vendors to ensure we understand priorities and the insureds values while making decisions collaboratively. And lastly, Arch Canada claims is committed to staying abreast of legal and regulatory environments that impact the handling of cyber losses.
Paul: [00:38:19] All right. I'm sure you've turned a lot of heads with that outline. My huge thanks to all of you for joining today. To Elizabeth, to Shiraz and to Eric, and, of course, to Arch Insurance for helping put this roundtable together. Hopefully you got all the hacks you need to succeed in cyber. For more insights and fewer bad puns, see you next time here on Insurance Business TV.