Q&A: The cyber threat facing Canadian business

Phil Baker of Creechurch International discusses cyber risk in Canada with IBC in an exclusive interview.

IBC: How significant is the cyber risk to Canadian businesses in 2015, in a general sense?
PB:
Certainly, in a general sense, it’s bigger now than it’s ever been and continues to grow. I’ve seen different figures in terms of what the impact of cybercrime is in Canada, and I’ve seen figures as high as $3b annually, and that’s only growing. So I think any organisation in Canada that has employees or customers, which is pretty much every business, has an exposure to cyber risk.

IBC: What are the greatest risks businesses face in the cyber space?
PB:
Fines for PCI compliance…can be up to $1m. And that’s not necessarily dependent on the size of a business…even small companies can incur massive fines and penalties due to lack of PCI compliance. Class action suits are on the rise. [They] have been certified in Canada for privacy-related breaches, so the damages are only going to go up, and they’re going to go up exponentially. If a company’s not prepared [and] doesn’t have the security in place to prevent that, and doesn’t have the insurance to transfer that risk, ultimately a company could face bankruptcy.

IBC: How well appreciated do you think those risks are by Canadian businesses?
PB:
My personal opinion is that there is an underestimation of the exposure that companies face. Certainly the buying patterns for cyber insurance lag well behind what similar-sized companies in the United States are buying, based on the information that we have...
I think companies in Canada are finally starting to realise that insurance is a necessary part of the risk management process…Certainly companies are aware of it and asking questions, and brokers are certainly much more aware they must present an option for insurance relating to cyber and privacy.
The other component of that is how much Canadian companies are spending on data security. There’ve been a number of different studies, but I think the general consensus is ‘not enough’. I’ve seen one figure that [says] Canadian companies with employees of 1,000 or less are spending only 14% of what a similar-sized US organization might spend on data security.

IBC: How does your CyberPlusPlatinum product provide wider protection against cyber incidents than the majority of products in the Canadian marketplace?
PB:
Most companies will take a US-based product or a European-based product and tailor it for the Canadian market. At Creechurch we built ours from the ground up with the intent of creating a ‘made in Canada’ policy.
The biggest thing, I think, [is] the resources we offer in the event of a breach. For instance, we’ve partnered with CGI…They’ll provide an online assessment tool to analyse risk, they’ll do a detailed assessment at the request of the client, and then they work with us on a post-breach situation to do forensics and mitigate the losses….
Upon the suspected release of confidential personal information, our clients have access free-of-charge to a legal expert hotline…to ensure they know who they need to advise of this breach, which privacy commissioners require information and what form that information must take.

TG: What general advice would you offer to businesses about protecting themselves against cyber risk?

PB:
What we find is that a lot of companies will invest in cyber security and the IT department will say to the CEO, ‘No we’re good. You don’t need to buy the insurance because we’ve just upgraded all our hardware and software, such that we think we’re protected.’ And my response to that is, if you install a burglar alarm in your home or a fire alarm, you don’t then cancel your burglary and fire insurance. One is risk mitigation and the other is risk transfer. To adequately protect yourself, I think you need to consider both aspects. And then, taking it outside of the actual electronic realm…Most of the breaches we see relate to either paper files, a lost thumb drive, a lost laptop – not an actual hacking, but human error…Put controls around physical assets that may leave the office that will have sensitive data…[And] don’t assume that, if you’re a small business, you’re immune…Small criminals are targeting small businesses.
 
