The Ontario Broker - April 2018 - 17

Mainstream media and insurance industry publications
are riddled with daily stories of cyber breaches, network
extortion, social engineering fraud... the list goes on. The
Cyber Security Readiness of Canadian Organizations
2018 SCALAR Security Study reports that the annual
cost to recover from breaches averages $3.7 million in
direct and indirect costs per organization. SCALAR
noted in its study that Canadian organizations reported
an average of 455 attacks in 2017 - more than one a day.
No doubt, just as many or perhaps even more cyber
events weren't reported. Suffice it to say, if we're hearing
about cyber security disasters every day in the news, we
ought to be talking to our clients about them too.
Not only is there a direct first-party financial cost to
cyber privacy claims, there's also a risk of third-party
costs arising out of a breach of private information.
The recent Equifax data breach is a good example.
Reputational harm, privacy regulatory penalties
and productivity loss all occur when data is lost
or networks are shut down due to a cyber attack.
With well-crafted cyber security insurance in place,
the client can access the insurer's forensic cyber
security experts, breach notification services, legal
advice and access to restoration contractors. In the
case of network extortion with ransom ware, the
insurer's cyber claims specialists will know whether
to negotiate a bitcoin settlement demand or not. And
the insurer will know how to access a bitcoin purse if
a decision is made to meet the ransom demand.
Sharing insurer's cyber security claims examples
will help your clients visualize similar or common
vulnerabilities in their own organization. For example,
an unwitting employee opens a link that causes a
virus to spread throughout the network, or loses a
laptop or smart phone on public transit, leaving the
organization vulnerable to the loss of sensitive data.
Social engineering claims involving phishing or other
electronic scams are becoming increasingly common.
Brokers can play an important role educating business
owners on how to identify cyber security risks they
never realized existed, and select the best cyber
privacy insurance solution for their operation.
Just because cyber privacy coverage has not
traditionally been in the coverage line-up business
owners typically purchase, we must not gloss over its
importance in an annual or mid-term coverage review
or when advising new clients. Presenting properly
crafted insurance solutions before cyber events, not
after, is our absolute responsibility. If a client declines
coverage, it behooves every broker to be sure it's an
educated and documented no; that you did a thorough
job communicating the importance and relevance of
coverage to the client's operations. Failing to educate
them leaves us open to errors and omissions claims.
Besides, clients who listen to our advice will sleep
better at night knowing they're well covered.
From a risk management perspective, brokers
can point their clients in the right direction by
encouraging them to develop internal protocols,
employee training, incident response plans including
practice sessions and table top exercises that clearly
define responsibilities and communication

WWW.IBAO.ORG

455
31%

REPORTED ATTACKS IN CANADA IN 2017

OF BREACHES INVOLVED COMPANIES
WITH FEWER THAN 100 EMPLOYEES

78%
OF CYBER THIEVES EMPLOYED
TECHNIQUES CLASSIFIED AS LOW
OR VERY LOW DIFFICULTY

75%
OF CYBER ATTACKS WERE UNTARGETED
AND OPPORTUNISTIC

66%
OF BREACHES TOOK MONTHS OR
LONGER TO BE DISCOVERED

17

protocols. Brokers can access insurer cyber
security guides that offer advice on how clients can
prepare, prevent, mitigate and restore in the wake
of a breach. In many instances it might be advisable
to recommend engaging outside cyber security
experts to perform security audits that identify
vulnerabilities, provide advice on how to fix them
and develop a response plan in the event of a breach.
As brokers we must not hold ourselves out to be
cyber security experts, rather recommend that
clients seek expert advice if they don't have their
own cyber security experts on staff. This is akin to
a broker recommending building replacement cost
appraisals to ensure insured values are kept up to
date - we don't hold ourselves out as appraisers.
While we have our work cut out for us - educating
clients about the need for cyber privacy insurance
- Principal Brokers ought not overlook their own
need for cyber privacy insurance given the extensive
amount of client information every brokerage
gathers. Although RIBO hasn't mandated that
brokers carry cyber privacy insurance, we should
carry the coverage nonetheless given the significance
of our business's exposure. The mitigation and
restoration resources provided by cyber privacy
insurers are critical to minimize the damage
following a cyber security event.
Bear in mind, a privacy breach won't necessarily
involve a cyber event. Carelessness around
protection of paper files containing private client
information can also occur. In my early days in
insurance, a co-worker left several client files in a
subway car; of course, panic ensued the next day.
With mandatory Federal Privacy Breach Notification
legislation on the horizon, clients will face breach
notification costs in the range of $200 per record;
this typically includes credit-monitoring services.
Depending on the number of records involved,
breach notification costs can be staggering. In the
aftermath of a breach, insurers help clients comply
with breach notification legislation.
Statistics on data breaches investigated in the
Verizon Data Breach Investigations Report indicated
that 31% of breaches involved companies with fewer
than 100 employees, 78% of cyber thieves employed
techniques classified as low or very low difficulty,
75% of attacks were untargeted and opportunistic,
and 66% of breaches took months or longer to
be discovered. Victims represented a wide range
of industries - 37% financial organizations, 24%
retailers and restaurants, 20% manufacturing,
transportation and utilities industries, and 20%
professional firms.
A cyber security mishap can happen to any business.
It can become a broker's worst nightmare to receive
a client's report of an uninsured cyber event. This
predicament can be avoided by offering cyber
security insurance to each and every client. The time
for a vaccination is before the virus strikes, not after.
And remember, no one's immune!

APRIL 2018
http://WWW.IBAO.ORG
Table of Contents for the Digital Edition of The Ontario Broker - April 2018
