Firms globally are embracing innovative technologies for a variety of reasons. For some, the motivation is cost savings from pushing their workload to a cloud service provider, embracing back-office automation or re-engineering business processes. For others, the motivation is the desire for increased speed, efficiency and accelerated growth through machine learning, unified communications and the Internet of Things.
No matter the motivation, these technological advances are changing the face of enterprise, allowing more data to flow between locations, workers, and devices faster than ever before.
But innovations like these come at a cost. When an enterprise spreads outside the traditional confines of a physical workplace, to meet staff and customers wherever they may be, its data is less secure. As third-party platforms, applications and devices proliferate and connect, they present the cyber-criminal with an ever-growing ‘attack surface’ that is almost impossible to patrol.
Yet, just as enterprise data is more broadly distributed, criminals are proving that their drive to innovate matches or exceeds that of many legitimate businesses. Indeed, hackers are currently operating at a more advanced technical and experimental level than companies and governments can possibly defend against.
The recent explosion in ransomware is a case in point.
Ransomware is a type of malware (malicious software) that either denies access to an organization’s or person’s data, or threatens to make it public, unless a ransom is paid. It has been with us for a surprisingly long time – since 1989 or earlier – but its use has grown exponentially in recent times. While accounts vary, one source suggests that a company somewhere gets hit with ransomware every 40 seconds, up from every 2 minutes in Q1 2016.
And that is only half of the story. The criminals behind this malware are using highly sophisticated techniques to manipulate employees into giving them access to a company’s systems so that they can install the malware. This use of email to trick employees into sharing sensitive information is known as a ‘phishing’ attack.
Detecting and resolving a cyber breach requires malware reverse engineering expertise. As a consequence, even companies with large IT departments are unlikely to have the expertise required to remediate an organization’s systems following a ransomware attack. With the very latest ransomware, the use of cryptography is so state-of-the-art that it can be nearly impossible to recover data unless support is provided by the hacker who installed it.
The Data Breach Investigations Report (DBIR) published by Verizon states that phishing was used in more than 90% of the 42,000 security incidents it studied, which included 2,000 confirmed breaches across 84 countries.
From receptionists to CEOs, employees receive emails every day that look and sound genuine – but in reality are phishing attempts. A quick click on an apparently benign link or attachment connects a victim’s computer to the malware, which then spreads to other computers. In a matter of minutes, an entire organization can be locked out of its data.
Most enterprises have only a limited budget to spend on fortifying their networks and protecting their data. In the face of cyber-criminals who can spend 100% of their funds on hacking your network, it is far from a fair fight.
Regardless of the budget, with employee errors and omissions being a contributing factor in many cyber breaches, organizations need to accept the new reality that it is no longer a question of ‘if’ but ‘how often’ your systems and network will be breached. A recent Accenture survey found that among 2,000 security officers, representing large corporations around the world, one in three had experienced a targeted attack that was successful.
The consequences of a cyber breach can be devastating and no industry is immune to the threat. During 2016 and 2017, there were confirmed attacks on power companies, nuclear power plants, banks, military contractors, broadcasters, pharmaceutical firms, manufacturers, logistics companies, airlines as well as retailers. The Net Diligence 2017 Cyber Claims Study found that companies with revenues greater than USD $2B suffered an average breach cost of $3.2M. While the numbers can be shocking, what is more critical to realize is that, in Canada, impacted clients can bring a class action lawsuit, even where there is “no evidence that a Class Member absorbed a fraudulent charge.”
The fallout from the cyber-threat has moved beyond balance sheets. It now affects senior executives directly – their jobs, their reputations, and the reputations of their businesses.
As Equifax, one of the world’s largest consumer credit agencies, reeled from a 2017 cyber-attack that compromised data held on 143 million Americans and 19,000 Canadians, it lost board member after board member. In September last year, its CEO retired from his post, following in the footsteps of the company’s CIO and CSO.
At the beginning of 2018, the company reported that costs related to the breach would reach nearly half a billion dollars by the end of 2018 – making it the most expensive reported attack in history.
For publicly traded corporations, cyber security is now a board issue, a risk they have a fiduciary duty to understand and manage. For board members, a cyber incident or privacy breach could prompt shareholder lawsuits over security failures, declines in a company’s stock price, and allegations of management negligence.
New risks are emerging too. Company directors and officers are now entering the relatively uncharted territory of personal liability if they don’t comply with new regulations.
“Regulatory compliance regimes around the world are quickly catching up with the threat. Compliance at senior management level is absolutely critical,” says Angela Feudo, Cyber Underwriter at QBE Canada. The General Data Protection Regulation (GDPR) is an EU regulation that comes into force in May 2018. It is the most stringent privacy regulation of any region to date. To ensure compliance, many multinational companies are modifying their procedures not just for Europe but for their operations globally.
Closer to home, amendments are being made to Canada’s federal privacy law for private-sector organizations, PIPEDA. This is the act that regulates the collection, use or disclosure of an individual's personal information by an enterprise. Following changes which take effect on November 1, 2018 (S-4: Digital Privacy Act), businesses will be mandated to document every breach, no matter how trivial. Furthermore, where there is a ‘real risk of significant harm’, they will need to give notice to affected individuals and to the Office of the Privacy Commissioner of Canada ‘as soon as feasible’. Knowing violations of the new breach notification or breach record-keeping requirements could result in: (a) an offence punishable on summary conviction and a $10,000 fine; or (b) an indictable offence and a fine not exceeding $100,000. On a per-breach basis, this is a manageable business risk; however, at this time, it is not clear whether these fines could be levied in respect of each individual affected by a breach. Generally, and not surprisingly, the new requirements are expected to lead to increased litigation activity, more class action claims, and a greater number of regulatory investigations in Canada.
Given the speed with which criminals are changing the cyber security landscape, what should an enterprise do to respond? Companies have traditionally expended the majority of their efforts on defensive technology – focusing on the firewalls, anti-virus software, intrusion detection and malware detonation sandboxes that protect devices and networks.
Instead, board members, risk managers and the IT security community need to adopt a more holistic approach.
QBE is a leader in cyber-risk underwriting and claims resolution, with the capability to support organizations around the globe. As no two firms have the same cyber-risk, QBE’s approach goes beyond providing a payment for insured losses – purchase of a policy also provides access to immediate support from some of the world’s most experienced cyber-security, legal and public relations companies. It is this crisis response that matters most to board members and IT security teams on ‘day zero’.
“Our crisis solution is available 24 hours, seven days a week, 365 days a year,” says Feudo. “It doesn’t matter if it is a Friday night or at 2am – there will be an expert at the other end of the line, ready to gather the resources necessary to respond and mitigate the effects of a breach.”
Following the purchase of a cyber policy from QBE, IT forensic teams are available to work with you to establish the cause and extent of the cyber breach or cyber extortion threat. They can assess your network security and recommend improvements. If your systems remain vulnerable, they can, where necessary, store data at a third-party host location.
Legal specialists can assess whether the compromise puts you in breach of a data protection law. If so, they will help you notify regulators and the affected individuals, as well as supporting you as you respond to any regulatory investigation.
Crisis communications can be as important a shield as any other in blunting the effects of an attack. With QBE’s Cyber Insurance, you have access to crisis communication specialists, whose work helps to mitigate damage to your brand and also ensures you’re meeting the notification requirements set out by regulators.
“Some of our customers will have capabilities in-house to address a cyber breach or they’ll have existing relations with skilled outsourced agencies,” says Feudo. “But most organizations can benefit from outside support to make sure the right decisions are quickly being made once a breach has been detected. For this reason, we bring together some of the most experienced companies in the world to help businesses when they need it most.”
These companies include the law firms Fasken Martineau, Hicks Morley and Miller Thomson; IT forensics services from Deloitte, Mandiant and Kivu Consulting; credit and identity theft monitoring from Equifax and idAlerts Canada; post-incident notification by Equifax and NPC Immersion Data Breach Response; and the crisis communications specialists Fleishman Hillard.
“The most important thing is that we are able to offer help when and where our customers need it. Even if your business only operates in Canada, if your data includes a resident of another country and that data is breached, you now have to meet the legal requirements of the country where that individual resides. With QBE’s Cyber Insurance vendor team, if your breach impacts a resident of the US, the E.U. or any other country, our partners are able to help remediate the breach and meet the regulatory requirements of all impacted territories.”
Support following a breach is a key value of purchasing cyber insurance. This is core to QBE’s cyber offering, but the support QBE can provide goes beyond this. QBE’s vendor group has knowledge and experience of every kind of breach or incident a business might suffer or be exposed to.
In an area of risk that is relatively new but quickly evolving, this experience and knowledge is what customers should be demanding of their insurers, so that they can be proactive in mitigating their own risks.
“The reality is that businesses and criminals are in an arms race, and regulatory regimes are becoming more strict. Investigating cyber-insurance is no longer enough. It is time to act.”