Cyber Risks: A Legal Perspective
By Brijanand Goberdhan FCIP ACII Dip.Ins.(TT)
Brijanand Goberdhan is a former underwriter, broker, and trainer who is now an instructor and author of insurance courses. He lives in Brampton, Ontario. brijgoberdhan@rogers.com
1 Technical Credit for Level 1, 2, and 3 General Insurance Agents and Salespersons.
To qualify for CE credit…
– Read the entire article carefully, including all its sections and content labelled ‘Mandatory’.
– Select the ‘Mark Complete’ button at the end of each section to track your progress.
– Successfully challenge the quiz to demonstrate your learning.
– Select the ‘Completion Certificate’ link to save and download your personalized completion certificate.
Please Note: CE credits from this HyperArticle™ can only be used once towards your CE requirements every three licence periods. For further information on CE regulations, please refer to the Insurance Council of BC’s website.
Overview
This HyperArticle™ traces the evolution of “cyber” from its cybernetics origins to today’s cyber risks. You’ll learn about the growth of the cybersecurity insurance market, the types of cyber-liability coverage (first-party and third-party), and critical policy exclusions like war, inadequate security, and third-party providers. Understanding these concepts, along with evolving legal interpretations of cyber events, is important for providing comprehensive advice and appropriate coverage to clients facing increasing cyber threats.
DISCLAIMER:
By accessing or using these materials you accept the following terms and conditions. The content in this course is provided for general information purposes only and does not constitute legal or other professional advice or an opinion of any kind. Users of these materials should seek appropriate, qualified professional advice before acting or omitting to act based upon any information provided on or through these materials. The author does not warrant or guarantee the quality, accuracy or completeness of any information in this course. The author does not accept any liability for your use of these materials. Your use of these materials is at your own risk. The author will not under any circumstances be liable to you or any other person for any loss or damage arising from, connected with, or relating to the use of these materials by you or any other person. Given the dynamic nature of the materials referred to, this course content and information may be subject to change and to different interpretations, and the user should be guided accordingly. The author does not assume the obligation to revise or update any information, content or statement that may be contained in this course or to revise them to reflect the occurrence of any future events or otherwise. The course may include links to other third-party sites or resources and businesses operated by other persons (collectively, “Other Sites”). Other Sites are independent from the author, and the author has no responsibility or liability for or control over Other Sites, their business, goods, services, or content. Your use of Other Sites and your dealings with the owners or operators of Other Sites is at your own risk.
This HyperArticle™ also appears in BC Broker magazine.
Optional - Supplemental Materials
Key Definitions
From https://cyber.gc.ca/en/glossary:
Cyberattack – The use of electronic means to interrupt, manipulate, destroy, or gain unauthorized access to a computer system, network, or device.
Cyber incident – Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete, or render unavailable any computer network or system resource.
Cybersecurity – The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage, or unauthorized access so as to ensure confidentiality, integrity and availability.
Cyber threat – A threat actor, using the internet, who takes advantage of a known vulnerability in a product for the purposes of exploiting a network and the information the network carries.
Residual risk – The likelihood and impact of a threat that remains after security controls are implemented.
Residual risk assessment – An assessment, which is performed at the end of the system development life cycle, to determine the remaining likelihood and impact of a threat.
Legal and Operational Ramifications of Cyber Risks
Liability for costs incurred by customers and other third parties. Where customer data is breached or compromised, severe liability costs may arise, as in privacy breach cases.
System recovery costs relating to the need to repair or replace computer systems or lost data following damage or compromise of websites, programs, or electronic data. This cover, in particular, is evolving as cyberattacks take different forms, create various loss scenarios and push the limits of policy wordings. The U.S. case National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company (filed 2018; decided by the U.S. District Court for the District of Maryland in January 2020)[1] is a classic example. After a ransomware attack the insured’s computers still ran, but slowly and with lost software and functionality. The insurer argued that because the computers were still functioning there had been no physical loss or damage. The court decided for the insured: the slowed and impaired state of the system did constitute loss of or damage to the computer system, and the insurer had to pay to replace it.
Business interruption costs such as loss of income, including where caused by damage to your reputation.
Notification expenses in cases where customers must be notified and kept updated (even if a breach is only suspected).
Regulatory fines, along with the cost of investigations, may be levied for failure to reasonably protect consumer data, even in the absence of specific compliance requirements. Class-action lawsuits follow readily once lawyers get involved. Identity theft affecting the individuals whose data was exposed.
Ransomware or cyber extortion – In addition to the ransom costs, a risk consultancy firm may be retained to manage the situation.
Breach costs – In the event of a data breach (electronic or otherwise), costs include forensic investigations, legal advice, notifying customers or regulators, and offering support such as credit monitoring to affected customers.
Crisis containment costs – Where there may be reputation damage or loss, expert assistance to mitigate could be critical. This may include public relations counsel to oversee the recovery of reputation.
Multimedia liability – for example, unintentionally infringing someone’s copyright by using a picture online without permission, or accidentally libelling a third party in an electronic communication.
Operator or user error, administrative error, software bugs, and failure to upgrade or patch software can all trigger these losses without any attacker being involved.
Cyber Risks and the Principle of Risk Management
When cyber liability cover first came to market in the 1990s, understandably there were those who labelled it over-hyped and a money grab. Not so today: it is now one of the most requested types of insurance coverage in an increasingly electronic and digital market. In fact, many procurement departments now require vendors and affiliated companies to carry cyber liability cover as part of their own efforts to secure their operations and manage their exposures. Further, many small businesses may not think they need this cover, and yet they are the very ones who may not be able to withstand an intrusion, even by a small-time hacker or a teenager just trying out their skills.
While insurance forms part of most risk management plans, the risks and exposures relating to cyber liability are unique. Unlike a property loss, the fallout may not allow for simple rebuilding: the loss and damage could ruin a company in ways that prevent or significantly restrict any meaningful and substantial recovery.
This is why cyber liability control mechanisms must work within the principle of constant mitigation. Brokers must work step by step with their clients to ensure there is a mutual exchange of information and intelligence, so that every potential for loss is addressed effectively and in a timely manner. Even trusted software is not immune. OpenSSL, the open-source cryptographic library that secures much of the internet’s encrypted (TLS) traffic, was relied upon for years until the 2014 Heartbleed bug (CVE-2014-0160) showed that a memory-handling flaw in its heartbeat extension let attackers read secrets, including private keys, from affected servers. The encryption itself was sound; the lesson is that even well-regarded software needs prompt patching when a flaw is found.
Proactive Measures to Reduce, Mitigate and/or Possibly Prevent Cyber Liability Risks from Manifesting
- Implement a program of constant maintenance and updating of security software and hardware. For example, ask the insured whether they perform penetration tests to assess current vulnerabilities in both systems and procedures, and whether they have a consistent patch management process so that fixes are applied promptly and effectively.
- Hire a properly researched IT security services vendor and review their performance regularly.
- Adapt operations to incorporate cloud computing services where appropriate, after reviewing the provider’s security controls and the contractual division of responsibility for protecting data (the client remains responsible for its own data, accounts, and access settings).
- Rigorously implement and enforce a data privacy policy, including publicly posting its details so that they are conspicuous to all parties.
- Regularly back up data to a secure offsite location.
- Review the need for and extent of encryption.
- Conduct a complete audit to identify all points of access to confidential information, whether on internal systems or portable devices, and maintain strict guidelines on the use of portable devices.
- Ensure that there is a detailed and easily executable business continuity plan.
- Confirm that automated virus scans are performed regularly, that real-time network monitoring for intrusions or abnormalities is in place, and that multi-factor authentication is in use.
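As an added illustration of what a consistent patch management process should be able to produce on demand, the Python below compares a host inventory against a list of advisories and reports every install that is still below the first fixed version. This is not code from the article: the inventory and the “acme-agent” advisory are constructed, and version strings are assumed to be dotted numbers with an optional trailing letter (the form OpenSSL 1.0.x used, so that 1.0.1f sorts before 1.0.1g). It goes beyond the bullet above in that it handles any package, not just one product.

```python
"""Patch-management check: which installs are still below the fixed version?

Added example, not code from the article. The host inventory and the
'acme-agent' advisory are constructed; the OpenSSL Heartbleed range
(1.0.1 up to but not including 1.0.1g) is the real one.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Dotted numeric version with an optional trailing letter, e.g. 1.0.1f or 3.0.12.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """'1.0.1f' -> ((1, 0, 1), 'f'); the tuple compares the way releases order.

    OpenSSL 1.0.x used letter suffixes (1.0.1f precedes 1.0.1g); a version
    with no letter gets '' which sorts before 'a', so 1.0.1 < 1.0.1a.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2) or ""


@dataclass(frozen=True)
class Advisory:
    package: str
    affected_from: str  # first affected release (inclusive)
    fixed_in: str       # first release carrying the fix
    reference: str


@dataclass(frozen=True)
class Installed:
    host: str
    package: str
    version: str


def is_affected(version: str, advisory: Advisory) -> bool:
    """True when affected_from <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(advisory.affected_from) <= v < parse_version(advisory.fixed_in)


def unpatched(inventory: List[Installed],
              advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return (host, package, version, reference) for every install still exposed."""
    by_package = {}
    for advisory in advisories:
        by_package.setdefault(advisory.package, []).append(advisory)
    findings = []
    for item in inventory:
        for advisory in by_package.get(item.package, []):
            if is_affected(item.version, advisory):
                findings.append((item.host, item.package, item.version, advisory.reference))
    return findings


ADVISORIES = [
    Advisory("openssl", "1.0.1", "1.0.1g", "CVE-2014-0160 (Heartbleed)"),
    Advisory("acme-agent", "2.4.0", "2.4.7", "vendor bulletin (constructed example)"),
]

# Constructed inventory, in the shape a patch-management tool might export.
INVENTORY = [
    Installed("web-01", "openssl", "1.0.1f"),   # last vulnerable Heartbleed release
    Installed("web-02", "openssl", "1.0.1g"),   # first fixed release
    Installed("db-01", "openssl", "1.0.0"),     # older branch, heartbeat code not present
    Installed("app-03", "openssl", "3.0.12"),
    Installed("app-03", "acme-agent", "2.4.3"),
    Installed("app-04", "acme-agent", "2.4.7"),
]


if __name__ == "__main__":
    for host, package, version, reference in unpatched(INVENTORY, ADVISORIES):
        print(f"{host}: {package} {version} needs patching ({reference})")
```

Run as is, it lists web-01 (OpenSSL 1.0.1f) and app-03 (acme-agent 2.4.3); the host on 1.0.1g and the one on the older 1.0.0 branch are correctly left alone. A broker asking “do you have patch management?” is really asking whether the client can produce this list, and how long the entries on it stay there.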
Further information to bear in mind:
- The use of http as opposed to https. Plain HTTP sends data in the clear, so anyone on the network path can read or alter it; HTTPS (Hypertext Transfer Protocol Secure) encrypts the connection with TLS and verifies the server’s identity through its certificate.
- Virtual Private Networks (VPNs) create a more secure connection from a private network across public networks by encrypting the traffic sent. Employees using free Wi-Fi (for example, in a public hotspot) without one is a cause for concern.
- Is your clients’ information encrypted from end to end?
- Does your client enforce two-step (multi-factor) authentication?
- Has your client addressed the risks of social engineering[2] with all staff, implemented protocols for responding to requests for sensitive data and money transfers, and put in place regular training and audits in this area? On Sept. 29, 2020, the Québec Superior Court in Future Electronics Inc. (Distribution) Pte Ltd. v. Chubb Insurance Company of Canada, 2020 QCCS 3042[3] ruled in favour of the insurer by upholding a sub-limit of $50,000 in a claim arising out of a social engineering fraud. Brokers should not overlook sub-limits or take them for granted as acceptable. It is critical that sub-limits be brought to the attention of the applicant or the insured, in the proper manner, so that the limit is understood and the consequences of not seeking a higher limit, where one is available, are explained. The actual claim was for $2.7 million, and the matter may not end there if the insured decides to pursue the broker to determine whether they may be liable in any way.
Key areas for brokers and clients to focus on:
- Audit and evaluate consistently and continuously the day-to-day operational working relationships with any entities outside the client’s immediate operations, keeping social engineering in mind. Social engineering involves detailed, well-planned and deliberate efforts by criminals who psychologically manipulate innocent, untrained or careless employees into providing sensitive information or allowing unfettered access to company systems. Their methods include phishing emails in which the attacker assumes a seemingly genuine identity or authority; telephone calls and in-person attempts also happen regularly. Educating the client is paramount to reducing this risk and cannot be overstated.
- Take advantage of employees with cybersecurity knowledge and experience.
- Notify the legal authorities and relevant parties (broker, insurer, insured and the insured’s clients) if an incident has occurred.
- Business interruption is a much overlooked and underserved portion of cyber loss protection. Brokers must understand how critical it is, at the very least, to present a proper analysis and coverage recommendation to their clients for consideration. If the client declines the broker’s recommendations, the broker, having performed due diligence, can show they did what was reasonably expected.
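The social engineering points above (the bullet on protocols for money-transfer requests, and the Future Electronics fraud where a sub-limit applied) come down to one question: what does the finance team do when an email asks it to send money somewhere new? As an added example, not from the article, the Python below screens an inbound message for the usual business-email-compromise indicators (a sender domain that imitates a trusted supplier, a Reply-To pointing elsewhere, and bank-change or urgency wording) and, separately from any suspicion, marks every bank-detail change for callback verification. The trusted supplier domains and the three sample messages are constructed.

```python
"""Screen an inbound payment-instruction email for social-engineering signs.

Added example, not code from the article. The trusted supplier domains and
the three sample messages are constructed.
"""
import email
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed: domains the insured's finance team legitimately deals with.
TRUSTED_DOMAINS = {"acme-components.example", "northwind-supply.example"}

BANK_CHANGE_PHRASES = ("new bank", "updated bank", "change of bank")
URGENCY_PHRASES = ("urgent", "immediately", "before end of day", "wire", "remittance")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'acme' vs 'acrne' is 2, close enough to look alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: Optional[str]) -> str:
    """'Jane <jane@acme.example>' -> 'acme.example'; '' when absent or malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain this one imitates (same name under another TLD, or a near-miss spelling)."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    label = domain.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(label, trusted.split(".")[0]) <= 2:
            return trusted
    return None


def screen(raw_message: str) -> Dict[str, object]:
    """Return the indicators found and whether the request needs out-of-band verification."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    payload = msg.get_payload(decode=True) or b""
    text = ((msg["Subject"] or "") + "\n" + payload.decode("utf-8", "replace")).lower()

    reasons: List[str] = []
    imitates = lookalike_of(from_domain)
    if imitates:
        reasons.append(f"sender domain {from_domain} resembles trusted {imitates}")
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    urgency = [p for p in URGENCY_PHRASES if p in text]
    if urgency and from_domain not in TRUSTED_DOMAINS:
        reasons.append("payment/urgency language from an untrusted sender: " + ", ".join(urgency))
    bank_change = [p for p in BANK_CHANGE_PHRASES if p in text]
    return {
        "from_domain": from_domain,
        "imitates": imitates,
        "reasons": reasons,
        "suspicious": bool(reasons),
        # Control: a bank-detail change is always verified by phoning a number
        # already on file, even from a trusted domain, because the supplier's
        # own mailbox may have been taken over.
        "verify_by_callback": bool(bank_change),
    }


# Constructed sample messages.
FRAUD_MESSAGE = """From: Accounts Payable <ap@acrne-components.example>
Reply-To: ap.acme@webmail-host.example
To: finance@insured.example
Subject: Updated bank details - urgent

Please note our new bank account for all future remittances. Kindly process
the outstanding wire immediately, before end of day.
"""

LEGIT_MESSAGE = """From: Orders <orders@acme-components.example>
To: finance@insured.example
Subject: Invoice 4471

Attached is invoice 4471 for the March shipment. Payment terms are net 30.
"""

TAKEOVER_MESSAGE = """From: Orders <orders@acme-components.example>
To: finance@insured.example
Subject: Change of bank

We have a change of bank effective today; please send all payments to the
new bank details attached.
"""

if __name__ == "__main__":
    for name, raw in (("fraud", FRAUD_MESSAGE), ("legit", LEGIT_MESSAGE), ("takeover", TAKEOVER_MESSAGE)):
        print(name, screen(raw))
```

The third sample is the case worth noticing: it comes from the genuine supplier domain and trips no indicator, so a filter alone would pass it, yet it still asks for money to go to a new account. The callback-on-any-bank-change rule is what catches a compromised supplier mailbox, and it is the kind of documented procedure a broker can ask the client to show.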
Best Practice for Brokers in Embracing Cyber Risks
What do you recommend? By now you should realize that this is an unusual risk to address, for several reasons:
- Cyber risk is relatively new in the insurance world. Many are still coming to terms with what ransomware is.
- It is growing at a disturbing and alarming rate.
- It will call for due diligence, in-depth analysis, continuous collaboration, and communication with your clients to ensure that you, as the broker, are in sync with their operations and ready to respond.
- More than most other risks, cyber liability requires the broker to keep it at the top of their activities in this realm. Vigilance is also critical. Brokers must be aware of what types of breaches or attacks occur, the vulnerabilities that exposed companies, and equally as important.
Further Reading & Resources
Provincial:
- Business guidance for developing a privacy policy:
https://www2.gov.bc.ca/gov/content/employment-business/business/managing-a-business/protect-personal-information/develop-policy
- B.C. Office of the Information & Privacy Commissioner:
https://www.oipc.bc.ca/
Federal:
- Canadian Centre for Cyber Security:
https://www.cyber.gc.ca/en
- Office of the Privacy Commissioner of Canada:
https://www.priv.gc.ca/en
- Canada’s Anti-Spam Legislation:
https://www.fightspam.gc.ca
- OSFI Technology and Cyber Risk Management:
https://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/b13.aspx
- Centre for Study of Insurance Operations:
https://csio.com/
Other:
- Canada: Privacy Law Overview:
https://www.stikeman.com/en-ca/kh/canadian-technology-ip-law/privacy-and-data-protection-in-canada-a-concise-legal-overview
- IBABC:
https://www.ibabc.org
- The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet: https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet
[1] https://www.mondaq.com/canada/white-collar-crime-anti-corruption-fraud/1000210/case-summary-national-ink-stitch-llc-v-state-auto-property-casualty-insurance-company
[2] Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Scammers lure unsuspecting users into exposing data, spreading malware infections, or giving access to restricted systems.
