Bring in the Feds to deal with cyber, says Zurich Canada
Someday, someone will do one of those “fun” documentaries on how the news and movies and pop culture put cyber as a prefix to everything and reveled in their Neuromancer coolness and just how damn quaint all that naive chatter was.
Only today, cyber is not sexy, it’s not cool, it’s an extraordinary hassle that means you got to keep switching your password every 90 days, because if you don’t, kiss goodbye to oodles of data that can wind up vacuumed out of your servers.
Last month, we learned you could actually hack J.P. Morgan and Dow Jones. (And no, it wasn’t some “mischievous” teenager pulling a prank or Anonymous, it was the mob. That’s right—the mob, as in mafia. As in your leg-breaking, Scorsese-filmable, nasty yet innovative gangsters scattered across a dozen countries, led by an Israeli “digital don.”) On Remembrance Day, The Telegraph in the UK reported that British broadband operator TalkTalk will likely have to fork out $53 million to clean up the mess left by hackers breaking into its systems in October (the BBC mentioned, with its usual quiet understatement, that if you were an outraged customer, well, too bad, because the contracts for mobile and other services often locked you in for two years, so good luck trying to escape without getting hit with a penalty cost).
Oh, and if all these developments feel too distant, Statistics Canada has already informed us that six percent of Canadian businesses had a security breach in 2013. (Note the year, ahem—it’s about to become significant.)
Everyone agrees cyber threats are a problem, but there doesn’t seem to be much momentum to do something about it, at least not piecemeal. But Zurich Canada CEO Patrick Lundy gets quite passionate when he talks about cyber, and even more interesting is the fact that he actually has new things to say. He doesn’t think, for example, “we’re educating Canadian consumers, companies, enough. Under public policy we spend a lot of time talking about data breaches and what does it mean for the general public, and that’s what public policy does in Canada.” Which is all well and good, but what about business? What about their massive exposures?
Lundy says Zurich reached out to the national ministries of finance, public safety and industry. “We made the first contact with the government on the premise of being able to go back and get a broader industry perspective to coming to work with them. First wanting to work… and then agree that yep, there’s something here for us to partner on.” The answer back, he says, was positive, but this was before the federal election. “So I think we’d look to rekindle discussions with them as we get into 2016. But my point in the meetings with them was to say, ‘Hey look, a lot of Canadian companies are exposed, there are a lot of Canadian companies here that either don’t have the resources, have the awareness or understanding of what the depth of their exposures look like.’”
Lundy argues that carriers are offering a broader range of protections to privacy and security, but the industry as a whole needs to have more Canadian-centric data on breaches—what kind, their size, their frequency and other details. “Right now we speculate on a lot of these. We’re starting to get peripheral data, but I even stated to you numbers from 2013. That’s not real time.” The industry, he points out, has been forced to make assumptions for 2014 and 2015.
“We have our own proprietary data, but that’s a small subset, right? We really need to go to government and say, ‘You’ve got all this information that you’re collecting by virtue of the privacy commissioner’s office, and saying companies need to report this. We don’t want to know the name of the companies. But we need that information. That information could be very helpful to us. Let’s put a partnership together. And by the way, government, we’re in here today talking to you on our perception of what these liabilities are.’”
Since 2010, in fact, Zurich Canada has seen requests increase by 50 percent year over year for cyber liability coverage. You would think then that such an initiative for prevention would be a no-brainer, given there are precedents. In April, for example, Top Broker told you about CANATICS’ analytics tool that relies on pooled industry data to help prevent auto fraud. And Lundy is quite clear that he doesn’t see this initiative as company-centric. The next step, he says, is to enlist other carriers and bring them into the conversation through the recognized trade associations in the industry. But Lundy is coy when it comes to naming which companies he’s approached so far or even the industry groups he has in mind.
Asked on a grey-sky Friday afternoon to weigh in on the idea, IBAO president Michael Brattman says he’d need to know more information about such an initiative, but “if it makes sense to be at the table, we definitely want to do that.” He sees education as the foremost priority for any industry initiative that would partner with government. And when it comes to the issue of learning about breaches, Brattman notes that brokers have to rely on what they learn from either the media or the carriers, but he’s inclined to think Lundy is accurate and most of the information is coming out of the U.S.
Greg Markell, the broker who runs HUB International’s cyber practice, echoes Lundy’s call for transparency and information sharing, and he wants to see proactive measures taken, such as discussing the importance of testing networks. “There are a few organizations that are working on some pre-breach measures to actually help businesses, to make them aware of what vulnerabilities they might have; which I think is going a long way, and it’s showing the end-clients that the insurers are willing to spend money to help them from a risk management perspective.”
Markell emphasizes that there’s still a need to develop and promote a cyber security and privacy culture among employees “because half of the time when these incidents occur, it is as a result of human error. It’s not that your IT system is faulty or designed improperly or anything like that. It’s just regular human error: people losing laptops, sending things to people they shouldn’t, just small items like that.”
As we noted in our last issue, an expert at this year’s RIMS pointed out how the “built to last” thinking in vogue right now is completely at odds with the crazy, frenetic pace of breaches and threats. So I put this to Greg Markell, asking why we still have this mentality.
He took a deep thoughtful breath and replied, “I think it’s something that’s evolving so quickly. Because everything is changing every day, so too does the level of understanding—it has to. Quantifying exactly where a threat or where something is going to come from, you just can’t do it, because it could come from anywhere. Again, it could be your own employees, it could be someone sitting halfway across the world, it could be government-based. There are so many different factors based on the industry that you’re in that could potentially lead to it. So in terms of predictive analytics, we just don’t have the data…”
The retail and health care sectors have fairly easy and obvious exposures, says Markell, “but for everything else, who knows where it could come from? And I think that’s part of the difficulty—people have a difficult time understanding that, even though their business may not be targeted, they can still have these types of losses and these issues.”
“We need to find a resilient way to handle this,” says Lundy. “Technology… is an area of risk and reward. There’s opportunity, but… there are a lot of challenges to associate to it if we don’t do it right.”
Copyright 2015 Rogers Publishing Ltd. This article first appeared in the December 2015 edition of Canadian Insurance Top Broker magazine