Companies large and small have to start taking cybercrime seriously and see it as a dangerous, pernicious crime that can potentially cost them tens of millions of dollars and ruin the reputation of their firm, warned the vice president of cybersolution of Aon.
“We have to stop thinking about [cybercrime] as a kid in a hoodie or a small group of hackers. It is a multi-trillion dollar industry,” Bryan Hurd told a recent webinar. “It’s a global ecosystem of evil with hundreds of thousands of people in thousands of evil organizations targeting every strata of business. There is no too-small-not-to-be-targeted group because it’s a small group of criminals that just walk along the internet jiggling door handles like cars in a parking lot, specifically for small clients.”
There’s no doubt there is also an elite level of international hackers who aim for the biggest companies, banks or insurers. Basically, said Hurd, there’s a hacker for every size business out there.
While money can be a big deal when it comes to cybercrime, reputation is just as important, he said. Hackers who can get into a company’s computer systems can get information about a supplier or partner who may also get tied up in a cybercrime.
“It’s not so much about the technology they use – it’s about the trust inside your organization,” said Hurd. Well-meaning employees can be unwittingly tricked into doing something egregious and then be scared to call their boss to double check.
Hurd said every company needs to have a plan it will follow in case of a ransomware attack, including the name and number of an incident response company and a list of colleagues and executives, even clients and regulators, whom an employee can reach if they believe their firm is being hacked.
When it comes to ransomware, there is usually a two-stage plan by hackers: first, they try to gain the decryption solution that will give them the keys to a company’s data and then they will publish information they stole and resell the data. Hurd said sometimes hackers hold on to the data for a few months and then sell it on the black market.
Hurd said he has worked on cases in Canada and the U.S. that can cost companies anywhere from $5 million to $20 million.
Recently, the Insurance Bureau of Canada (IBC) released a survey indicating that more than 40 per cent of small businesses have suffered cyberattacks. Insurers paid out more than $106 million in cyber liability claims in just the first half of this year, mostly dealing with ransomware. But almost half of Canadian small businesses do not include cyber security in their operating budgets.
But it’s not that easy to get cyber insurance placed in a policy, said Brian Rosenbaum, Aon’s senior vice president, National Claims Director.
At one time, property policies, for example, were largely silent on what the catalyst was for property damage or business interruption, such as a fire, flood or a cyber crime, said Rosenbaum.
But then, he said, the insurance industry mandated the use of cyber exclusions on most policies. After that, insurers started to underwrite some specific cyber risks.
The insurance industry is constantly changing to try to catch up to some ever-changing cyber rules. How a company covers cybercrime can be extremely complicated because there are a number of policies that come into play.
“You couldn’t get that coverage back into your policy if you weren’t a good risk and if you did, it would usually be limited” and the client would have to pay significantly more premiums, said Rosenbaum.
Possibility of co-insurance
Some insurers will talk about the possibility of co-insurance when it comes to cybercrime, said Catherine Roe, Aon’s senior vice president and Regional Director of Ontario. Other insurers will put restrictions in place.
Roe said insurers are trying to figure out a way that they can partner with companies on cyber risk while still maintaining a level of profitability, but added that she doesn’t think there will be an industry-wide solution for some time to come.