The definition of a Cyber Crime can vary depending on the context. A simple and broad definition might be any illegal activity involving the use of a computer, network or the internet. Almost every person, company or government who is connected to the internet is vulnerable to some sort of Cyber Crime. Cyber Crime knows no boundaries and is not specific to race, colour, country or size of target. It is truly a global concern that unfortunately has very little regulatory control.

History

As the interweb (as it is affectionately known) grows exponentially every year, we become more and more reliant on it in our personal and professional lives. It is constantly evolving and moving forward, and the possibilities for its growth are boundless. What would you have said 5 years ago if someone told you that you would soon be able to turn on the washing machine in your home from halfway around the world? We never would have believed it, but today it is a reality.

With the internet tying more and more mobile computers, social networks and cloud based systems together there is an enormous amount of centralized information that can be accessed with anonymity making it very tempting for those who are criminally inclined. Years ago, when cyber criminals (hackers) first started breaking into computer systems, they did so for personal accomplishment and recognition from their peers but, over time, that has changed and we now see hackers applying their trade with political, environmental, monetary or publicity motives.

With the internet tying more and more mobile computers, social networks and cloud based systems together there is an enormolls amount of centralized information that can be accessed with anonymity making it very tempting for those whoare criminally inclined.

Over the past 6 months it has been difficult to pick up a magazine or newspaper without seeing an article on cyber this or cyber that Last year we saw high profile companies being infiltrated such as Sony, Target, Home Depot, JP. Morgan as well as countless others. However, this is not just a US problem. In Canada we experienced the Heartbleed virus that infected the CRA websites at tax time as well as attacks on The National Research Council of Canada, Bell Canada and numerous lower profile companies.

Not surprisingly, 2013 was the worst year for data breach with, according to Data Breach Toady, 740 million files viewed or stolen around the world. It would not be surprising to see that figure having doubled for 2014. In Canada alone, it is estimated that, at any given time there are more than 50 ongoing cyber attacks. One report said that the annual global cost of cyber crime was expected to exceed 400 billion in 2014, which is a conservative estimate given that most companies are reluctant and not legally required, to report their breaches. It is just as difficult to predict what the numbers will look like for 2015 but consider that, in a prelude to the Interpol world 2015 conference cyber crime is referred to as a form of crime with a global cost greater than that of trafficking in marijuana, heroin and cocaine combined with an estimated one cybercrime victim in every three Internet users.

Attacks

More and more cyber professionals are concluding that when it comes to cyber crime there are two types of companies, those who have been hacked and those that don’t yet know they have been hacked. It is not whether or not it this is going to happen but when it will happen.

More and more cyber professionals are concluding that when it comes to cyber crime there are two types of companies, those who have been hacked and those that don’t yet know they have been hacked. It is not whether or not it this is going to happen but when it will happen.

So what does one of these attacks or hacks look like? Well, because there are so many ways a cyber attack can be executed painting an ideal picture of the crime is difficult. Some are more common than others but countless techniques are being developed on a daily basis, making defining and identifying cyber crime challenging. The following list represents some of the more common types of cyber attacks:

  • Denial of Service (005) or Distributed Denial of Service (DDos): this makes a computer or site unavailable for its intended use
  •  Software and Information Piracy: theft of copyright material
  • Cyber Extortion: holding a company ransom through DoS or the threat of release of confidential information
  • Phishing: disguising an email as coming from a known source in order to obtain sensitive data
  • Spoofing: misleading people to enter personal information onto a false website
  • Identity Theft: obtaining personal information to open new accounts or services in the name of the victim
  • Customer Data Theft: obtaining sensitive customer data for financial gain

The most common breaches happen in the simplest ways, a lost or stolen laptop, a misplaced memory stick, or a back up drive that goes missing. But when a sophisticated attack takes place it might not be immediately evident and can lie dormant for some time in the targeted system remaining unnoticed until well after the breach has run its course and the information has been copied and/or removed.

These unnoticed breaches can cause direct financial loss through fraud, indirect financial loss such as business interruption, or the loss of intellectual property. By far the biggest loss to a large company who fall victim to a breach is a damaged reputation and consumer confidence.

Prevention

So how can you protect yourself and your company? The best thing you can do is to be diligent and be aware. Pay attention to your tools by testing your equipment, frequently monitoring antivirus software and update it regularly, and putting procedures in place in the event of a loss. Additionally, set up human safeguards by educating and training employees on the latest breaches and attacks, changing passwords frequently, conducting a risk analysis to determine your susceptibility and if possible transfer some of that risk by purchasing an insurance product (coverage) suitable for your needs.

The current trend in the cyber community is to focus more on detection and containment rather than prevention as prevention is virtually impossible. As fast as protective systems are set in place they are already hacked. A detection and containment program might identify the intrusion and allow the hacker access but then isolate the intrusion so that the attacker thinks he is attacking the company when in fact it might be in a virtual machine being studied and observed by security experts.

Insurance Involvement

The insurance industry for cyber insurance products, especially when it comes to Canada, is in its infancy stage.

At the Provincial level, Alberta and Manitoba are the only provinces to have introduced privacy legislation which require notification of breaches to affected individuals. Federally, under PIPEDA there is no current mandatory requirement to report a breach to affected individuals. Bill 5- 4, the Digital Privacy Act, will mark the first Federal law requiring mandatory data breach reporting. The Bill will also allow the privacy commissioner to fine or penalize organizations that do not comply. It is speculated that the demand for cyber insurance has not met projected expectations because there is no mandatory provision of reporting in Canada, however once Bill 5-4 is passed this will likely change making cyber insurance a necessary staple for companies.

Another issue that has slowed down the progress of cyber insurance is the high degree of complexity involved in cyber claims. As a result, the development of a suitable one-size fits all insurance product has been slow making product delivery challenging. Moreover, the lack of historical data available to insurers makes building an accurate picture of the exposure difficult. These roadblocks have held the insurance industry back from developing a product that addresses the current and real threat of cyber crime.

The current trend in the cyber community is to focus more on detection and containment rather than prevention as prevention is virtually impossible, As fast as protective systems are set in place they are already hacked

That said, the industry is making efforts to try to satisfy the demand to protect against cyber attacks.  Some insurers have offered add on endorsements or clauses to existing policies which provide very narrow coverage will require claims experts with the capacity to handle the inherent complexity of cyber liability calling for a designated field of cyber insurance.

To better understand what an insurer would face in providing stand alone cyber coverage let’s look at what might be involved in a simple cyber breach.

  • An IT forensic investigation to identify the intrusion and take corrective measures to isolate the intrusion.
  • Corrective measures to repair any damage to systems caused by breach.
  • Restoring the affected data
  • Notification to third parties effected by breach (customers, vendors, suppliers)
  • Maintenance of business continuity and determining business interruption
  • Crisis management – assuring customers of corrective measures and verification of what information was stolen.
  • Monitoring customer’s credit ratings for cause and effect
  • Retaining legal services to assist with law suits (possibly class action)

Because of the broad nature of cyber crime, the policy demands flexible wording and coverage. Without a better understanding of what cyber crime entails, the industry will continue to face wording and coverage challenges.

There are at least four insurers in Canada that are presently offering stand alone cyber policies and a good deal more are developing policies for cyber coverage. Some of the coverage included in the present policies involves data restoration, notification assistance, credit monitoring, crisis management, forensic accounting, legal services, and business interruption not caused by any physical damage. These early policies demonstrate the challenge of protection against cyber crime. Because of the broad nature of cyber crime, the policy demands flexible wording and coverage. Without a better understanding of what cyber crime entails, the industry will continue to face wording and coverage challenges.

Conclusion

Developing and offering cyber insurance is a work in progress. As high profile cases continue to raise awareness, business will likely feel the need to tackle the subject of cyber crime as a strategic issue because of the potentially serious consequences for business reputation and continuity. This will fuel the development of commercial cyber insurance policies. Legislative bodies will have no alternative but to introduce laws that will address the issue and consequently, insurance companies will play a large role in providing protection against these intrusions. We are at the beginning stages of an entirely new line of insurance for a cyber world that is constantly evolving. These are interesting times

Clive Wayne, CIP, CRM is the principle at CW Claims & Risk Inc., specializing in a diverse range of claims with a strong knowledge of cyber related investigation.