
Preparing for the Cyber Insurance Challenges Ahead
Cyber criminals are stalking Canadian local governments. A few years ago, this trend was concentrated in the east. Since then, cyber attack activity has migrated west. In 2020, criminals misappropriated $700,000 in funds from Prince George by diverting monies intended for City contractors. In 2021, the Resort Municipality of Whistler (RMOW) was the victim of a ransomware attack. While the RMOW did not make any payment or engage in dialogue with the cybercriminals, it was a lot of work to restore services and rebuild their network and systems.
Cyber criminals favour local governments, as they perceive weakness in their cyber defences compared to other targets. Moreover, cyber criminals believe that cities and towns may be more willing to pay ransoms than other organizations because of the amount of personal information they hold. Personal information is a broad category that includes employee records, property tax information, incident reports and similar forms of information.
To combat this threat, local governments have taken a multi-faceted approach to mitigating their cyber risks. These defences include strengthening their IT security and employee education. As not all attacks are preventable, robust cyber insurance coverage has become an essential tool to help manage the risk.
Unfortunately, we are in a hardening cyber insurance market and obtaining coverage has become increasingly difficult. As cyber incidents escalate in both frequency and severity, insurers have responded by increasing rates, restricting capacity and implementing greater underwriting controls. Many insurance companies are moving away altogether from providing cyber insurance to public entities. Those insurers that are still providing coverage to public entities now require that baseline internal controls be in place prior to offering coverage. It used to be that implementing cyber risk mitigation measures was a way to reduce premiums. Now, cyber risk mitigation measures need to be in place just to obtain coverage.
Local governments looking to purchase cyber insurance for the first time or looking to renew their existing cyber policy must show that specific levels of cyber security have already been implemented within their organization. Such steps are a minimum prerequisite to obtaining cyber coverage. Examples of these minimums are set out below.
CYBER-SECURITY TRAINING
Employees can be the biggest risk factor for cyber attacks, and everyone plays a role in managing cyber risks and preventing cyber breaches. Implementing a training program or taking advantage of a training service is a critical way to prevent cyber criminals from stealing from your organization or compromising your IT infrastructure.
MULTI-FACTOR AUTHENTICATION
Multi-factor authentication (MFA) immediately increases your account security by requiring multiple forms of verification to prove your identity when signing into an application. MFA should be implemented on all critical business applications, such as email and privileged user accounts.
By proactively implementing these two cyber controls, you put your organization well on its way to being cyber-secure. You also ensure that you will be able to obtain the critical insurance protection that is essential in today’s heightened cyber risk landscape.
NICOLE PURVES is the Deputy Director of Insurance at the MIABC. Nicole has worked in the insurance industry for 25 years, primarily involved in claims handling, specializing in casualty claims. For more information on programs and services the MIABC offers to help its members mitigate cyber risk, contact askusanything@miabc.org.