Cyber and Social Engineering Attacks: Don’t Let Insurance Gaps Leave You Vulnerable In 2018, hackers compromised Wasaga Beach’s servers for weeks before the town paid a ransom to regain control. In 2019, criminals posing as one of Saskatoon’s contractors used email fraud to misappropriate $1 million. That same year, Stratford City Hall paid $75,000 in Bitcoin to a hacker who crippled its network. While these incidents were well-publicized, there are many more that never make the local news. Make no mistake: local governments – small, medium and large – are increasingly at risk of cyberattacks. The threat is particularly acute at the moment, when the demands of operating remotely have made organizations highly reliant on technology. Strategies to prevent these attacks must be multi-faceted. Organizations should have sound IT security and a strong employee training program (as many attacks begin with an employee clicking a link or misplacing a device). Finally, since not all attacks are preventable, robust insurance coverage is essential. Cyber Risks Cyberattacks can take many forms. Social engineering fraud – where a criminal impersonates a real person – is on the rise. We have all received phishing emails that invite us to click on a suspicious-looking link; however, cybercriminals are becoming increasingly sophisticated, making it difficult to distinguish between what is real and what is fake. Another example is ransomware, where hackers install malware on an organization’s network and demand a ransom to release control. The losses and expenses arising from these attacks are myriad: • Out-of-pocket expenses to investigate the attack, respond to it, repair the damage and notify all persons whose data was affected; 14 | GFOABC.CA
• The cost to defend claims by third parties whose personal information was compromised; • Ransoms; and • Regulatory fines arising from privacy breaches. Cyber Coverage Many local governments are already covered in some form against cyber risks. You may have coverage under a standard property insurance package, or you may have paid an additional premium for a standalone crime or cyber policy. Chances are, however, that coverage is insufficient. For example, many policies do not cover social engineering fraud. The following coverage is standard under most cyber policies: • Security and privacy liability; • Multimedia and intellectual property liability; • Network interruption and recovery coverage; • Event support expense coverage; • Privacy regulatory defence & penalties; and • Network extortion. Certain insurers offer additional features, including coverage for: • Social engineering fraud; • Cyber terrorism; • Bricking (damage to devices and hardware); • Payment card industry fines; • Reputational damage; and • Losses above the aggregate policy limit.
