Insurance Expect More Cyber Crime

from Canadian Apartment Magazine * January 2020

The Heightened Demand for Rental

No business is safe in the foreseeable future Expect More Cyber Crime

by Andy Schwartze

As we enter the new decade, the business of protecting the corporate balance sheet and revenue flow from illegal attacks is becoming a greater concern to owners and managers. These “cyber-attacks” are becoming more frequent, broad-based and certainly creative. With regular digital communications, electronic data and payments being shared over the internet, openings for abuse are expanding and will inevitably become a growing threat.

In this respect, the areas of exposure encompass a number of business sectors. The insurance world is still grappling with the perceived enormity of a possible claim and has not yet fully built out a coverage system that is able to maturely rely on many years of experience. Nor is it sufficiently defined to enable corporate insurance buyers to accurately nail down a connection between coverage needs and what may be available in the marketplace, not to mention the balancing of these with premium cost availabilities.

Companies have any one of a number of exposures that can be attacked from the outside. These can be defined in broad terms, and probably fall mostly into the following categories:

1. Unauthorized access to financial accounts 2. Establishment of fictitious outside payees 3. Access to sensitive/proprietary or intellectual “property” or trade secrets 4. Theft of established and internally developed database information 5. Theft of “personal” information collected from suppliers or customers.

Whether an illegal external intrusion comes from within the organization, or from the outside, the corporate victim generally does not know something has been “stolen” until after the deed

has occurred. It can even happen that the intrusion is hidden for a period of time, enabling the criminal intruder(s) to expand the activity and create even more havoc.

As corporate insurance buyers, we know that there is a wellestablished insurance system in place that protects in the event of criminal theft from within the organization. Where an employee decides to steal from his/her employer, there are insurance contracts that can be entered in to that have well defined and understood coverages. Accounting procedures have been established that will confirm the facts of an employee theft, without the need for a full, extensive audit in order to receive claims benefits. We’ve experienced many of these claims from clients over the years, and they typically result in a satisfactory settlement fairly quickly. The system, if we can call it that, is established and it works well. Experienced adjusters, well-versed and trained in employee theft claims, are readily available and contribute positively to the wrapping up of this kind of claim. With growing concerns about external electronic intrusions, the insurance system is not yet well established, with many insurers and brokers still in the learning stage. Where a corporate client’s electronic system is invaded, and perhaps vandalized, the rebuilding process can be costly. Where a business’s system is invaded by ransomware and shut down until a money demand has been satisfied, how is that handled and to what extent does one meet the demand? Then there is the concern that the intruders might return. And if an outside criminal element manages to steal the personal information of suppliers or customers, once the notification requirements have been met, what is the corporate responsibility to those affected? How long does that responsibility last? Is it based on provable allegations of negligence? How do you figure out what the dollar value of this inconvenience is, and if not easily calculated, does the business want to make a gratuitous payment to each record owner?

This entire arena of cyber crime is still very immature, and while there is insurance coverage available, the property/casualty industry is being very careful in not offering very high coverage limits. Currently, we are finding that $5,000,000 is the upper level of coverage being offered with numerous underwriters preferring to offer lesser levels. To a large extent currently available coverage offerings are underwritten by Lloyds, the usual place where new insurance ideas are incubated.

But the exposure to unauthorized entry into corporate information systems is something that we all need to understand and discuss with our preferred risk management professionals. As in the case of any “exposure” we have the option of ignoring it, erecting internal protective barriers or look to the insurance world for coverage. In a 2019 “Cyber Risks” report, prepared by The Insurance Institute of Canada, there is constant reference made to statistics that point in only one direction. This problem is escalating and will continue to do so, at least for the foreseeable future.

Andy Schwartze, BSc., MBA, CIP, is an insurance broker specializing in property management and real estate. He can be reached at andy@takecover.ca.