Cyber Crime, Are You Prepared?

Another year, another data breach. Are you prepared in the event of your data being compromised? In this episode of Risky Business, Colin Rooke talks about the implications of such an event.

Listen to the full episode here, or read the full transcript below


Paul Martin: Good morning, and welcome to Risky Business, Commercial Insurance with Butler Byers. I’m Paul Martin, business commentator here on CKLM. You’ve heard me talking about the Butler Byers risk assessment system. Today we continue to explore this area of commercial activity, and we’ll learn some key points that are crucial to your commercial insurance strategy, and really how you make decisions about it. As always, we have invited Colin Rooke, the commercial risk reduction specialist with Butler Byers Commercial Insurance, to join us in studio.

Colin, we have so much stuff going on that is so timely in the news today, it was almost … I had some difficulty deciding, what are we gonna talk about? Is it gonna be hurricanes? But there was one that caught my mind that I wanna spend some time on, and it was another of these cyber breaches. I don’t wanna make it sound like, “Oh, we had another cyber crime episode.” Not really. But we’re gonna talk about it and the implications of it, because this one is different than most. It has far-reaching implications. It’s the Equifax breach that just became public here not so long ago.

Colin Rooke: Yeah. Isn’t it funny when you’re trying to prep for a show and you think, “There is so much risk going on today, what do we talk about? What’s more topical than the other? Do we go world’s largest data breach? Do we go devastation in Florida and Houston due to hurricanes, and reinsurance issues?”

Yeah. This won’t be a show about, what is cyber crime? We’ve covered that. This is more about … It is about risk, but although the risk we’re gonna discuss is a cyber crime type of risk, it’s a cyber breach, the point is to look at your business and think, “Do I have plans in place currently to protect myself against all forms of risk, not just cyber crime? Am I working a plan? Is it in place? If I was ever called to task, can I prove that I did my due diligence, that I wasn’t negligent?”

So yeah, we’re gonna talk about the Equifax breach. For those that aren’t 100% familiar … My whole world is risk, so sometimes I think that everyone knows about this stuff. Just wanna give you some background. The initial breach was in May, and it was discovered July 29th. There’s basically three major players in the credit check market. Equifax is one of those. They had a breach in May. It was discovered July 29th. The personal information of at least 143 million people has been stolen. It’s gone. The bad guys have it, so to speak.

What did they take? They took credit card numbers. They took social security numbers. They know birthdays. They know addresses. They have driver’s license numbers. They know mortgages. They have credit ratings. What most don’t know is this is the third breach Equifax has had since 2015. It’s a frequency issue with Equifax.

Paul Martin: All right. Equifax is a name, I guess, those in the business community may have heard of. In all likelihood, probably haven’t had much dealing with. It takes me to that question of, so what? Why should I care about this? I guess from a consumer’s perspective, there’s one angle, which is the potential for identity theft with all this information being out there. But from a business person’s perspective, why do I care? It’s a so what for me. Answer that for me, if you can.

Colin Rooke: Yeah, really, really good point. If you say, “I don’t have any dealings with Equifax, so I’m fine …” What Equifax does is, they are given credit information from third parties. These are credit card companies. If you’ve ever applied for a credit card, banks, any other lender, or anyone reporting on any credit activity at all, and they do both hard credit checks and soft credit checks. You’ll never be called by Equifax. You’ll never have an Equifax account. Equifax is used by other businesses that you do business with in order to provide credit to your clients.

For those listening right now that aren’t in business, where you’re put at risk is that if you’ve ever, again, applied for credit anywhere, chances are Equifax has information on you. Again, there is only three major players. They have fairly equal market share. Equifax is the larger of the three, and basically they had access to every file they had on record.

Paul Martin: So if I have passed on my information, applied for a credit card at a bank or a traditional credit card, a Mastercard or something like that, but also even one from a retail chain, from the Bay or something like that, all of these … I have no idea if the Bay deals with Equifax or not, but I assume when I’m handing out this information, it’s confidential stuff. So if there’s a breach, somebody could take that and recreate my identity, right?

Colin Rooke: Exactly. In this case, the bad guys, the hackers, they have absolutely everything they need to create false identities. The claims are already coming in. It’s by the thousands. The funny thing is, too, for those that are notified by other businesses that your credit or your identity may have been at risk, the bad guys are patient. They realize that once a breach has happened, once they’ve stolen something, everyone is on high alert. But that information’s forever. If they have your SIN number today, they can use it 18 months from now. The real risk and the real threat is, they wait. It’s not an all-at-once. They will create identities over time.

Where the real money is in hacking is, of course, selling that information to other third parties who will pay a pretty penny to have that information. Those sales take time. The magnitude of this breach we won’t even know for years.

Paul Martin: It’s an interesting point, because we’re usually talking about commercial insurance here, but even for just average people who aren’t in the business world, listen up to this one. Check your credit card file, your statement. Don’t leave it in an envelope on the desk. Better yet, if you’re online and you have it, check it regularly.

I know mine was compromised not so long ago, and it was interesting how the crooks actually play the game. They test you. A couple of small transactions. I had a pizza place in New York and a Subway or something, sub sandwich place, in Houston. They were $10, $20, $30 transactions to see whether I noticed or not. Then the next one’s gonna be a couple hundred, and then they’re gonna really crank it up. So watch your file. They’re very, very good at this. Who knows when the compromise happened. They could’ve been sitting on my account for 18 months. But they start out very small to see if you’re vigilant, so check your account and keep track of it.

Colin Rooke: If you can imagine walking into your bank to renew your mortgage, and from across the table, they look at you and say, “You’re not Paul Martin. Paul Martin already has a mortgage and you’re not him.” That’s happening already due to this breach. It’s really scary stuff.

Paul Martin: So somebody has stolen that identity.

Colin Rooke: Yeah, already.

Paul Martin: And the bank, in their view, is-

Colin Rooke: They’ve created a person.

Paul Martin: Yeah. The fake one is the real one for the bank’s perspective.

Colin Rooke: Yeah. They had everything they needed, right?

Paul Martin: This is scary, scary stuff. For people who aren’t familiar with the cyber world, this is a whole new endeavor. But as always, we try and talk about commercial stuff here, so especially small business people, what should they be looking out for?

Colin Rooke: Yeah. Again, good point. Why are we talking about this? Anyone can listen to the news and learn that there’s a problem. The real problem we see is, again, business owners don’t feel or believe the threat is real. This is why I wanna talk about what this breach means to everyone.

Here’s the problem. Again, if you deal with any form of hard or soft credit, if you have any sort of payment plan, or you sell credit insurance as a company, which … that’s thousands and thousands of retailers out there. If you deal in any way, you will have dealings with Equifax. The real problem is gaps in coverage. So all of a sudden Paul Martin says, “My identity has been compromised and I’ve had some purchases made on my credit card. I believe it happened at your business.” In most circumstances, your commercial general liability does not cover you. There is no coverage for this type of claim.

Paul Martin: Whoa. We’re gonna get into this. We gotta take a little break, so when we come back, I’m gonna have you explore this and explain it so that business people in the community can actually take some steps to protect themselves. You’re listening to Colin Rooke, the commercial insurance specialist with Butler Byers Commercial Insurance. We’re gonna take a little break. Risky Business returns after this.

Paul Martin: Welcome back to Risky Business. This is Paul Martin and I’m talking as always with Colin Rooke, the commercial risk reduction specialist with Butler Byers. Just before the break, we were talking about your traditional liability policy for a business not really covering the kinds of things that are increasingly happening.  The Equifax breach, for example. Cyber breaches, this kind of stuff. If I’m a business owner, what steps do I need to do to protect myself? Are there steps I need to take?

Colin Rooke: I’ll give a good rationale as to why you need to take steps in the first place. When claims are made … We just did a survey. The average claim in Canada already in 2017 is roughly $5.78 million. That is a big number.

Paul Martin: That’s not an aggregate, that’s an average.

Colin Rooke: That’s an average. 30% of all cyber breaches are now employee error, which means again, it’s your people letting in, whether it be the ransomware, the virus. It’s human error occurring in the company. This is not an IT issue. This is a people issue.

30% of all cyber breaches are now employee error, which means again, it’s your people letting in, whether it be the ransomware, the virus. It’s human error occurring in the company. This is not an IT issue. This is a people issue.

Both the cost of claims and the size have increased from 2016. They’re larger and more often. When it comes to ransomware, which I think is the term that most business owners would be familiar with, especially small business owners … So far we are averaging in 2017 4,000 ransomware attacks a day, and those are reported attacks. It’s estimated that that number would be three to five times larger, because most attacks are not reported. So if you can imagine, it could be up to 15, 20,000 successful ransomware attacks in Canada per day. It’s absolutely crazy.

Paul Martin: Of course you throw up your hands as a business owner. Okay, those are terrifying numbers. Not just scary, they’re terrifying. But what do I do about it?

Colin Rooke: Again, why are we talking about these numbers? If you are called to task, if there is a claim of negligence against your business, if you’re gonna defend yourself at all, especially if you don’t have coverage, you need to prove you’ve done your due diligence. You need to prove you weren’t negligent, that you took steps to protect your customers against this type of fraud. If you aren’t working a plan, if you haven’t identified the need and you don’t have measures in place to educate your organization, educate your customers, and to prepare yourself for a breach of this magnitude … Again, the likelihood that they will find negligence is definitely going to increase.

It all plays into why business owners need to have a proactive risk management plan.

Yes, we’ve talked about cyber crime, and yes, we’ve talked about this Equifax data breach. But it all plays into why business owners need to have a proactive risk management plan. This is just one form of risk. Like we said, we haven’t even talked about what the cost of the damages of these hurricanes, the impact on the insurance market. But if you’re working a plan, if you’re identifying risk, if you’re working through that plan and bettering the organization, when breaches like this Equifax … When you are notified that a client has a complaint, you now have ammo to say, “We did what we could. We’re not perfect. We never will be. But we’ve done everything we could do, again, mitigate our risk.” Again, if you can prove you weren’t negligent, then you don’t have to go through a liability claim. You’re far better off as an organization.

If you can prove you weren’t negligent, then you don’t have to go through a liability claim. You’re far better off as an organization.

Paul Martin: Yeah, and the insurers will stand behind you then.

Colin Rooke: Exactly, yeah.

Paul Martin: They won’t deny and say-

Colin Rooke: It’s a slam dunk otherwise.

Paul Martin: Yeah. It takes a little bit of work. But this kinda brings us full circle, doesn’t it, from what we’re always talking about on this program, which is build a plan, work the plan. Your risk reduction, step by step, assessment and reduction plan. I guess this is just one more example of why this is important. It’s more to it than just fill out the form. There’s actually some work behind it all.

Colin Rooke: Exactly. Will your risk reduction plan prevent Equifax from having a data breach? No. But if you are called to task because Equifax did have a data breach and you are doing business with Equifax, and you can show that you have a plan in place and you’ve done what was reasonable, you’re far less likely to have damages awarded. Again, that’s just one area of risk. There’s thousands of areas of risk that business owners need to be aware of. It’s showing, again, that you’re working on it, that you’re being made aware, that you’re taking steps to prevent, to mitigate.

Paul Martin: One of the points you’ve always made in this program is that not only do you get a plan that identifies risk one, two, three, four, this being one of them, that you also gotta kind of … The remedy comes with it, too. You say, “If we can work on these things to improve your business, no matter what at the end of the day, even if you never had an insurance claim, your business is better off ’cause you’re better managed.”

Colin Rooke: Yeah. And you will save money as a result.

Paul Martin: Yeah. There’s a kind of a double win to this. Is it reasonable to assume that with a firm the magnitude of Equifax, that there are businesses in Saskatchewan that will have been impacted by this thing?

Colin Rooke: Oh, absolutely. Hundreds if not thousands. Again, it’s anyone that deals in credit in any way. You can just think of every time you’ve been asked for a credit check. Again, any industry, they probably have sent data to Equifax whether they’re aware of it or not. Because again, the third parties they use, the banks, the lenders, they’re definitely sending that information off to Equifax.

Paul Martin: So even when you make a bank loan application or something-

Colin Rooke: Exactly.

Paul Martin: You apply for a mortgage.

Colin Rooke: Exactly. So again-

Paul Martin: Probably if you own a house, you likely on a list somewhere?

Colin Rooke: If you have a credit card at all, Equifax has your information. It’s that simple.

Paul Martin: As a business in this province, the likelihood of one of my customers-

Colin Rooke: Having a [crosstalk].

Paul Martin: -coming back to me and saying, “It was your fault” goes up probably exponentially.

Colin Rooke: Exactly. If they’re able to determine that yes, my information made it to Equifax, yes, my information was stolen, and yes, the criminals are using it … If you can say, “The only place in the last X amount of time that I’ve given any sort of credit information to was …”

Again, you might not be negligent. At the end of the day, the lawsuit could go away. They could say there’s not enough evidence. But again, do you want to take that risk of saying, “We can’t pinpoint what exactly happened, but we do know this organization did virtually nothing to prevent. It would be reasonable to ascertain that the breach could have come from this business.”

Paul Martin: Colin, as always, very informative. Sometime a little scary, but the good news is you bring along the pillow that I can hug and get a little comfort from. Because I think it’s important that in this program, we raise awareness about some of the challenges and issues that are out there and how they can affect business people, even though they may not sort of readily know that. So thank you for that, as always.

Colin Rooke: Yeah. Thanks, Paul.

Paul Martin: You’ve been listening to Colin Rooke, the commercial risk reduction specialist with Butler Byers Commercial Insurance. As always, we’d encourage you, give him a call. It’s free. He will walk you through their step-by-step assessment and help you as a business owner understand some of the pitfalls that are out there and how he can fill those potholes so you don’t break a tire as you’re driving down the road. This is Paul Martin. You’ve been listening to Risky Business. Join us again next time.