Colin Rooke and Paul Martin talk about the largest risks the world experienced in 2019, and how to use that information in the years ahead.
Listen to the full episode here, or read the full transcript below.
Paul Martin:
Welcome to Risky Business, Commercial Insurance with Butler Byers. I’m Paul Martin, the business commentator here on CKOM and you’ve heard me for weeks now, well years now I guess with Colin Rook, our commercial risk reduction specialist at Butler Byers, talking about all matters related to risk management. And one of those things of course is your insurance policy is one of the things that you buy to help manage your risk. But today we’re going to talk about well it’s the beginning of the year and it’s a good time now we’ve got the numbers in we can reflect on what was the big stuff from last year Colin. And we always have at this time of year the release of the big global risks. What do people around the world think are the greatest risks of the coming year? And that list is, it’s not static it’s changing and you were just telling me just before we came on the air that I guess some things that caught me by surprise but cyber is still a topic everybody’s talking about, huh?
Colin Rooke:
Yeah. So we’ve been, we’ve discussed this list I guess would be probably the fourth or fifth, yeah fourth time and so it’s pretty interesting. So it is a list of businesses in over a 100 countries across 22 different sectors and the focus is on, it’s a good selection of small and medium and some large but the primary folks would be medium size businesses and really the questions are simple. What is keeping you up at night? Looking into 2020 after 2019 has ended what are you concerned about now? What are you going to be concerned about in the future? And this list that we get every year it talks about global risk but it also talks about individual countries, what are you worried about?
So when I mentioned the 102 countries it does give us a list of specifically within those countries, what are you worried about? And what’s really interesting is in the past it’s been all over the map, depending on where you are you’re going to be worried about different things, I can say not this year. So the global list is almost identical to the individual lists of most of these countries with some variation. Which so when we talk about cyber and so this year for the first time cyber is top of the list. So when we first started doing this show it was in the 30s but notable and it jumped to 12 which we did a big show about, this huge increase we better get on it. Then it was top five, now it’s number one and again it’s not just number one globally it’s basically number one across the board no matter what country you’re looking at currently other than I think in Australia forest fire quite frankly was the number one risk. So, we’ve got to start getting a lot more serious about cyber crime.
The global list is almost identical to the individual lists of most of these countries, with some variation.
Paul Martin:
Isn’t that interesting though that there’s unanimity around the world now that the hackers have become so proficient that business people it doesn’t matter where you are, what country, what continent, what industry you now see yourself as being a potential target and that this is something you need to be worried about?
Colin Rooke:
Yeah. And I do want to be clear that these risks are not what risks that are covered under your insurance policy that keeps you up, that’s not what this list is based on. So again, this is looking at everything that’s giving you anxiety as a owner, as a leader, as an executive team, cyber is what is most concerning to the world currently. Traditionally the number one risk has or at least always been top five and is still number two is business interruption. Now there is business interruption insurance available and most organizations would carry it. I want to be clear that’s not what they’re worried about. They’re worried about events that will stop these businesses from being able to operate. And when you read further into specifically what are they concerned about like what are they citing as the cause of these interruptions, is it natural disaster, they are worried about IT threats, cyber crime being the leading cause of their concern or why they feel that they would be interrupted for a long period of time. So I would argue that risk one and two are the same risk meaning that ..
Paul Martin:
It’s dominant. It really is dominant.
Colin Rooke:
It is dominant and it’s not going away it’s getting worse and it’s imperative that everyone put more focus on cyber crime mitigation.
It is dominant and it’s not going away it’s getting worse and it’s imperative that everyone put more focus on cyber crime mitigation.
Paul Martin:
As you discuss this Colin I can’t help but think of that line about taking a knife to a gunfight. That business owners really are the knife here and that the hackers are the gunfighters. That they are miles ahead of business owners and the business industry period has been quite slow, they haven’t caught up to the sophistication and the ability that the hackers and the cyber pirates have that they’ve been executing or exhibiting.
Colin Rooke:
Yeah, really good point and business owners have got to stop saying that they’ve outsourced IT and that they have backups or all my information is host offsite. That has nothing to do with this problem. What the problem is is we’ve got whole countries devoting resources to educate criminals to steal information from others. They are trained in what’s available today. They know what you’ve bought, they know how it works, they have those same programs and they’re being taught how to disarm them.
And so, this idea that you can purchase a product that will protect you you’ve got to stop that line of thinking. What needs to be focused on now is when I discover and again I mean when I discover I have a breach what am I going to do about it? What will I learn from it and how will I better handle quite frankly the next breach? I mean that’s where the industry is right now. Again, I said it before I used to say it’s not a matter of if it’s when but it truly is those that know about their breach and those that don’t that’s where the industry is at for cyber crime.
Paul Martin:
And it’s probably reasonable to assume that if you get hit and you make the fix you’re probably ready for the next one, right? Yeah I mean that it’s not a one off. This is, you will be repeatedly targeted. This is not a go away problem.
Colin Rooke:
No it isn’t. And I’m not really offering solutions in the sense that it’d be nice if you could purchase something, wave a magic wand and mitigate this entirely and unfortunately that’s not the case but you can still arm yourself with knowledge. There’s still so many types of viruses that you can thwart by education or identification. But again for those that cannot you need to focus on a recovery plan, an incident response plan that that would include things like, and we’ve talked about it before, any PR firm that may need to work with your company for any reputation risk associated with.
But again, at minimum without knowing how significant a breach to your organization could be you’ve got to have a plan in place to handle that. If you learn you were lucky and it’s just ransomware for example great. At least you put in the time to plan for it and you work through that and you move forward. But what if it’s not just simple ransomware? What if you learned that they’ve been in your system for years and essentially every email you’ve sent for the last 24 months has infected others. What if you’re that company? And again, that may not be you, it might never be that severe but again some level of planning is required at this point.
Paul Martin:
Well you’ve scared me sufficiently now so we’re going to take a break and when we come back we can talk about some potential steps that business owners and executives and professional managers can take or what would happen if they engaged you in a conversation. What would that conversation sound like and what kinds of things do we as business owners need to be thinking about? So we’ll come back after this break and we’ll be picking that up.
You’re listening to Risky Business, Commercial Insurance With Butler Byers back after this. Welcome back to Risky Business, Commercial Insurance With Butler Byers. Paul Martin here as the host today and joining me as always Colin Rook the commercial risk reduction specialist with Butler Byers. Just before the break we were talking about all things cyber that’s now the top of the heap for concerns that businesses around the world have about what keeps them up at night and what they feel they’re threatened by. And you said in that survey that was done, it was more than a hundred countries I think. Where did Canada stack up in all of this saying are we any good at this or are we weakened targets or where are we in that ranking?
Colin Rooke:
Yeah. So it’s pretty interesting because you know the list of concerns from Canadian business owners is, especially the top 10 is very similar to the global survey. But what’s funny is again back to cyber incidents, cybersecurity, another article has come out that basically states that among the cyber criminals, the hackers if you will, Canada is being targeted more so, they’re putting more emphasis on Canada, because they’ve determined that the awareness and the infrastructure isn’t there. It’s not to the level of some of the other countries that are making cybercrime a priority. So I mean what they’re basically saying is they’ve identified doing their own let’s say market research that it’s easier to hack a Canadian firm than it would be a U.S. based firm or a European company and that’s really alarming. And another interesting point it I would say proves this concept a little bit is I did say that Canada’s list is almost verbatim but the Canadian businesses ranked cyber crime number two whereas if you look at most of the other developed countries they ranked it number one. So the fact that the rest of ..
Paul Martin:
And it still hasn’t figured it out.
Colin Rooke:
Yeah it just doesn’t …
Paul Martin:
We don’t give it as much emphasis as the rest of the industrialized world.
Colin Rooke:
Yeah. You’ve got essentially a hundred others saying number one for sure and it’s not far off but still for Canada to say number two it proves the point of this article that we’re not putting the effort there, the infrastructure isn’t there, the awareness isn’t there. And so, that’s alarming that they’re saying, “We will probably have a higher degree of success if we target Canadian companies moving forward.”
Paul Martin:
Well, I guess there’s nothing like being the number one prospect of a criminal.
Colin Rooke:
Well yeah that’s essentially it. The criminals have basically released their prospect list and Canada is …
Paul Martin:
Top of the pile.
Colin Rooke:
Yeah their ideal client.
Paul Martin:
And I guess there’d be no reason to assume Saskatchewan would be any different so business owners here probably would fall into that same mindset.
Colin Rooke:
Yeah, exactly. And again, you might say, “Well I’m not large enough,” or they’re probably thinking Toronto or Vancouver or Montreal, Calgary but they’re not that specific. It’s less targeted than you think, it’s a blanket approach. They develop a way to hack certain systems and then they just, it’s often just a blanket approach and whatever works they run with. So to say, “Well I’m not big enough or I’m too far away from the big smoke as you would say Paul being Toronto it’s just not the case. You’re just as likely to be a target as a company out east.
And again, it’s something that needs to be discussed in the management meetings, at the executive level, the board of directors. We have to take cyber crime very seriously. And again, we’ve talked about this list before and I don’t want to just make the show about cyber but I do want to point out a huge change on this list. When we first started the first two years we talked about reputation risk almost nonstop. That was the number one global risk reputation, loss of brand value. It is now globally number eight. So in two years my tune has almost completely changed from reputation risk which again we beat that to death and now it’s almost a hundred percent cyber and as much as I try and get away from the topic it just keeps growing.
…it’s something that needs to be discussed in the management meetings, at the executive level, the board of directors. We have to take cyber crime very seriously.
Paul Martin:
The industry just won’t let you do it. It’s interesting climate changes moved down the list too and cyber has moved up.
Colin Rooke:
It was reputation risk and climate change and now we’re talking about risk eight and risk nine being reputation risk and climate change. So big changes on again what’s keeping business owners up at night.
Paul Martin:
Well listen, this is scary and I think if I’m a business owner listening to this you’re enlightening me in saying you’re turning the red light on I’d better pay attention to this. So when they call you what’s the nature of the conversation you have with a business owner? I mean what are you talking to them about? What questions are you asking? What answers are they seeking?
Colin Rooke:
So are we an insurance brokerage? Yes. Do we sell insurance? Yes. And our clients carry insurance but insurance is one of the tools we use. We need to have a conversation about cyber crime. Every client that we work with goes through a risk assessment. They are all unique to the businesses that we’re working with, to the individual businesses. But I can assure you on every single one cyber will come up and we need to determine together your level of preparedness and we will help you identify the risk and also work on a plan moving forward. We’re going to work together to mitigate cyber crime.
Now if we determine together that coverage is warranted we will look at placing a cyber liability policy but I can assure you prior to that or part and parcel we will educate on cyber crime. If we don’t put in the work, if we don’t work together to develop a plan, the insurance policy is almost meaningless. Again we talked about business interruption being the number two risk. Well if we sell you the product and we say, “Don’t worry. When your system is crippled we’ll make sure some of the bills get paid.” At the end of the day you still, back to your business interruption, you still were down and if you don’t work on a plan it could be for an extended period of time.
Planning, working together, sharing that plan, reviewing the plan and updating that plan is going to reduce that time to as little as possible and that is our goal. So that’s one of the things we are going to work on. But we also have to educate because there’s a lot of misconceptions as to what is a virus and the types of viruses. It’s no longer an X rated email that gets through with a strange attachment that people open. I mean, if you think,, “I watch for those and I don’t click on them,” that is not what we’re talking about at all and we need to educate as to what to look for and how the nature …
Paul Martin:
So the hackers have become more sophisticated and we are still living in
Colin Rooke:
They’re experts at replicating those working in the organizations and we have to teach you how to identify that.
Paul Martin:
Colin as always we could go on and on about this and we’ll have to end it here but there’s a new risk in town and business owners need to be paying attention to it. And if they reach out to you you’d be quite willing to sit down with them and walk them through it and give them some guidance and advice. You’ve been listening to Colin Rook the commercial risk reduction specialist with Butler Byers. This is Risky Business, Commercial Insurance With Butler Byers. I’m Paul Martin. Thanks for joining us. Talk to you next time.