State of the Cyber Market

Paul Martin and Colin Rooke discuss the issue of cyber crime and ransomware as the 2021 assessments roll in.

Listen to the full episode here, or read the full transcript below.

Paul Martin:

Welcome to Risky Business Commercial Insurance with Butler Buyers. This is Paul Martin. And my guest today joining me as always, Colin Rooke, commercial risk reduction specialist at Butler Buyers. Colin, we’re going to go back to a topic that, well, we haven’t touched for a while. But it was a pretty common theme for us in 2021. And that’s this issue of cyber crime. And it’s been pushed off the headlines a little bit by other events that have been going on, but it never really went away. And now here we are pretty much the end of Q1 of 2022. So we’re starting to get the assessments of what last year looked like. And we now got the numbers on this issue of ransomware and cyber crime, and all of that. And all of a sudden we’re talking about it again, because guess what, the numbers are in, and they’re really noteworthy. And what did we see last year, with companies being attacked electronically and digitally? And what’s the insurance industry’s perspective on this?

Colin Rooke:

Yeah so, good lead up. So now that 2021 is finalized, I can report that roughly a quarter of all Canadian businesses experienced some cyber attack last year. To make matters worse, and this will lead into the topic of this show. Of those businesses that experienced some ransom demand ransomware, 56% paid the ransom. And so I want to talk about why that’s happening, what’s going on. Dispel some of the myths about well, is this growing because more businesses are buying it. Talk about again, what’s causing these ransoms, and then what you can do about it. And lastly, how this is impacting the insurance markets. And how they are addressing this, and how their stance has changed very specific to ransomware or cyber extortion.

Paul Martin:

Well I guess insurance companies are at the end of the day, not in the business of paying out claims. They end up doing it as a course of business, but it’s not their mission, or their ambition is to go out and pay out claims. So when they start to see a category of claims going up, I would assume they respond. They look at it and say, hang on. What are we doing here? And probably starts with a process of making it harder to get. Secondly after that then raising deductibles, and eventually just taking it off the table. Am I even close to what the process looks like?

Colin Rooke:

Yeah, exactly. We’re getting very close to the taking it off the table. Cyber Liability Insurance is still fairly attainable. However, where underwriters and insurers are getting a lot stickier, is cyber extortion or ransomware. And so within the policy now, we are seeing decreased limits. So it’s now not uncommon that the max payable might be 25% of your overall limit liability, which was never the case before. Depending on any third party scan, or work done on your system. They might say you know what, there’s so many vulnerabilities here. We’re not going to offer it all together. So they have the ability to offer it, and they’re saying we won’t. And then there’s other insurers that are saying, we’re not going to get out of the space. But all we’re doing is paying for ransomware, so we’re not offering it. We want to be a player in cyber liability, but we’re not going to offer that coverage whatsoever.

And others are waiting around to see okay, if we are known for not offering ransomware, or sorry extortion coverage, will that impact the likelihood of our customers receiving ransomware? So the insurance company says, well if we are known for not offering it, and the hackers or criminals are able to determine who our policy holders are, are they going to leave them alone? And that is proving also not to be the case. It doesn’t matter if they think you have it or not. There’s really no deterrent. But from the industry perspective, it’s a ginormous loss leader.

Paul Martin:

That sounds ominous I think in the sense of, there’s been a lot of comfort drawn by business owners, and those who run companies. That been drawn from the fact that they could get this insurance, and that it was always this backstop. Now you’re saying that pardon upon insurance policy may well disappear, that it might not be available anymore. And that takes you to the position of okay, then what? What’s my next step after that? How do business managers, business owners protect themselves? What do you do with this thing?

Colin Rooke:

You have to put the work in. So the issue is 53% of all attacks on Canadian business, were caused by an individual working in that business. So you could look at that and say, 53% of all the activity was human error. And so the industry says we… And of course we talk about this all the time, but we have to get better. Our customers have to get better. We’ve got to start talking about this. We’ve got to start educating. We have to understand what a cyber threat is. We have to have an internal policy. We’ve got to work on incident response planning.

In my opinion I’ll say, it’s not that we’re going to get to the point where it’s not available. But they’re going to limit who gets it. And they’re going to reserve it for the businesses that understand. That are taking the recommendations from whether it’s their IT provider, or the insurance industry third party audits, or all of them. And they’re saying okay, if we wrote out a wish list of what we want all of our clients to have, those that get a 100% scorecard, we’re going to offer it. Any deviation from that, it’s going to be a no.

And to take it a step further, we end up talking about multifactor authentication all the time now. And cyber insurers are demanding it, even if you have absolutely no need. So you don’t have anyone logging in remotely as an example. There’s no access to the server, or the system through your phone. And they’re saying, we don’t care. You got to have it anyway. Even if that’s not the case, we just need you to have it.

Paul Martin:

It’s a funny thing about how sometimes the insurance industry is the leader in dragging people along. They are the ones at the pointing end of the stick, if I can put it that way. In terms of feeling the impact of the conduct of these cyber criminals. So they’re the ones that are most vehement about, here’s the steps you’ve got to take, and by the way if you don’t I can’t do business with you.

Colin Rooke:

Exactly. And I feel like I say this all the time, but some of the recommendations that we were reviewing two or three years ago, went from a recommendation, to best in class, to now a requirement. And then those recommendations are evolving. And at a high level when you talk about IT, if you don’t view your IT provider as a strategic partner in your business, and the IT space as a necessary investment. No different than locking doors on your office. If you don’t have that view that they are so important to how we operate, and what… I don’t want to say whatever they say will do, but again if you don’t have that level of confidence where they are that valued advisor, you’re going to find yourself in this group.

That’s going to have ransom, or paying the ransom, or not being able to get proper coverage. And again it’s not a matter of we’ll call in. What if I throw up a big deductible, they’re going to take it. No they’re not. It’s not a deductible issue. The payouts are growing in frequency and severity. And we are starting to see the insurance market take a stand on extortion coverage.

Paul Martin:

Right. This is an interesting topic, and right in your kitchen if you’re running a business. So I want to continue with this, but we got to take a little break. You’re listening to Risky Business Commercial Insurance with Butler Buyers. I’m Paul Martin, back after this.

Welcome back to Risky Business Commercial Insurance with Butler Buyers. This is Paul Martin. And joining me Colin Rooke, commercial risk reduction specialist with Butler Buyers. And just before the break, we were talking about the severity of claims, and the severity of demands being made by the cyber kidnappers if you want to call them that, the extortionists. That the frequency’s going up, the values are going up. Insurance companies are saying whoa, I don’t know if I want to play this anymore. All right. So what does the business owner do? That’s the question. You can acknowledge all of this stuff, but say all right then what? So if someone calls you up and says, help me with this, saying what’s first steps on this one?

Colin Rooke:

Yeah, good point. You’re right. I don’t want to just leave it all as doom and gloom, and then hand out the show. But at minimum, at absolute minimum, and this is not something new. It’s something that has evolved over time for us. But I’m sure we talked about our cyber risk scorecard five, six years ago. But if you just did that, it’s something that you can reach out to us. Request it, it’s self scoring. There’s no risk of well this is rigged, and whatever my answer’s going to be. It explains before you go in, what’s a yes, what’s a no, what’s an unsure. But so you can go through this risk assessment. It’s going to tell you, are you a target, do you have stuff that someone wants or not. But also the scorecard Excel… the scorecard itself, there’s 20 questions on there. But they’re all designed to spark conversation. Whether you have a yes or a no, these are all big ticket items.

And so you’re able to work through that, and really think are we exposed? Have we done this? Why aren’t we doing this? We’ve talked about this. That sort of thing. That would be the first step. Now I don’t want to suggest that if you fill out the score card, and it says your risk is low, you don’t need any protection. That needs to be determined later on. But it will certainly let you know, at a high level where you fit. From there we are also able to do system scans that by… They’re done by a third party, not by Butler Buyers. That will say, okay we’ve done this first step. And now we can look for known vulnerabilities, and we can also rank any class of business where they fit within their peers. The likelihood of breach, the average cost across all different lines.

And spoiler alert, ransomware is always the highest by five to tenfold in these claims examples. But it lets you know where you fit, based on how your system’s set up today. Where you fit among your peers, where you fit among Canada. And also how this could impact you. And it’s a very detailed report. And then we can take it a step further. And it’s something that I believe every business should have, is a proper incident response plan. Regardless of coverage, what are you going to do when you find yourself locked out? When you find yourself with a ransom. If your answer is well, I’ll just call my IT department, you’re in big trouble.

Paul Martin:

Yeah. And we tend to talk about this in the context of, it’s simply an isolated event. It’s behind your closed doors, inside your business. And work your way through it. Now this has an impact on customers, it has an impact all the way down the chain. I think about a pretty well known one in Saskatchewan. I think it was Christmas day or something. The SLGA, the Liquor Board got hit. And I remember talking with some of their staff the morning after. Customers came in, they were actually handwriting the sale down on a piece of paper. That’s how debilitated it was. And so if you’re in business, sometimes it means you’re not in business the next day, because you’ve got too many problems to deal with.

Colin Rooke:

Yeah, absolutely. And just back to the coverage question. If extortion is excluded on your cyber policy, usually the perks that go with it are removed as well. Which would mean business interruption, so lost revenue as a result of that breach. So it’s something they could really think about. But great example. And I do not want to suggest that if you have a breach, you wouldn’t call your IT provider. Obviously they’re going to play an integral role in getting you back up to speed. But it’s all those other components.

What do we tell our customers? What do we tell our staff? Do we need help from a PR firm? How bad is this thing? In the event of ransomware, who’s going to help? Are we just going to pay it? Are we going to put in a claim? Are we going to hire a negotiator? Do we need a forensic analysis to help us out? And so it’s answering all those questions in advance, and really sorting out the true cost of a breach. And knowing whether or not, is it $10,000 a day in lost revenue? Could it be a 100,000 a day, 500,000? Understanding the full impact of downtime, and also the social consequences of that breach.

Paul Martin:

This is a little bit off the topic, but as we are having this conversation here today, there is currently a war in Eastern Europe. And one of the participants the Russians are famous for being active, extremely active in the cyber attack world. They look at the West now a country like Canada, which is sending supplies to the enemy. Does that ramp up that this is… We’re at war now. And this is one of the battlefields that will be played, is that this will… The Russians may not be doing well militarily, but they certainly are doing it well in this front. And will they just amp up their activity? And in fact business owners need to understand, if your nation is a quasi participant in a war, you’re a target. And they’re elevating. They’re going to stop targeting companies in Africa, they’re coming after us. Are we actually liable to be more subject to these attacks going forward?

Colin Rooke:

Yeah very good point, and I was hoping we had time to briefly discuss. But Putin has promised increased cyber activity. And the articles are all suggesting, where is it? I would argue that it’s coming, they’re planning it out. If it’s anticipated today, then we’re going to ramp up security and watch more closely. But you look at the economic sanctions that the world has imposed on Russia, while he’s got to pay for this war somewhere. And cyber crime is big business. And he’s made outward threats saying, we’re going to ramp this up. I believe that we are going to see a significant increase in the frequency, and severity of cyber crime in the future.

Paul Martin:

Really this would serve as a warning to any business owners that are listening to this. Is that the war we’re not necessarily isolated from this, and that the war can be brought to our doorstep in a digital way. And whether you like it or not, you may well be a participant in this, and you’re certainly more of a target now. So if for no other reason than that, get ahold of Colin and his team at Butler Buyers. They have this free scorecard. They’ll allow you to walk through, and you can self test yourself. And see whether or not you’re a high risk, or a low risk, or you need to do some work on it. Colin, we run out of time on this one, but we’re talking about pretty serious stuff here. So and encourage anyone to reach out to you, and you’d be quite pleased to entertain a call I’m sure.

Colin Rooke:

Thanks Paul.

Paul Martin:

You’ve been listening to Colin Rooke, commercial risk reduction specialist with Butler Buyers. I’m Paul Martin. You’re listening to Risky Business. Thanks for joining us, talk to you next time.