Insurers urged to prepare for more cyber risk oversight

THE FEDERAL government has become more focused on cyber security since the breach at credit rating firm Equifax, delegates heard at the recent Insurance Bureau of Canada’s Regulatory Affairs Symposium in Toronto.

The Equifax breach leaked highly personal information including names, addresses, social security numbers and birthdates of millions of its customers in the U.S. and Canada.
The company was breached in July but Equifax didn’t notify customers until September. The incident led ceo Richard Smith to retire and subsequently issue a public apology in the Wall Street Journal.

IBC president and ceo Don Forgeron said that, due to the Equifax incident, when the IBC met with Malcolm Brown, the deputy minister of public safety, to talk about flood issues and natural catastrophes, he was “absolutely seized” with cyber breach issues.

“Everyone from the federal government and small business owners are asking how to protect themselves,” Mr. Forgeron said.

He added that the federal government has plans to act on and respond to these issues soon.

“No amount of security can completely adequately protect against cyber attacks and although insurance transfers some risk it isn’t the whole solution,” Mr. Forgeron said.

And while insurers have an appetite to cover cyber risk, they are also vulnerable.
“Insurers are also becoming much more aware of their very own real exposure to cyber attacks,” he said.
“Insurers hold personal information, and a lot of it. How do we protect our own systems?’

Mr. Forgeron and two speakers at the symposium said Canadian insurers can learn a lot from the Equifax breach. Speaking at a privacy law development panel during the symposium, Farah Zafar, senior counsel, corporate compliance and privacy officer at Economical Insurance, said one of the biggest impacts of a cyber breach is on a company’s brand. She said one of the biggest concerns with the Equifax breach was how long it took the company to tell its customers about it.

“Certainly consumers looking at that felt that Equifax took too long to share that information.

“There seems to be a visceral reaction because they felt Equifax took too long in getting the information out to impacted consumers.”
But Ms. Zafar said it is difficult for companies to assess when to report breaches.

“The reality is that it can be challenging to get your arms around these breaches and fully understand what has actually happened,” she said.

“Even figuring out what happened and fully understanding and providing meaningful information — that in and of itself can take time although there seems to be a public perception that it needs to be immediate and shared as soon as it happens.”
That, she said, makes it crucial for companies to have incident plans in place prior to anything bad happening.

Creating an incident plan once a breach happens is too late.

“Insurers have to be proactive about these things since insurers are aware of the volumes of data they hold from their customers,” Ms. Zafar said.

“It’s really important to be proactive and internally develop a team to respond to these situations that can triage and assess and understand what is going on.”
Co-panellist Timothy Banks, a partner at law firm Dentons Canada, said his observations of breach incidents in general is that delaying reporting to consumers is sometimes a wise decision.

He said usually the numbers of customers affected goes down from what is often initially estimated.
“So there is always a risk in coming out and reporting the size of a breach too early,” Mr. Banks said.
“Because chances are that through additional forensics you are going to narrow the scope of the breach and know the timeline and scope of the intrusion — narrowing the total number of people affected.”

(More coverage of the symposium was presented in our Nov. 13th weekly edition. To subscribe, please choose the ‘Subscribe’ tab on our main page or email mpub@rogers.com).