Recent cyberattacks on municipalities and businesses — including Moose Jaw’s South Hill Fine Foods (SHFF) — should encourage such groups to take precautions to prevent victimization, says a commercial insurance advisor.
“Doing what we do and our area of business, we hear every day about cyberattacks and cyber-potential losses that are happening,” said Tereen Mowrey with Henderson Insurance.
“To be honest, we weren’t surprised (about South Hill Fine Foods). Small businesses are being targeted at the same rate as large corporations. If anything, it can be more detrimental to them. … It can financially cripple a small- to mid-size business.”
Data breaches affected three in four Canadians in 2019, according to the Office of the Privacy Commissioner of Canada. There were 680 reports of data breaches, including 58 per cent for unauthorized access, 58 per cent for stolen documents or computers, 25 per cent for phishing and impersonation, and 22 per cent for accidental disclosure of data.
The existence of cyberattacks is a good reason why buying cyber insurance is important, said Mowrey. Henderson Insurance has worked diligently during the last five years to advise new and existing clients to consider such insurance.
“Not all products are created equal. There’s a lot of packages that will come with a small amount of cyber (coverage) for low limits and maybe not as broad of coverage,” she said. “You can buy standalone policies with limits as high as $5 million.”
Small and large policies
Small- and medium-sized businesses can afford to purchase cyber coverage with such limits since it helps protect the business against cyberattacks similar to what SHFF experienced, she added. Policies are driven by revenue, number of employees and number of documents or records. Therefore, a policy could range from approximately $500 a year to $2,000 a year for premium coverage.
Besides the financial coverage and ensuring that businesses are able to purchase new equipment, cyber insurance can also provide crisis management and public relations support since the fallout from a cyberattack can affect a company’s prestige.
“Customers don’t want to go there and use their credit cards. Customers don’t want to give their information,” Mowrey said. “So even if the business is back up and running, they’ve lost business (and) they’ve lost reputation.”
Insurance is one way to manage risk, but it’s also important for businesses to have a strong firewall in place, Mowrey continued. It’s beneficial to train managers and employees to spot suspicious emails. It also helps to educate customers about their potential risk when dealing with businesses facing cyberthreats.
Major attacks on businesses
There were six major cyberattacks last year in Canada. The City of Saskatoon fell victim to a $1 million cyberattack, while Stratford, Ont., experienced a ransomware attack that encrypted city hall data and locked out staff from their computer systems for more than a week. Ottawa experienced a phishing attack, where $130,000 of taxpayers’ money was lost in an e-fraud transfer.
Mitsubishi Canada Aerospace fell victim to a ransomware cyber heist that compromised the company’s data and left it without internet access for weeks. Meanwhile, credit-monitoring agency TransUnion had 37,000 Canadians’ personal data compromised when someone illegally used a legitimate customer’s login to access the data.
Beyond commercial concerns, there are also policies to cover individuals against issues such as identity theft. This is a problem Henderson Insurance sees often, Mowrey said. Residents should ask about purchasing personal cyber insurance, especially since e-transfer fraud happens regularly.
Types of attacks
Ransomware — which affected SHFF — is one of the most common threats individuals and businesses face. This is any piece of malicious software that gains access to vulnerable networks and removes the user’s access until a ransom is paid.
It is estimated that the grocery store spent $75,000 to replace its electronics since the cyberattack compromised every system within the organization.
Phishing emails are also a problem since they look legitimate and unsuspecting employees can think they are coming from the employer. One request that Henderson Insurance has heard about recently is an email asking employees to purchase iTunes gift cards using company money.
“The gift cards are then compromised because they’ve been asked to send the code on them and the money is long gone,” Mowrey added.
It can cost a company hundreds of dollars to recover each document captured during a ransomware attack, she continued. This is where business interruption insurance can be useful, since if a business is unable to operate, hundreds of thousands of dollars could be lost while the business is shut down. Some businesses may never recover at all.
One client who experienced ransomware attacks received a request to pay more than $250,000 simply to meet the ransom demand and keep the doors open. Fortunately, said Mowrey, that client had insurance to help with that situation.
“We believe that as an emerging risk, it’s not emerging anymore,” she added. “This is a real threat to (all-sized) businesses and what we say to our client is, ‘It’s not about if, it’s about when you’re going to experience a cyberattack.’”
For more information on insurance, contact Tereen Mowrey at Henderson Insurance at 306-694-5959.