Okay. Let’s start with the obvious. No, this has nothing to do with Canadian citizens and immigrants behaving badly, although that may be a topic for a future post.
What we’re talking about is the prevalence of cyber-related incidents and the resulting fallout among Canadian-based companies. And the numbers may surprise you.
According to a study prepared by the U.K.-based International Cyber Security Protection Alliance (ICSPA) and commissioned by Blackberry, McAfee, Lockheed Martin and Above Security, 69 per cent of Canadian businesses reported that over a one-year period, they had experienced a cyber-related attack through the use of malware, computer viruses, phishing and social engineering.
ICSPA’s analysis, appropriately named the Study of the Impact of Cyber Crime on Businesses in Canada, surveyed 520 small, medium-sized and large Canadian companies.
Beyond the magnitude of the number of companies affected, ICSPA found that roughly 26 per cent of the respondents reported that cyber attacks had caused significant financial and reputational damage, with losses approximating CD$5.3 million and the average financial loss at just under $15,000.
Financial fraud was reported to be the most significant threat at 36 per cent, with the theft of company information second, accounting for 16 per cent of losses. Malware and virus attacks accounted for the third highest cost, while sabotage of data and networks was fourth.
According to ICSPA,
“Total cost due to cyber crime attacks increases with revenues: on average, an incident costs large organizations $1,181, compared to $991 in medium, and $741 in small ones.”
Perhaps most importantly for a certain sector of our CyberInquirer readers, 44 per cent of the businesses surveyed reported that they had retained a private commercial provider rather than a government agency to respond to their cyber event. Indeed, only 11 per cent of the affected organizations advised that they had contacted the RCMP or another government agency. According to the ICSPA, this statistic alone highlights the need for greater awareness and information concerning the services offered by the government. Equally relevant, ICSPA concludes that its findings “demonstrate that across business communities, there is a general lack of strategy, procedures and trained personnel to combat cyber crime” in Canada.
Needless to say, there is much work to be done to better educate and assist businesses throughout Canada and elsewhere about the risks, exposures, expenses and solutions relevant to the protection (and loss) of intangible assets, IP, PII, PHI and other personal and commercial records. Our October 2011 report on Canadian privacy issues addresses many of these issues. If you’d like a copy, please feel free to email me.
In any event, as in the United States, it is incumbent upon insurance brokers and underwriters to get the word out. In Canada and Australia in particular, the Privacy Commissioners are hard at work educating the public. But that most certainly is not nearly enough. It’s up to us to supplement those efforts.
Among the standards to be emphasized is that greater legal and regulatory oversight of cyber-incidents affecting the Canadian market is inevitable. Yeesh. It could be just around the corner. And at some point, a privacy notification regime (which already exists in Alberta and in certain discrete contexts) will become the paradigm.
In anticipation of these changes, it should be self-evident that the Canadian insurance industry needs to become proactive in explaining its cyber products and why Canadian businesses should be escalating their cybersecurity protocols, including through the purchase of cyber insurance. And, as in the U.S., crisis management and risk transfer solutions ultimately will become the paradigm. I’ve been presenting, writing and counseling clients on the associated issues for years. It’s time for my friends in Canada to start practicing what I preach.