Cyber security is a material risk for businesses of all sizes. In this episode of the Canadian Equities podcast David M. Gray, Vice-President in the insurance group at Gallagher Canada, joins Robert Cooper to discuss the changing landscape with respect to cyber threats, how insurance coverage has changed and where the market is going. For the full length version of the Canadian Equities podcast connect with us at acumencapital.com/podcast.
Cyber security is a material risk for businesses of all sizes. In this episode of the Canadian Equities podcast David M. Gray, Vice-President in the insurance group at Gallagher Canada, joins Robert Cooper to discuss the changing landscape with respect to cyber threats, how insurance coverage has changed and where the market is going. For the full length version of the Canadian Equities podcast connect with us at acumencapital.com/podcast.
Moderator:
Welcome to Canadian equities with Acumen Capital. Today, we're joined by David Gray. Vice-president at Arthur J. Gallagher, Canada. David is a vice-president in the insurance group, serving small and medium-sized businesses. He also sits on the and cyber committee at Gallagher. Cyber security is a material risk for businesses of all sizes. Today we will be discussing the changing landscape with respect to cyber threats, how insurance coverage has changed and where the market is going. David, welcome to Canadian
David Gray:
equities. Okay.
Moderator:
What's been the biggest change in cyber insurance over the past several years?
David Gray:
Well, actually Rob with the increased frequency and severity of security claims in the past few years, the insurance industry is in a bit of a tailspin. most insurers are cutting back on the limits being offered. They've changed their appetite to some industries that have. Are also required. So minimum security controls or else they may not even insure you. Um, it's often hard to get exact statistics, but, um, uh, a calculation give you some background in the mid, 2019 from the insurance industry. Canada showed that for every dollar of premium that came in for cyber insurance. The insurers actually paid out about$5. So it's not rocket science to figure out why the cyber industry is in a bit of a state of flux these past few years.
Moderator:
How are the cyber insurance products being offered? Evolve? With the needs of business today? Well,
David Gray:
looking back, I think the sales approach to cyber insurance was initially focused on the increasing regulatory changes around privacy laws and making sure that if you were hacked, that you could pay the penalties and protect the personal information of employees and clients, at least initially. Uh, and, and while that. Was instill is a concern. It really wasn't viewed as a big enough reason to buy cyber insurance. the insurance product itself has actually always been quite broad, uh, by covering most of the costs after a breach to get your business back up and running. the broadness of the policy wordings, however, may have contributed to the current issues. Uh, since the bad actors demands, uh, for ransom, have increased significant. And they're becoming more sophisticated.
Moderator:
Are you finding that your customers are becoming much more sophisticated and aware of their potential vulnerabilities? Or is it still a little bit of where you find there are some, babe in the woods kind of attitude towards the cyber risk and their cyber profile?
David Gray:
I think there's a little bit of each, for sure. there are still some saying that, you know, I I've reading the paper. tell me more. What I would be getting with an insurance policy, covering all the cyber risks. Uh, we certainly get that. we've had some with very sophisticated it departments, that have done some checks and balances and gone through a number of tools and, and present themselves very well to an insurance company. And that's gonna go a long way, with respect to their premiums. It's that they're going to be offered. So, uh, you know, in, in general, uh, people are becoming more cyber conscious, cyber aware, uh, it's in the paper almost daily. it's very topical and yes, that has improved dramatically, uh, over the last few years.
Moderator:
Describe for us the evolution in the cyber threats and techniques used by the bad guys.
David Gray:
Well, if we were to look back to 2016 or so, and the hackers were a lot less sophisticated, as you say, and less organized, and we're generally looking for three to 10 Bitcoins, or anywhere from 10 to$20,000 from the businesses that they hack. They were also using pre-packaged malware of the dark weapons. Oftentimes they didn't know even how to use it and sometimes how to fix the. That they may have installed on some of these businesses, computers, uh, that said the bad actors have always been actively exploiting vulnerabilities in the standard software that's out there. Uh, that could cause widespread issues similar to what a, the WannaCry ransomware was in 2017, but by 2019, they were asking for$300,000 after they locked up. Uh, businesses network using very clever fishing techniques that can fool even the seasoned business people. They were also becoming very well organized into multi-level of criminal groups who each take a cut of the proceeds. And of course they're well hidden behind layers. Fake IP addresses and multiple countries today, the hackers even put a chat feature on their ransomware and they're available 24 7 to talk to you. Um, and there's now a corporate espionage with, uh, you know, nation state, bad actors that may even have government funding. They also are not just looking for one business to breach, but to take down multiple businesses in a supply chain, like using ransomware, like the solar winds, um, of two years ago,
Moderator:
Is there a favorite industry for hackers or ones that they purposely avoid or even countries that are preferred or avoided.
David Gray:
Yeah. Some of these criminal groups have a bit of a moral code. but, but in some ways they do, some, they obviously like to have four. they know that any government, uh, agencies that they tackle are going to bring about Interpol and the RCMP. And I have a lot of police work trying to locate them. So they generally avoid that. They leave that up to the nation state to bad guys. and they, they even will, uh, try and avoid some non-profit education. Obviously there's not a lot of money in that. They've even recently, although there's a lot of information, the healthcare industry, started to shy away from that, as well, it's just an overwhelming task. Uh, and so it's so much volume of information that they're actually looking for the small to medium size companies that haven't maybe done all of the things that they could be doing, to install on their computers. And there's also. The last two years in particular with everyone being remote, how are those remote desktop protocols, being used and how many sign-ins procedures do you have to go through to get into the network? Some have been rather weak and that's been a weak point in the last couple of years. and, and I'll pinpoint Canada cause it's, it's been one of the poster children of, the bad guys. They. Canada, certainly the U S and Australia and Europe. Those are their top four, but they, they look at Canada as some small to mid-sized businesses that just have installed all that they can there's costume to doing, getting your it up to snuff.
Moderator:
when you talk to businesses about their cyber insurance needs, what is the biggest misconception that you encounter?
David Gray:
Yeah. The biggest misconception is that a security breach is something that happens is a quick, and it's a short duration, like a break in, on your home. And it, it sort of goes along with the myth that, oh, if we could do daily backups we're we're okay. and the issue is that these bad actors may have been sitting quietly in your system for months, watching all of the activity. Including how and where the backups are stored banking, information, et cetera. they may even be using your network to run ransomware into other businesses, to hack, or they could be harnessing your computer power to mine for cryptocurrency for that matter. So it's a misconception that, um, it's a quick and short duration. These security breaches.
Moderator:
I was digging around on this. I found an IBM study from 2021. It's called the cost of data breach report. And it estimated that the average total cost of a cyber breach is four and a quarter million dollars. With the average cost for the financial industry is substantially higher at closer to$6 million. Those are big numbers. What's driving them.
David Gray:
So there, there's a number of factors that play in those driving the numbers higher. I mean, first due to the sophistication of these breaches, and the time to identify the breach and the time to contain the problem, that's growing that timeline. In fact, there was a net 2019 study by Ponoma that, The meantime to identify a breach was 203 days and 72 days to contain it. That's a very large length of time and a long time for a business to be potentially out of business. Uh, let alone the cost to restore the data, uh alone can be very costly. there are also, Increasing costs in the litigation by customers or shareholders. and if there was any personal information still. The businesses may have to monitor a customer's credit ratings for a couple of years, depending on the province or the state that it happened in. Uh, cause there's all sorts of regulatory requirements around that. and it goes without saying ransom demands of. And while the largest one I've heard of was around$40 million demand. a recent cyber webinar that I had with a key insurance company in north America, they actually handled a$10 million demand. So those are driving these costs, uh, exponentially.
Moderator:
Well, that was a fascinating discussion. David Gray. Vice-president at Gallagher. Thanks for joining us today and sharing your insights on Canadian and equities.
David Gray:
Thanks for having me, Rob.
Note that this podcast is not making an investment recommendation on any companies discussed. We welcome your comments on today's episode or any other episode. Connect with us at Acumen Capital dot com.