#CyberFLASH: Lack of cyber data a current barrier to more comprehensive offerings: Kovacs

Canada’s property and casualty insurance industry has taken important strides to provide coverage for select cyber security risks, but the lack of data around other related threats has prevented insurers from moving forward with more comprehensive offerings, attendees of an Insurance Institute of Canada (IIC) forum in downtown Toronto heard Thursday.

Paul Kovacs, founder and executive director of the Institute for Catastrophic Loss Reduction, and president and CEO of the Property and Casualty Insurance Compensation Corporation, suggested that barriers currently exist and that those hurdles will not be cleared unless the industry gathers additional information.

“In the last few years, the industry has really stepped up and offered solutions for breach attacks, for identity theft. There are some key areas where the industry is now playing a role,” Kovacs said during IIC’s inaugural Emerging Issues Forum, the first of a series of discussions that will deal with emerging issues of interest to those in Canada’s p&c industry.

With regard to Canadians and Canadian businesses buying breach and identity theft coverage, “our sense over the next five to 10 years is that’s going to grow very quickly,” he told forum attendees.

What has changed? Kovacs pointed to the “combination of companies doing a much better job in terms of having a product that is really accepted and wanted,” a large number of high-profile attacks, growing interest from governing bodies like Boards of Directors and third parties such as regulators and others asking and expecting cyber coverage to be in place.

Read more here

#CyberFLASH: How much cybersecurity is enough?

How much cybersecurity is enough? This question is as legal as it is technical. In legal terms, the question is answered by the applicable standard of care. The standard of care draws the line between conduct that renders a company liable and conduct that does not. Where a company meets or exceeds the standard of care, it cannot be held liable in law for damages related to that conduct. In the context of cybersecurity, the standard of care may be established by a regulator, by the legislature, by contract or, retrospectively, by a court in the context of a lawsuit. This is rarely, if ever, done explicitly. Standards of care are typically framed in “should” rather than “must” language. They are often technologically neutral, in the sense that they do not require a specific solution to a specific problem.

By way of example, most regulators prefer persuasive as opposed to mandatory regulation. Hence they prefer to issue “guidelines” or “advisories” to establish standards of care. Thus, for example, the CSA Staff Notice 11-326 Cyber Security is, as its name states, a notice, rather than an order or regulation. As a notice, it is not enforceable at the instance of the regulator, nor is there a penalty regime in place for failure to abide. That said, failure to comply would be a strike against an issuer, registrant or regulated entity in any proceeding that arises as a result of a cybersecurity breach.

Similarly, the Office of the Superintendent of Financial Institutions of Canada (OSFI) issued its Cyber Security Self-Assessment Guidance on October 28, 2013. While noting that many federally regulated financial institutions were already conducting assessments of their level of preparedness, OSFI suggested those institutions “could benefit from guidance related to such self-assessment activities.” While the guidance is neither a regulation nor order, per se, no one doubts that OSFI expects federally regulated institutions to abide by it, and that a failure to do so would have consequences in other forums’ proceedings related to cybersecurity breaches.

Read more here

#CyberFLASH: Time to measure your security maturity

Most CISOs think they have a handle on how secure their organization is, pointing with pride to the latest (fill in the blank) system that’s just been installed.

But another way to measure what’s going on is to look at the organization’s security maturity — or, as author Brian Krebs put it in a post Monday, does it make cybersecurity a part of the culture or just pay lip service to it?

There are several models IT security pros can choose from: Krebs cites one crafted by the Enterprise Strategy Group, which breaks organizations down into basic, progressing and advanced. An advanced organization, for example, has a CISO who reports to the CEO, and focuses on incident detection, prevention and response.

An executive at a security vendor suggests a three-tier model that measures maturity in terms of preparedness and expectations. A reactive organization, for example, lacks executive support for IT security, and its IT operations are underfunded, understaffed and lack metrics for reporting. Business units are then ranked 1 to 5 across six categories (for example, security awareness and training).

Read more here

#CyberFLASH: Threat from hackers and cybercriminals growing in Canada

VANCOUVER — If you’re on the Internet, it’s no longer a case of if you will come under attack, it’s when.

That’s the finding of Symantec’s latest annual Internet Security Threat Report released this week. Its message is underscored by Dell’s annual security report, which lists growing threats in the business world ranging from the troublesome — cybercriminals intercepting your credit card details at the cash register — to the terrifying, hackers bent on wreaking havoc shutting down entire power grids or other critical infrastructure.

“The fact is, it’s just a matter of time when you will be breached,” said Alexander Rau, Symantec Canada’s national information security strategist.

Symantec’s 2015 Security Threat Report found that Canada ranked No. 4 worldwide in terms of ransomware and social media scam attacks last year. Ransomware is malicious software that can lock a computer down, restricting the user’s access to it, while the creator of the software demands a ransom to unlock it. Ransomware attacks climbed 113 per cent in the past year.

Read more here

#CyberFLASH: Federal government uses CODE2015 to boost open data’s profile in Canada

The federal government kicked off its promotion of an open data hackathon in Toronto on Wednesday night, encouraging people to use publicly available data provided by government departments to build new apps.

Now in its second year, the Canadian Open Data Experience (CODE) hackathon is aimed at students, entrepreneurs, programmers, developers, and graphic designers. Participants will have two days to come up with a creative mobile app using open data sets provided by the federal government, with an eye to helping youth or commerce, or to improving quality of life. The contest kicks off Feb. 20 and runs until Feb. 22, coinciding with International Open Data Day on Feb. 21.

Last year, more than 900 participants competed in the hackathon, so the organizers are hoping for an even bigger turnout this time around. But more importantly, they’re trying to highlight what people can do with open data, said Ray Sharma, founder of Toronto’s XMG Studio Inc. and one of the main organizers of CODE2015.

“Every government agency, we’re talking fisheries, we’re talking defense, we’re talking immigration, we’re talking StatsCan, every regulatory body – can you imagine the data that exists?… Do you see why that’s exciting?” Sharma said, adding there’s a vein of untapped potential in all of that data. He’s especially excited about the prospect of bringing research publications online.

Read more here

#CyberFLASH: Are Canadian firms lagging behind with IT security?

Are Canadian companies lagging behind our U.S. counterparts when it comes to strategic information technology spending? I recently had lunch with a friend and that troubling question arose.

My friend works for a multi-national information technology (IT) company. We ended up chatting about some pressing topics in our industry – new cyber threats, government surveillance, large-scale security breaches, among others.

What was disconcerting was that, based on his experience working on both sides of the border, he sees Canadian companies trailing our U.S. peers in investments in people, process and tools when it comes to information security.

“Companies in Canada aren’t really seeing the need to invest and executives don’t understand the risks,” he said.

This raises the question: Are we less vulnerable to these kinds of security threats than our U.S. neighbours?

The answer is no. In 2013, Symantec released our annual Norton Report that showed the cost of cybercrime to Canadians was $3-billion for the year, more than twice the cost from the previous year. And while attacks targeting institutions like government agencies and retail giants may seem to be most prevalent and serious given the exposure they receive in the media, the reality is, no organization is immune.

Read more here

#CyberFLASH: China slams Canada for ‘irresponsible’ hacking accusations


BEIJING – China’s foreign ministry accused Canada on Thursday of making irresponsible accusations lacking any credible evidence after Canada singled out Chinese hackers for attacking a key computer network and lodged a protest with Beijing.

Officials said “a highly sophisticated Chinese state-sponsored actor” had recently broken into the National Research Council. The council, Canada’s leading research body, works with major companies such as aircraft and train maker Bombardier Inc.

Canada has reported hacking incidents before, but this was the first time it had singled out China.

Read more here

#CyberFLASH: Ottawa warned about its vulnerability to hackers, lack of strategy


OTTAWA—Federal bureaucrats are warning that some departments and agencies lack sufficient network security and that Ottawa needs a more coherent plan to address large-scale cyber attacks, according to internal documents obtained by Torstar News Service.

The documents reveal that even as the government accused Chinese-backed hackers of infiltrating the National Research Council’s network on Tuesday, senior bureaucrats warned of deficiencies in Ottawa’s response to threats to federal networks.

The documents — part of a presentation to the chief information officer on Monday — state control of the government’s IT “incident management plan” was too complex, with overlapping roles and unclear “accountabilities.”

The plan is not aligned with the larger Federal Emergency Response Plan, which co-ordinates response efforts between different levels of government and does not include a consideration of “wide-spread government cyber (incidents).”

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.