May 18, 2022 • 10 mins
Cyber security is a material risk for businesses of all sizes. In this episode of the Canadian Equities podcast David M. Gray, Vice-President in the insurance group at Gallagher Canada, joins Robert Cooper to discuss the changing landscape with respect to cyber threats, how insurance coverage has changed and where the market is going. For the full length version of the Canadian Equities podcast connect with us at acumencapital.com/podcast.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Moderator (00:00):
Welcome to Canadian equities with Acumen Capital.
Today, we're joined by DavidGray.
Vice-president at Arthur J.
Gallagher, Canada.
David is a vice-president in theinsurance group, serving small
and medium-sized businesses.
He also sits on the and cybercommittee at Gallagher.
Cyber security is a materialrisk for businesses of all
sizes.
Today we will be discussing thechanging landscape with respect
(00:22):
to cyber threats, how insurancecoverage has changed and where
the market is going.
David, welcome to Canadian
David Gray (00:30):
equities.
Okay.
Moderator (00:33):
What's been the biggest change in cyber
insurance over the past severalyears?
David Gray (00:37):
Well, actually Rob with the increased frequency and
severity of security claims inthe past few years, the
insurance industry is in a bitof a tailspin.
most insurers are cutting backon the limits being offered.
They've changed their appetiteto some industries that have.
Are also required.
So minimum security controls orelse they may not even insure
(01:00):
you.
Um, it's often hard to get exactstatistics, but, um, uh, a
calculation give you somebackground in the mid, 2019 from
the insurance industry.
Canada showed that for everydollar of premium that came in
for cyber insurance.
The insurers actually paid outabout$5.
(01:21):
So it's not rocket science tofigure out why the cyber
industry is in a bit of a stateof flux these past few years.
Moderator (01:30):
How are the cyber insurance products being
offered?
Evolve?
With the needs of businesstoday?
Well,
David Gray (01:37):
looking back, I think the sales approach to
cyber insurance was initiallyfocused on the increasing
regulatory changes aroundprivacy laws and making sure
that if you were hacked, thatyou could pay the penalties and
protect the personal informationof employees and clients, at
least initially.
Uh, and, and while that.
(01:59):
Was instill is a concern.
It really wasn't viewed as a bigenough reason to buy cyber
insurance.
the insurance product itself hasactually always been quite
broad, uh, by covering most ofthe costs after a breach to get
your business back up andrunning.
the broadness of the policywordings, however, may have
contributed to the currentissues.
(02:20):
Uh, since the bad actorsdemands, uh, for ransom, have
increased significant.
And they're becoming moresophisticated.
Moderator (02:29):
Are you finding that your customers are becoming much
more sophisticated and aware oftheir potential vulnerabilities?
Or is it still a little bit ofwhere you find there are some,
babe in the woods kind ofattitude towards the cyber risk
and their cyber profile?
David Gray (02:47):
I think there's a little bit of each, for sure.
there are still some sayingthat, you know, I I've reading
the paper.
tell me more.
What I would be getting with aninsurance policy, covering all
the cyber risks.
Uh, we certainly get that.
we've had some with verysophisticated it departments,
that have done some checks andbalances and gone through a
(03:09):
number of tools and, and presentthemselves very well to an
insurance company.
And that's gonna go a long way,with respect to their premiums.
It's that they're going to beoffered.
So, uh, you know, in, ingeneral, uh, people are becoming
more cyber conscious, cyberaware, uh, it's in the paper
almost daily.
(03:29):
it's very topical and yes, thathas improved dramatically, uh,
over the last few years.
Moderator (03:37):
Describe for us the evolution in the cyber threats
and techniques used by the badguys.
David Gray (03:42):
Well, if we were to look back to 2016 or so, and the
hackers were a lot lesssophisticated, as you say, and
less organized, and we'regenerally looking for three to
10 Bitcoins, or anywhere from 10to$20,000 from the businesses
that they hack.
They were also usingpre-packaged malware of the dark
(04:05):
weapons.
Oftentimes they didn't know evenhow to use it and sometimes how
to fix the.
That they may have installed onsome of these businesses,
computers, uh, that said the badactors have always been actively
exploiting vulnerabilities inthe standard software that's out
there.
Uh, that could cause widespreadissues similar to what a, the
(04:27):
WannaCry ransomware was in 2017,but by 2019, they were asking
for$300,000 after they lockedup.
Uh, businesses network usingvery clever fishing techniques
that can fool even the seasonedbusiness people.
They were also becoming verywell organized into multi-level
(04:49):
of criminal groups who each takea cut of the proceeds.
And of course they're wellhidden behind layers.
Fake IP addresses and multiplecountries today, the hackers
even put a chat feature on theirransomware and they're available
24 7 to talk to you.
Um, and there's now a corporateespionage with, uh, you know,
(05:14):
nation state, bad actors thatmay even have government
funding.
They also are not just lookingfor one business to breach, but
to take down multiple businessesin a supply chain, like using
ransomware, like the solarwinds, um, of two years ago,
Moderator (05:30):
Is there a favorite industry for hackers or ones
that they purposely avoid oreven countries that are
preferred or avoided.
David Gray (05:38):
Yeah.
Some of these criminal groupshave a bit of a moral code.
but, but in some ways they do,some, they obviously like to
have four.
they know that any government,uh, agencies that they tackle
are going to bring aboutInterpol and the RCMP.
And I have a lot of police worktrying to locate them.
(05:59):
So they generally avoid that.
They leave that up to the nationstate to bad guys.
and they, they even will, uh,try and avoid some non-profit
education.
Obviously there's not a lot ofmoney in that.
They've even recently, althoughthere's a lot of information,
the healthcare industry, startedto shy away from that, as well,
(06:21):
it's just an overwhelming task.
Uh, and so it's so much volumeof information that they're
actually looking for the smallto medium size companies that
haven't maybe done all of thethings that they could be doing,
to install on their computers.
And there's also.
The last two years in particularwith everyone being remote, how
(06:46):
are those remote desktopprotocols, being used and how
many sign-ins procedures do youhave to go through to get into
the network?
Some have been rather weak andthat's been a weak point in the
last couple of years.
and, and I'll pinpoint Canadacause it's, it's been one of the
poster children of, the badguys.
(07:07):
They.
Canada, certainly the U S andAustralia and Europe.
Those are their top four, butthey, they look at Canada as
some small to mid-sizedbusinesses that just have
installed all that they canthere's costume to doing,
getting your it up to snuff.
Moderator (07:26):
when you talk to businesses about their cyber
insurance needs, what is thebiggest misconception that you
encounter?
David Gray (07:35):
Yeah.
The biggest misconception isthat a security breach is
something that happens is aquick, and it's a short
duration, like a break in, onyour home.
And it, it sort of goes alongwith the myth that, oh, if we
could do daily backups we'rewe're okay.
and the issue is that these badactors may have been sitting
(07:55):
quietly in your system formonths, watching all of the
activity.
Including how and where thebackups are stored banking,
information, et cetera.
they may even be using yournetwork to run ransomware into
other businesses, to hack, orthey could be harnessing your
computer power to mine forcryptocurrency for that matter.
(08:19):
So it's a misconception that,um, it's a quick and short
duration.
These security breaches.
Moderator (08:28):
I was digging around on this.
I found an IBM study from 2021.
It's called the cost of databreach report.
And it estimated that theaverage total cost of a cyber
breach is four and a quartermillion dollars.
With the average cost for thefinancial industry is
substantially higher at closerto$6 million.
Those are big numbers.
What's driving them.
David Gray (08:49):
So there, there's a number of factors that play in
those driving the numbershigher.
I mean, first due to thesophistication of these
breaches, and the time toidentify the breach and the time
to contain the problem, that'sgrowing that timeline.
In fact, there was a net 2019study by Ponoma that, The
(09:11):
meantime to identify a breachwas 203 days and 72 days to
contain it.
That's a very large length oftime and a long time for a
business to be potentially outof business.
Uh, let alone the cost torestore the data, uh alone can
be very costly.
there are also, Increasing costsin the litigation by customers
(09:34):
or shareholders.
and if there was any personalinformation still.
The businesses may have tomonitor a customer's credit
ratings for a couple of years,depending on the province or the
state that it happened in.
Uh, cause there's all sorts ofregulatory requirements around
that.
and it goes without sayingransom demands of.
(09:55):
And while the largest one I'veheard of was around$40 million
demand.
a recent cyber webinar that Ihad with a key insurance company
in north America, they actuallyhandled a$10 million demand.
So those are driving thesecosts, uh, exponentially.
Moderator (10:17):
Well, that was a fascinating discussion.
David Gray.
Vice-president at Gallagher.
Thanks for joining us today andsharing your insights on
Canadian and equities.
David Gray (10:26):
Thanks for having me, Rob.
Note that this podcast is notmaking an investment
recommendation on any companiesdiscussed.
We welcome your comments ontoday's episode or any other
episode.
Connect with us at AcumenCapital dot com.
Welcome to Canadian equities with Acumen Capital.
Today, we're joined by DavidGray.
Vice-president at Arthur J.
Gallagher, Canada.
David is a vice-president in theinsurance group, serving small
and medium-sized businesses.
He also sits on the and cybercommittee at Gallagher.
Cyber security is a materialrisk for businesses of all
sizes.
Today we will be discussing thechanging landscape with respect
(00:22):
to cyber threats, how insurancecoverage has changed and where
the market is going.
David, welcome to Canadian
David Gray (00:30):
equities.
Okay.
Moderator (00:33):
What's been the biggest change in cyber
insurance over the past severalyears?
David Gray (00:37):
Well, actually Rob with the increased frequency and
severity of security claims inthe past few years, the
insurance industry is in a bitof a tailspin.
most insurers are cutting backon the limits being offered.
They've changed their appetiteto some industries that have.
Are also required.
So minimum security controls orelse they may not even insure
(01:00):
you.
Um, it's often hard to get exactstatistics, but, um, uh, a
calculation give you somebackground in the mid, 2019 from
the insurance industry.
Canada showed that for everydollar of premium that came in
for cyber insurance.
The insurers actually paid outabout$5.
(01:21):
So it's not rocket science tofigure out why the cyber
industry is in a bit of a stateof flux these past few years.
Moderator (01:30):
How are the cyber insurance products being
offered?
Evolve?
With the needs of businesstoday?
Well,
David Gray (01:37):
looking back, I think the sales approach to
cyber insurance was initiallyfocused on the increasing
regulatory changes aroundprivacy laws and making sure
that if you were hacked, thatyou could pay the penalties and
protect the personal informationof employees and clients, at
least initially.
Uh, and, and while that.
(01:59):
Was instill is a concern.
It really wasn't viewed as a bigenough reason to buy cyber
insurance.
the insurance product itself hasactually always been quite
broad, uh, by covering most ofthe costs after a breach to get
your business back up andrunning.
the broadness of the policywordings, however, may have
contributed to the currentissues.
(02:20):
Uh, since the bad actorsdemands, uh, for ransom, have
increased significant.
And they're becoming moresophisticated.
Moderator (02:29):
Are you finding that your customers are becoming much
more sophisticated and aware oftheir potential vulnerabilities?
Or is it still a little bit ofwhere you find there are some,
babe in the woods kind ofattitude towards the cyber risk
and their cyber profile?
David Gray (02:47):
I think there's a little bit of each, for sure.
there are still some sayingthat, you know, I I've reading
the paper.
tell me more.
What I would be getting with aninsurance policy, covering all
the cyber risks.
Uh, we certainly get that.
we've had some with verysophisticated it departments,
that have done some checks andbalances and gone through a
(03:09):
number of tools and, and presentthemselves very well to an
insurance company.
And that's gonna go a long way,with respect to their premiums.
It's that they're going to beoffered.
So, uh, you know, in, ingeneral, uh, people are becoming
more cyber conscious, cyberaware, uh, it's in the paper
almost daily.
(03:29):
it's very topical and yes, thathas improved dramatically, uh,
over the last few years.
Moderator (03:37):
Describe for us the evolution in the cyber threats
and techniques used by the badguys.
David Gray (03:42):
Well, if we were to look back to 2016 or so, and the
hackers were a lot lesssophisticated, as you say, and
less organized, and we'regenerally looking for three to
10 Bitcoins, or anywhere from 10to$20,000 from the businesses
that they hack.
They were also usingpre-packaged malware of the dark
(04:05):
weapons.
Oftentimes they didn't know evenhow to use it and sometimes how
to fix the.
That they may have installed onsome of these businesses,
computers, uh, that said the badactors have always been actively
exploiting vulnerabilities inthe standard software that's out
there.
Uh, that could cause widespreadissues similar to what a, the
(04:27):
WannaCry ransomware was in 2017,but by 2019, they were asking
for$300,000 after they lockedup.
Uh, businesses network usingvery clever fishing techniques
that can fool even the seasonedbusiness people.
They were also becoming verywell organized into multi-level
(04:49):
of criminal groups who each takea cut of the proceeds.
And of course they're wellhidden behind layers.
Fake IP addresses and multiplecountries today, the hackers
even put a chat feature on theirransomware and they're available
24 7 to talk to you.
Um, and there's now a corporateespionage with, uh, you know,
(05:14):
nation state, bad actors thatmay even have government
funding.
They also are not just lookingfor one business to breach, but
to take down multiple businessesin a supply chain, like using
ransomware, like the solarwinds, um, of two years ago,
Moderator (05:30):
Is there a favorite industry for hackers or ones
that they purposely avoid oreven countries that are
preferred or avoided.
David Gray (05:38):
Yeah.
Some of these criminal groupshave a bit of a moral code.
but, but in some ways they do,some, they obviously like to
have four.
they know that any government,uh, agencies that they tackle
are going to bring aboutInterpol and the RCMP.
And I have a lot of police worktrying to locate them.
(05:59):
So they generally avoid that.
They leave that up to the nationstate to bad guys.
and they, they even will, uh,try and avoid some non-profit
education.
Obviously there's not a lot ofmoney in that.
They've even recently, althoughthere's a lot of information,
the healthcare industry, startedto shy away from that, as well,
(06:21):
it's just an overwhelming task.
Uh, and so it's so much volumeof information that they're
actually looking for the smallto medium size companies that
haven't maybe done all of thethings that they could be doing,
to install on their computers.
And there's also.
The last two years in particularwith everyone being remote, how
(06:46):
are those remote desktopprotocols, being used and how
many sign-ins procedures do youhave to go through to get into
the network?
Some have been rather weak andthat's been a weak point in the
last couple of years.
and, and I'll pinpoint Canadacause it's, it's been one of the
poster children of, the badguys.
(07:07):
They.
Canada, certainly the U S andAustralia and Europe.
Those are their top four, butthey, they look at Canada as
some small to mid-sizedbusinesses that just have
installed all that they canthere's costume to doing,
getting your it up to snuff.
Moderator (07:26):
when you talk to businesses about their cyber
insurance needs, what is thebiggest misconception that you
encounter?
David Gray (07:35):
Yeah.
The biggest misconception isthat a security breach is
something that happens is aquick, and it's a short
duration, like a break in, onyour home.
And it, it sort of goes alongwith the myth that, oh, if we
could do daily backups we'rewe're okay.
and the issue is that these badactors may have been sitting
(07:55):
quietly in your system formonths, watching all of the
activity.
Including how and where thebackups are stored banking,
information, et cetera.
they may even be using yournetwork to run ransomware into
other businesses, to hack, orthey could be harnessing your
computer power to mine forcryptocurrency for that matter.
(08:19):
So it's a misconception that,um, it's a quick and short
duration.
These security breaches.
Moderator (08:28):
I was digging around on this.
I found an IBM study from 2021.
It's called the cost of databreach report.
And it estimated that theaverage total cost of a cyber
breach is four and a quartermillion dollars.
With the average cost for thefinancial industry is
substantially higher at closerto$6 million.
Those are big numbers.
What's driving them.
David Gray (08:49):
So there, there's a number of factors that play in
those driving the numbershigher.
I mean, first due to thesophistication of these
breaches, and the time toidentify the breach and the time
to contain the problem, that'sgrowing that timeline.
In fact, there was a net 2019study by Ponoma that, The
(09:11):
meantime to identify a breachwas 203 days and 72 days to
contain it.
That's a very large length oftime and a long time for a
business to be potentially outof business.
Uh, let alone the cost torestore the data, uh alone can
be very costly.
there are also, Increasing costsin the litigation by customers
(09:34):
or shareholders.
and if there was any personalinformation still.
The businesses may have tomonitor a customer's credit
ratings for a couple of years,depending on the province or the
state that it happened in.
Uh, cause there's all sorts ofregulatory requirements around
that.
and it goes without sayingransom demands of.
(09:55):
And while the largest one I'veheard of was around$40 million
demand.
a recent cyber webinar that Ihad with a key insurance company
in north America, they actuallyhandled a$10 million demand.
So those are driving thesecosts, uh, exponentially.
Moderator (10:17):
Well, that was a fascinating discussion.
David Gray.
Vice-president at Gallagher.
Thanks for joining us today andsharing your insights on
Canadian and equities.
David Gray (10:26):
Thanks for having me, Rob.
Note that this podcast is notmaking an investment
recommendation on any companiesdiscussed.
We welcome your comments ontoday's episode or any other
episode.
Connect with us at AcumenCapital dot com.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Las Culturistas with Matt Rogers and Bowen Yang
Ding dong! Join your culture consultants, Matt Rogers and Bowen Yang, on an unforgettable journey into the beating heart of CULTURE. Alongside sizzling special guests, they GET INTO the hottest pop-culture moments of the day and the formative cultural experiences that turned them into Culturistas. Produced by the Big Money Players Network and iHeartRadio.