BOXX Insurance’s Website: www.boxxinsurance.com
On May 6, 2025, CAFII hosted a webinar titled A Conversation on Cyber-Security Challenges in the Insurance Industry: The Risks and How to Mitigate Them. CAFII’s Research Analyst, Robyn Jennings, moderated the webinar and was joined by leading cybersecurity expert Neal Jardine, BOXX Insurance’s Chief Cyber Intelligence and Claims Officer. The conversation focused on the prevalence of cyber threats and explored ways in which financial institutions (FIs) can safeguard against security breaches and cybercrime.
Many representatives from CAFII’s 14 member companies and 12 Associates attended the webinar, as did representatives from allied industry associations such as the Canadian Life and Health Insurance Association, or CLHIA, and the Travel and Health Insurance Association, or THIA. Many insurance and financial services regulators and policy-making authorities attended as well, including the following government organizations:
- The Insurance Council of British Columbia;
- The Government of British Columbia;
- The Government of Alberta;
- Québec’s Autorité des marchés financiers, or the AMF;
- The Financial Services Regulatory Authority of Ontario, or FSRA;
- The Financial Consumer Agency of Canada, or FCAC; and,
- The Federal Department of Finance.
R. Jennings began the webinar by thanking Neal Jardine and asking what attracted him to cybersecurity. N. Jardine explained that he has long had an interest in the subject; however, when he entered the insurance sector in 2005, it wasn’t yet a matter of interest. This changed in 2014, when cyber claims began to surface, many of which were initially managed by lawyers. Jardine was curious about how hackers were gaining access to various mainframes, what they were doing, and whether new attack vectors were emerging. This marked the beginning of his gradual shift towards cybersecurity and helping attacked companies recover.
N. Jardine explained what traditional cybersecurity is and how BOXX Insurance differs from other companies in this space. In the 1980s, the traditional cyber market focused on application-based cyber insurance, posing a series of questions to companies to evaluate the controls they had in place. This was a point-in-time verification process; however, the problem with this approach is that attack vectors in the cyber market are continuously changing. The threats are evolving, and the safeguards a company had in place a month ago may become ineffective in the future. He compared traditional cyber insurance to multifactor authentication (MFA). Five years ago, the industry believed MFA would protect against everything. While MFA is still beneficial, it is not as powerful as originally thought, as hackers have discovered ways to circumvent it.
Traditional insurance was initially based on a question-and-answer format, followed by underwriting. Now, underwriting has evolved into a more dynamic approach that utilizes both technology and traditional models. Clients still work through a broker to understand and apply for cyber insurance. Arguably, the most valuable piece of information in the application is the client’s domain, as it enables insurers to adopt a more modern style of insurance in which they scan the client from an external vantage point. This external scan is a security assessment that evaluates exposed ports, leak sites, data breaches, internet keyword sweeps, and more. Thus, where traditional insurance is a point-in-time question-and-answer system, BOXX Insurance has moved towards an underwriting model that conducts scans and checks throughout the entire term of a client’s policy, not just at the time of purchase. This is a proactive rather than reactive model.
Insurance should not merely function as a loss transfer; it must serve a preventative role. Many cyber policies now equip clients with tools to manage potential future attacks. BOXX Insurance is progressing towards an interconnected ecosystem, positioning itself as a component of its clients’ cyber prevention services. This approach is particularly beneficial for small to medium-sized businesses (SMEs), of which there are many in Canada. N. Jardine pointed out that, in the future, most cyber buyers will be SMEs lacking access to those services independently.
R. Jennings asked whether larger financial institutions (FIs) or small and medium-sized enterprises (SMEs) are more at risk of a cyber attack, or if the risk is equal. N. Jardine explained that larger FIs were once considered the primary targets for cyber attacks, but this is no longer the case; these organizations already have robust cybersecurity controls in place. Recently, BOXX Insurance has observed larger organizations seeking to strengthen their supply chains, including the SMEs they work with, because this area is vulnerable. Breaches at the supply chain level can impact the FIs’ reputation and affect its business, as they depend on those smaller at-risk organizations. Furthermore, there are fewer large businesses in Canada than small ones. Consequently, hackers have more options and opportunities with SMEs.
Applying this to CAFII, N. Jardine explained that the Association’s members would likely be interested in contingent business interruption exposure. CAFII members are exposed because of their suppliers, not because of their network failings. Large FIs are interested in monitoring and identifying leaks in their entire supply chain to determine if they want to continue working with that business or diversify.
R. Jennings asked N. Jardine to provide a real-life example of a cyber attack and discuss how organizations should or should not respond. He noted that several types of cyber attacks exist, but financial crime and fraud are the most common. This type is the most lucrative without requiring significant sophistication. One such example is email fraud: hackers identify that one company is working with another, either through social media posts or online advertisements. They then craft an email chain that appears to come from the president of one of the companies to the other company, detailing a conversation that confirms payment for a service or technology invoice. This email chain is forwarded to the accounts payable group, with the fake president’s email address CC’d, requesting payment. If the accounts payable staff decide to check with their president, they often reply to the CC’d address, which is almost identical to the president’s real email address. In short, those employees are speaking to the threat actor posing as the president. Years ago, hackers broke into email accounts looking for real invoices; now, with MFA in the way, hackers are taking a step back and crafting emails and invoices designed to look legitimate.
What should FIs do then? BOXX Insurance recommends that clients send yearly notices to their own clients confirming that their banking information has not changed. If financial information has changed, the client must call the FI at a designated, pre-specified number to provide the updated information.
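As an added illustration, not from the webinar or BOXX Insurance, the following Python sketches the two defensive checks these paragraphs describe: flagging CC or Reply-To addresses that are near-matches of a registered executive’s address, and approving a banking-detail change only when it was confirmed by calling the pre-registered number rather than one supplied in the email. The trusted address, phone number and sample headers are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed directory: the real president's mailbox and the callback
# number registered with the FI before any request arrived (assumed values).
TRUSTED = {"president@examplecorp.com": "+1-555-0100"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(addr: str, max_dist: int = 2) -> str | None:
    """Return the trusted address that `addr` imitates, or None if it is exact or unrelated."""
    addr = addr.lower()
    if addr in TRUSTED:
        return None  # exact match is the genuine mailbox
    for real in TRUSTED:
        if levenshtein(addr, real) <= max_dist:
            return real
    return None

def addresses(header: str) -> list[str]:
    """Pull bare addresses out of a header value such as 'Name <a@b>, c@d'."""
    return re.findall(r"[\w.+-]+@[\w.-]+", header)

def flag_headers(headers: dict[str, str]) -> list[str]:
    """List every Cc, Reply-To or From address that is a near-match of a trusted one."""
    hits = []
    for field in ("Cc", "Reply-To", "From"):
        for a in addresses(headers.get(field, "")):
            real = lookalike_of(a)
            if real:
                hits.append(f"{field}: {a} imitates {real}")
    return hits

def verify_change_request(headers: dict[str, str], claimed_from: str,
                          callback_number: str) -> tuple[bool, list[str]]:
    """Approve a banking-detail change only if no lookalike address is present
    and the confirmation call went to the number registered in advance."""
    reasons = flag_headers(headers)
    registered = TRUSTED.get(claimed_from.lower())
    if registered is None:
        reasons.append(f"{claimed_from} is not a registered contact")
    elif callback_number != registered:
        reasons.append("confirmation did not use the pre-registered number")
    return (not reasons, reasons)
```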
Previously, ransomware groups would infiltrate an organization’s backend or data system, encrypt everything, and steal the data. The problem with this method is that stealing data requires significant time and effort; one must have the appropriate infrastructure to conduct an operation of that scale. As this form of attack became common, many companies recognized what was occurring and began keeping redundant backups outside their backends. This prompted ransomware groups to transition from ransomware as a service to ransomware as data exfiltration. Now, ransomware groups deploy small programs that can be embedded in software components, such as email, that infiltrate a company’s system and siphon off its data. The hackers then extort the company by threatening to release that data online, often on the dark web.
Decades ago, hackers often operated as individuals. Today, hackers, or cybercriminals, are more likely to be part of organized groups. Although individual hackers still exist, the majority of these criminals function like businesses. They often have a president, various divisions, and a coding team. According to information gathered by the FBI in the U.S., some of these organizations even have HR departments and employee retention bonuses. R. Jennings inquired whether these criminals operate as established organizations and if that makes them easier to locate. N. Jardine clarified that it makes them both easier and harder to find. Many of these criminal organizations maintain a presence on the dark web, including sites that list who they’ve hacked and where the information is for sale. This information is readily available, but locating the physical group is challenging. They often mask their IP addresses or target regions of the world different from their actual location. Some countries have less stringent laws concerning cyber crimes; in fact, some of these groups are state-sanctioned because governments see it as a means to generate revenue as well. The issue is that when an individual from one of these groups is taken down, the remaining members disperse and form their own organizations, thereby increasing the number of active criminal organizations.
Some of these organizations describe themselves as gangs. They believe that if you pay an invoice or change your banking details because you were targeted, you have made a mistake and are therefore at fault. Decades ago, the world was told that email was the safer form of communication; now the message must be the opposite: email is no longer a secure form of communication.
R. Jennings asked what the balance is between government regulation of cybersecurity and organizations’ own protective frameworks, and whether one is more important than the other. N. Jardine responded that both are essential to addressing this issue. Financial institutions have a role internally, as does the government. People have asked him whether he believes the government should legislate cyber insurance for companies by making it a requirement. He does not think this would be an effective way to protect organizations. Instead, he recommends that the government outline requirements that companies must follow so those companies can decide how to manage risk. R. Jennings asked a follow-up question regarding the international aspect of cybercrime in relation to governmental versus organizational protection frameworks. N. Jardine commented that while cybercrime is borderless, some countries or regions within a country are more frequently targeted than others; the U.S. is the most attacked country in the world for cybercrime. Cybercriminals aren’t necessarily choosing one location over another unless it benefits them to do so. Regarding global cybercrime regulation, the General Data Protection Regulation (GDPR) in the E.U. was excellent and prompted other jurisdictions to develop better controls. The U.S. has strong reporting requirements, which elevate the issue to the Board level. Canada is also performing well with its privacy bills. He noted that, around the world, BOXX Insurance has observed better controls being implemented. Companies are becoming increasingly cautious about information gathering and handling, including proper employee training. N. Jardine expressed that he is pleased companies are being criticized less for simply experiencing a breach and more for what was stolen and how. He gave the examples of Google, Amazon, and Microsoft, all massive companies that experience data breaches and security failures.
Should they be punished for being attacked or for having inadequate controls to protect against such an event, and were those controls reasonable at the time of the attack?
N. Jardine commented that every company will experience a cyberattack at some point. R. Jennings asked him to elaborate on how concerned insurers and FIs should be on a daily basis. N. Jardine reiterated that it is not a question of if but when. He then explained that the fast-growing sector of cybercrime includes cloud outages due to issues with third-party software providers. This echoes earlier comments about the supply chain. An event like this isn’t necessarily malicious, though it can be. For example, CrowdStrike experienced an outage that was not malicious but resulted from a code error that managed to bypass their controls. The silver lining is that as more individuals purchase cyber insurance, we achieve a better spread of risk; with improved risk distribution, we can collect more data, and the more data we have, the better premiums we can develop.
Where are insurance companies most vulnerable? R. Jennings listed issues such as legacy systems and the hesitancy to adopt emerging technology. N. Jardine replied that these are inherent hindrances, because the industry will always have to deal with them. AI has enabled more creative cyber attacks, but there are no AI-related restrictions within cyber policies. The industry is already starting to see losses stemming from AI; it understands that and accepts it. Vulnerabilities have emerged in areas such as accountability and privacy. Air Canada, for instance, created a chatbot that provided a passenger with incorrect information regarding a refund. The passenger sued. Air Canada argued in court that it was not responsible for this misinformation, but the court disagreed, ruling that Air Canada was liable since it was Air Canada’s chatbot. N. Jardine cautioned that risks may also arise from completely rejecting AI and emerging technologies, as employees are likely to use them covertly without proper protections.
R. Jennings commented that a lot of cybercrime seems to succeed by taking advantage of human error. How can organizations protect against this, given that there will always be a human component to work? N. Jardine replied that companies need to build a supportive and transparent culture. Upper management must let their employees know they can question and second-guess decisions, so that when an attack happens, an employee feels comfortable contacting their manager to confirm, for example, payment details. Companies should avoid blaming their employees, the victims of an attack, since these cybercrimes are so sophisticated. R. Jennings commented that it is ironic that human interaction is crucial to thwarting cyberattacks amidst all these emerging technologies and security protections. N. Jardine agreed.
N. Jardine spoke about businesses that are not typically considered at risk of cyberattacks. Some cybercrimes are not about data extraction but about halting a company’s ability to operate. Cybercriminals can use this kind of leverage to extort money from non-FIs, such as hydro companies or hospitals. Speaking of hospitals, N. Jardine commented that many threat actors avoid hospitals because attacking them can damage their reputations, and these criminal organizations depend on their reputation to operate.
While no single sector within the insurance industry stands out, sectors and organizations holding large amounts of data tend to be attacked more often.
R. Jennings concluded the webinar by asking N. Jardine if he is optimistic or pessimistic about the future of cybercrime. He replied that he is optimistic. More and more people are talking about cybercrime and cyber insurance. Education matters. The worst thing that happens when a cyberattack occurs is that no one talks about it. We need to continue spreading awareness of this issue without any shame or stigma attached.
R. Jennings thanked N. Jardine for his time and the insightful conversation and invited K. Martin to conclude the webinar.