The day my brokerage was hacked: What I learned

By David Gambrill | June 20, 2025 | Last updated on June 20, 2025

Brokerages should use standalone policies for cyber coverage, and should counsel their clients to do the same, says a prominent Canadian property and casualty insurance broker whose brokerage experienced a cyber breach.

Traci Boland, a partner and manager of Ontario West Insurance Brokers and Bill Blaney Insurance Brokers Ltd., appeared before the Insurance Brokers Association of B.C.’s AGM and Leaders’ Conference in Whistler, B.C., on June 11 to provide a first-hand account of what it was like to have her brokerage hacked. The experience left her shaken, she said, but she learned something very important as a result of the ordeal.

“I am so thankful that I have a standalone cyber policy,” she told brokers attending the conference seminar, Reality Check: The Day My Brokerage was Hacked.

“I have spoken to many brokers across this big country of ours who are relying on an endorsement on their office [commercial insurance package],” Boland said. “I’m here to tell you, I would have blown through that $20,000 in the first four days.

“Nobody in this room should have a [cyber] endorsement. You need to have a standalone policy. And you need to sell standalone policies to your clients.”

Beazley Canada handled the brokerage’s response to the breach, which happened a year ago.

Beazley claims manager Andres Hinojosa, who accompanied Boland onstage, was directly involved in the brokerage’s cyber claim. He referenced Boland’s comment about spending $20,000 on a cyber claim in four days.

“Twenty thousand [dollars] actually lasts you probably two hours,” he said. “Because the moment you need a forensic investigation, an IT/computer expert, depending on how big your systems are…the cheapest [expert] we will find in a single-business compromise, which is the most standardized type of computer security review, is about 10 grand [$10,000] in Canada.

“And if you have a ransomware, or your environment is larger, you can be upwards of $500,000.”

Boland gave a personal account of what happened at her brokerage, which she described as “the worst thing that happened in my career, ever.”

She credited two people involved in her brokerage’s breach response, whose services were available through the brokerage’s standalone policy, for helping her make it through the breach. Flanking her on stage were Hinojosa and Mouna Hanna, national chair of the cyber, privacy and data protection group of Whitelaw Twining LLP, neither of whom she had met in person until the conference.

“If it had not been for the two people sitting on this stage [with me], I would not have survived it, and neither would my business,” Boland said.

The hack

Boland recalled driving her mother to an appointment when she received a call from her business partner letting her know that none of the staff could access the company’s systems. Challenge Number 1 was trying to contact the IT people to check it out, since all of the contact information was on the computer systems they couldn’t access.

Boland had the information stored on her phone, and made the call. Her business partner phoned back and said IT reported it was a hack. She said there was a ransom note, but it took a while to find it. They were able to get their office systems up and running for clients within 24 hours.

But that was just the beginning. Challenge 2 was trying to get in touch with Beazley, since the cyber policy and claims information was also on the computer systems that were down.

Challenge 3 was trying to keep emotions in check while navigating through the breach response. Boland said many people don’t account for the emotional impact of the event.

“I’m really trying not to instill fear in everybody, but I was having nightmares of people outside of my house because of this cyberattack,” Boland said. “And I was alone, trying to deal with this, and keep my staff safe [and deal with] the immense guilt to my clients that their information was now on the dark web.”

Notification requirements

At the same time, Hanna said, Boland had to deal with very thorny issues such as breach notification requirements. And not just to regulators, but to insurers, too.

“I would venture to guess that some of you may not know there are potentially very strict notification obligations in your contracts with carriers that would force you to be transparent about it very early on, unless you start thinking about this kind of stuff in advance,” said Hanna. “This is what we’re reminding you of in the first week of the incident.

“We’re trying to throw 8,000 different balls in the air, making sure none of them are dropping. Traci did a phenomenal job at being able to navigate the different challenges while being a strong force for her staff.”

One of Boland’s more difficult calls was when to tell her clients that their private information had been breached. Some prefer to delay notification until they have a clearer picture of exactly what data was stolen. Boland, on the other hand, chose to disclose sooner rather than later. She said she and her business partner were on the phone constantly, notifying clients about the breach.

She said about 2% of the brokerage’s clients were “extremely mad.”

“One guy was extremely upset that his Netflix account was hacked because of my hack,” said Boland. “Honestly. I asked him if he used the same password with Netflix and Ticketmaster and he said yes, and I said, ‘Well, it wasn’t me.’”

Overall, Boland said, “I feel good about my decision to tell all of my clients. I feel that reputationally, and sitting up here on the stage now, I feel like getting in front of it and speaking about it and telling my clients was the right decision to make.”

Lessons learned

Because of the standalone cyber policy, Boland had access to Hanna’s counsel during the breach response, which Boland said was invaluable to her.

Hanna noted she has access to experts who negotiate with threat actors. She suggested one thing learned from these discussions is that brokerages should protect information stored in their computer systems about their cyber insurance policies. Cybercriminals will use things such as policy limits as leverage in a negotiation.

“We were dealing with one incident where the threat actor would not budge from [a ransom demand of] $1-million,” Hanna said. “And we thought, ‘This is really weird. Usually this group, we know their behaviours. We know that they generally negotiate down 50%.’

“Thankfully, our threat negotiators have all this intel because of all the work they do in the area. So, we’re getting advice from the threat negotiators that this threat actor was not budging from $1 million.

“And we came to find out the cyber policy is on the system. [The cybercriminals] found it, and they knew [the company] had $1 million in coverage. But guess what? [The company was] stuck. They were sunk. They had to pay. They had no backups.”

On the subject of backups, Hinojosa urged brokerages to make sure their data is backed up. Also, they must be able to access their backups when all other systems are down.

“The reason why I’m saying this is because we had this one big organization that had a ransomware [attack], and they had backups. They were not going to pay the threat actor because they were able to, in their mind, get the data, restore it, and get back to normal. However, someone along the line in the organization forgot to pay Amazon Cloud, and so the data they thought they had….”

Hanna said sometimes the legal counsel provided on a file can sound much like psychological counselling. She said organizations will always come out “the other side” of a ransomware attack, but the experience will leave a mark on someone after it’s over.

“You will get to the other side, I promise,” Hanna told brokers in the room. “It may not look the same as when you started. You may be wiser. Really, this will stay with you for a while, but you will get to the other side.”

David Gambrill

David has twice served as Canadian Underwriter’s senior editor, both from 2005 to 2012, and again from 2017 to the present.