A person would have to be on a deserted island to not be aware of the increasingly frequent occurrence of cyber-attacks in the world of politics and business. Whether it is Russians hacking into American elections and the World Anti-Doing Agency, activists disclosing secrets of the Central Intelligence Agency through Wiki-leaks, or internet-based businesses like Yahoo and Amazon experiencing the theft of millions of customer records – cyber risk is now very real. It would seem that no computer system is safe from a determined hacker or digital thief. As I write this piece, just as Canadians begin their income tax filing, the Canada Revenue Agency has shut down all its online services to address “internet vulnerabilities” (which may be code for “hackers”).
From my vantage point of teaching a 4th year sport risk management class at Brock University and liaising regularly with a colleague in the specialized sport and recreation insurance market (Nancy Au of Pearson Dunn/Jones Brown), I have recently concluded that cyber risk has now gone mainstream and should be on every sport administrator’s radar. Just a year ago I would have said that a typical sport organization’s insurance needs were very well-served by a comprehensive general liability policy (CGL – the essential insurance policy that protects you against the catastrophic loss), a Sport Accident policy (to deal with minor sport injuries), a Directors and Officers liability policy (to cover the ‘indemnity’ granted to board directors under corporate legislation) and maybe a Property Policy if the sport organization had an established office and owned a sizeable amount of equipment. Today, I would say that a typical sport organization has to also think about cyber risks and corresponding cyber insurance.
What is cyber risk? The dictionary defines it as any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems. ‘Failure’ can be many things: accidentally contracting a virus that corrupts data and systems, someone in your office carelessly clicking on a phishing link and letting an outsider into your network, an outside person deliberately hacking into your network to paralyze your operations, or an outside person stealing data from your network for their own purposes or to sell to others. Some hackers are now so bold as to seek (and receive!) a ransom payment from an organization, business or individual in return for getting their data restored and their systems up and running again. The perpetrators of cyber-attacks have also included disgruntled ex-employees who are familiar with their former employer’s internet systems and who did not have their access revoked as part of the termination process.
Recently in Major League Baseball, a scout for one team stole scouting data from another team, resulting in a cyber-espionage conviction, a lifetime ban from working in the league, the team’s loss of two 2017 draft picks (which went to the team that had its data stolen), and a team fine of $2 million USD (also payable to the team that had its data stolen). Closer to home, the Canadian Centre for Ethics in Sport (CCES) had its computer systems attacked in the Fall of 2016, resulting in significant interruptions to its normal operations under the Canadian Anti-Doping Program (CADP) for over three weeks. This interfered with the management of athlete whereabouts data, the issuing of the necessary paperwork that accompanies the doping control process, and DCO online training in paperless doping control. If there was any compromising of confidential information, the CCES is not saying. As well, staff of the CCES were prohibited from using office email for the entire time. (Some staff have relayed to me that there was a small silver lining to this – it was nice to pick up the phone and actually TALK to people).
My insurance colleague Nancy has shared with me the results of a recent study of cyber-attacks done by Chubb Insurance Company. Out of 900 claims studied, 9 out of ten of the attacks were discovered by an outside party (embarrassing!) and 97 percent of the attacks could have been prevented using simple precautions. Eight of ten resulted from the actions of outsiders, meaning that about 2 in ten of the cyber-attacks were perpetrated by insiders, which I find startling.
From a risk management perspective, what I think is unique about cyber risks is the multiple layers of potential losses and damages. These form a series of concentric circles not unlike ripples that would spread across the watery surface of a pond into which you have thrown a pebble. Initially, cyber-attacks will cause problems to your own computers, network and data. These are called "first party” damages. These will usually, in turn, cause problems to other organization’s computers, networks and data. These are "third party” damages. Moving on, these damages will usually lead to privacy breaches including theft of personal or financial information belonging to customers or members, and loss of valuable corporate data. This can lead to lawsuits. But it doesn’t end there – Canada’s privacy laws allow the government to impose hefty fines and penalties. But even after this your woes continue! – because all of these layers of harm that you have experienced mean that your normal operations are being disrupted and your image and reputation are in tatters. You are operating in full crisis management mode, possibly all because someone connected with your organization carelessly clicked on a harmless-looking link in an innocent-looking email.
The FBI has said “There are two types of organizations today: those who have been hacked and those who will be hacked”. I have also read a quote in a risk management article suggesting that soon the greatest risk an organization may face is the one that lies between the “finger tips and the keyboard” (or the thumbs and teeny-tiny screen of a smartphone). Cyber risks are on the rise because of a shift to ‘BYOD’ (Bring Your Own Device – meaning that because most people don’t want to carry two mobile devices, employers allow them to use a personal device for professional purposes), a rise in e-commerce across the board, expanded use of social media platforms by everyone and the trend towards cloud computing. All of these factors are rapidly changing the cyber landscape. As well, there are legislative and regulatory pressures and we will soon see throughout Canada a legal requirement to report ALL cyber breaches to the Office of the Privacy Commissioner who will in turn determine if the organization or business must report the breach to its members or customers. To date, except in Alberta, there has been no legal duty to report and many organizations and businesses have not done so, even when large volumes of private data has been lost or stolen.
I am no digital or security expert, but what I have learned so far supports the following recommendations for a small sport organization:
#1 – Understand that cyber risks are real and that they require your attention. While large organizations and businesses may have the technology and human capacity to manage this issue, most small organizations do not. A first step is to consult with your insurance broker. These are insurable losses and your insurance broker can also direct you to other helpful resources in addition to insurance.
#2 - Educate your employees, as they may pose the greatest threat to your cyber security. Employees need to be aware of ‘phishing’ scams (emails that look harmless and that invite you to click on a link) and of the importance of strong passwords and other good personal digital habits. Don’t forget about volunteers either, if they are accessing your computer systems. My employer, Brock University, requires me to change my password every 90 days and also requires a robust password which must include both upper and lower case letters as well as numbers and symbols. It’s a hassle to do this but I now understand why I do. And, next week I am attending a 30 minute seminar so I can learn more about phishing and how to avoid being a victim of it.
#3 – Be sure that all desktops in the office, and your employees’ laptops, tablets and personal devices are locked. Best to assume that they will be left unattended or will be lost at some point in time, and having them passcode protected might just save everyone a lot of grief and expense. When I had my iPad stolen at a campground in 2015, I changed all my passwords to everything (which was exhausting!) and also immediately advised my colleagues at the Sport Law & Strategy Group so that their passwords could be changed. My iPad was locked and the thief may not have been able to get past that, but I wasn’t taking chances.
#4 – Consider engaging the services of an IT security expert to review your systems and practices, if you do not have this expertise in-house.
We are planning to offer a future webinar on this topic, so stay tuned.
Note: The views in this blogpost do not reflect the opinions or views of the Canadian Centre for Ethics in Sport, an organization for which I work part-time as a Doping Control Officer Level 1 under the Canadian Anti-Doping Program.