Phishing is a technique where cybercriminals send fake emails, texts or websites that look like legitimate correspondence to manipulate employees into gaining access to corporate systems or information.
Key characteristics include: &bull; Tries to trigger a quick reaction from you &bull; Provides a link to a separate website &bull; Typically asks you to "update", "validate" or "confirm" private information &bull; Often imitates an official sender (e.g. your company or government or financial institution)

Spot a phish, protect your business

Cyber attacks are a growing concern for organizations across all sectors&mdash;and with good reason. Globally, the average number of security breaches experienced by a company in the last year grew by 11% from 130 to 145, according to 2019 &ldquo;Cost of Cybercrime&rdquo; study by Accenture and the Ponemon Institute.1 As the number of attacks increases, so too does the cost: CyberSecurity Ventures predicts that global losses related to cyber attacks will reach US$6 trillion by 2021, up from US$3 trillion in 2015. 2 A new report from Aon, &ldquo;Prepare for the expected: Safeguarding value in the era of cyber risk,&rdquo;3 notes that business face financial loss in the form of immediate crisis expenses, regulatory fines and lost revenue from disruption to the business. There&rsquo;s also reputational risk, as an attack can erode a company&rsquo;s market value, destroy brand loyalty and limit a company&rsquo;s digital transformation, notes Aon. Businesses are wisely investing in cyber security&mdash;CyberSecurity Ventures predicts more than US$1 trillion will be spent from 2017 to 2021&mdash;but no measures are 100% effective. That&rsquo;s why it&rsquo;s also critical to have a cyber resilience plan in place, which covers how your organization withstands, responds to, and recovers from a cyber attack or data breach. While cyber resilience plans will look different at every organization, one commonality is the importance of testing those plans. A stress test allows organizations to see how quickly and effectively they react and respond to any given cyber risk. As Deloitte notes in the report, &ldquo;Five essential steps to improve cyber security,&rdquo;4 most organizations have a security management process in place, but few have tested it. Globally, the average number of security breaches experienced by a company in the last year grew by 11% from 130 to 145, according to 2019 &ldquo;Cost of Cybercrime&rdquo; study by Accenture and the Ponemon Institute.1
The report outlines key questions organizations should ask, such as &ldquo;Who should be contacted during and after an incident?&rdquo; and how quickly can you contain a security breach and restore your organization to normal operation?&rdquo; &ldquo;But answering the questions is just part of the equation,&rdquo; Deloitte states. &ldquo;Testing your answers is critical.&rdquo; Here are four best practices for testing your cyber resilience plan: 
<ul>
<li>Get everyone on the same page: As with any large undertaking, C-suite support is the first&mdash;and most essential&mdash;step in creating and testing a cyber resilience plan. As one cyber-security expert notes, without C-suite support, it&rsquo;s impossible for cyber-security leaders to effectively plan for and defend against threats.5 And since cyber security affects every employee, everyone in the organization needs to be aware of the plan and understand their roles and responsibilities.</li>
<li>Conduct a vulnerability scan: In the computing world, a vulnerability is a weakness in a device or system that can be exploited by cyber attackers. A vulnerability scan (or assessment) allows businesses to identify which parts of their system are the weakest and most likely to be targeted, and therefore the most relevant to the cyber resilience plan.6</li>
<li>Carry out cyber simulations: As Deloitte notes, cyber simulations are interactive techniques that immerse participants in a simulated attack scenario to help organizations evaluate their response and preparedness. Some specific attacks organizations may want to test for are phishing emails&mdash;fraudulent emails designed to get people to unwittingly share passwords or financial information, or malicious attachments&mdash;documents that appear to be legitimate, but are actually a virus or malware.</li>
<li>Review and make improvements to your plan: &ldquo;There&rsquo;s absolutely no point running simulated attacks if they&rsquo;ll play no role in optimizing the incident response processes,&rdquo; says another cyber-security expert.7 Determine what worked well and what didn&rsquo;t in your response plan. Identify areas for improvement and adjust the necessary processes.</li>
</ul>
&nbsp;
If you&rsquo;ve followed these steps but feel like you still need some support or guidance, your insurer may be able to help. At Sovereign Insurance, insurance is just one strategy within our broad risk management solutions that can help you protect your business&rsquo;s bottom line and reputation in the event of a cyber attack. For example, in addition to the financial protection typically provided by technology or cyber policies, Sovereign will provide you with access to breach preparation and crisis management services to help you navigate the complexities of data security. The possibility of a cyber attack doesn&rsquo;t have to be overwhelming when you&rsquo;ve stress tested your plan and know it stands up.
&nbsp;
1 Research Report: "Ninth annual cost of cybercrime study." Accenture, March 6, 2019 2 <a href="https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021">"Global Cybercrime Damages Predicted to Reach $6 Trillion Annually By 2021". </a>Cybercrime Magazine, December 7, 2018 3 Media Release <a href="https://aon.mediaroom.com/csuitecyberreport">"Aon report shares C-suite insights as losses from cyber attacks set to reach all-time highs"</a>,&nbsp;accessed December 4th, 2019 4 <a href="https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/risk/ca-en-risk-cyber-5-steps.pdf">"Five essential steps to improve cybersecurity",</a>&nbsp;Deloitte, accessed December 4th, 2019 5 Burley, Ron "<a href="https://www.cpomagazine.com/cyber-security/how-cybersecurity-leaders-can-best-navigate-the-c-suite/">How Cybersecurity Leaders Can Best Navigate the C-Suite"</a> CPO Magazine, September 13, 2019 6 "<a href="https://blog.rsisecurity.com/best-practices-for-testing-your-cyber-incident-response-plan">Best Practices for testing you Cyber Incident Response Plan"</a> RSI Security, February 8, 2019 7 Reichenberg, Nimmy "<a href="https://www.siemplify.co/blog/testing-incident-response-processes/">Putting Your Incident Response Processes to the Test"</a> Siemplify, July 8 , 2018

How to stress test your business for cyber resiliency

Despite the rise of automation and artificial intelligence technologies, the vast majority of business that gets conducted relies on some sort of human interaction or connection. Employees are an organization&rsquo;s greatest asset, but also remain every organization&rsquo;s weakest link when it comes to defending against a cyber breach. You can implement the latest firewall technology and employ a genius Chief Information Officer, but if all staff members aren&rsquo;t aware of the types of scams that cyber criminals are trying to pull, then chances are your organization could fall victim to a social engineering attack.
<h4>What is social engineering?</h4>
Simply put, social engineering is a form of psychological manipulation that targets the user rather than the computer itself &ndash; and it&rsquo;s proving to be very effective for cybercriminals. It plays on our universal human traits of fear, trust and conformity to get access to information, all without hacking into a system or cracking a code or password.
Your first line of defense might be to invest in antivirus software and firewall (software and physical versions) with intrusion detection capabilities &ndash; and that&rsquo;s a great start. But that won&rsquo;t account for human weaknesses, like a lack of attention to detail or an all too trusting nature.
<h4>The impact on your business</h4>
If organizations don&rsquo;t take measures to educate and train their employees on social engineering tactics, it&rsquo;s more likely that they&rsquo;ll fall for scams, get hacked, experience a breach and become the victim of fraudulent wire transfers. Any of these events can be incredibly costly and could impact the company&rsquo;s reputation. And this can be repeated multiple times if the bad guys find a &lsquo;good victim&rsquo;. In addition to the monetary impact, being scammed doesn&rsquo;t feel good and can take an emotional toll on your employees.
<h4>Phishing tactics</h4>
Phishing is a technique where cybercriminals send fake emails, texts or websites that look like legitimate correspondence to manipulate employees into gaining access to corporate systems or information. It uses social engineering tactics by deceptively preying on employees&rsquo; emotions and relying on them to mistakenly hand over access to target information.
A phishing breach usually occurs when a hacker gets the structure of an organization&rsquo;s email addresses and then sources a list of names of company employees, usually from LinkedIn or the company&rsquo;s own website.
Similarly, a cybercriminal could get the log in details to a company executive&rsquo;s email address and send out emails to other employees directly from that account. They could then either request sensitive information or ask them to send wire transfers on behalf of the company. In many cases, the employee receiving that email will think the request is legitimate and provide the sensitive information or transfer the funds.
Another form of phishing sees hackers send out emails &ndash; again appearing to be from a legitimate email address &ndash; containing a link or attachment.
That link can do a couple of different things: it can send them to a web page with a form which asks them to provide personal information, it can include spyware to gather information on the company (and its employees and clients), or it can include a ransomware file attachment which activates when downloaded. That file will encrypt the files on the user&rsquo;s computer and only unencrypt them when a ransom is paid to the criminal&rsquo;s bank account.
<h4>Tips to protect your business</h4>
Social engineering is something that can be mitigated if employees are well educated. Your first line of defense might be to invest in antivirus software and firewall (software and physical versions) with intrusion detection capabilities &ndash; and that&rsquo;s a great start. But that won&rsquo;t account for human weaknesses, like a lack of attention to detail or an all too trusting nature. That&rsquo;s why it&rsquo;s so important to educate employees on social engineering and phishing, and the specific tactics they should look out for. This can help foster a culture in which employees are alert and cautious with information whether they&rsquo;re online or in-person.
Encourage employees to follow the steps below to reduce the chances of social engineering impacting your organization:
<ul>
<li>Avoid opening emails from unknown email addresses</li>
<li>Create better, stronger passwords &ndash; and change them regularly</li>
<li>Avoid less than reputable internet sites, web and smartphone applications</li>
<li>Cut down on the amount of biographically accurate information you divulge online (e.g. listing your birthdate on social media)</li>
<li>Only use trusted sites when online</li>
<li>Don&rsquo;t click on links you&rsquo;re sent. Instead, open the webpage on your own by typing in the URL yourself to make sure you&rsquo;re going to a legitimate site and not a phishing scam site</li>
<li>Log out of Facebook and other social media accounts when you&rsquo;re not using them and before you close your browser window</li>
<li>Don&rsquo;t choose &ldquo;save my password&rdquo; or &ldquo;remember me&rdquo; when logging onto any type of account, as these credentials can be stolen by hackers</li>
<li>Follow the company&rsquo;s &ldquo;new vendor/account change&rdquo; protocol to verify clients before sending wire transfers above a certain predetermined threshold. This could involve requiring employees to call vendors (using the phone number in your files, not the one in the email) before making the transfer.</li>
</ul>

Social engineering: your business is at risk from human blunders

Managing Risk

Infographic

About us

Diversity and Inclusion

Newsroom

Claims

Contact us

As accountability in corporate leadership continues to broaden across a wider range of issues, legal challenges remain a significant concern for businesses. In Sovereign Insurance&rsquo;s annual Q&amp;A series, <a href="https://www.sovereigninsurance.ca/our-team/toronto/eduard-lecker" title="" target="">Eduard Lecker</a>, Senior Underwriter, &nbsp;Management Liability, shares his insights on key loss trends and exposures in this area in 2024 and what organizations should be aware of in 2025 as new risks take shape.&nbsp;
What were the key loss trends and exposures you saw in 2024?
The key loss trend in 2024 remained consistent with the previous year: an increasing number of claims focused on environmental, social and governance (ESG).1 These legal actions&mdash;which can be initiated by consumers, shareholders and investors, and environmental advocacy groups&mdash;are typically centred on allegations related to greenwashing and climate change. For example, a company might make misleading claims about its environmental strategies or fail to disclose climate-related risks, which can expose them to significant legal and financial risks.&nbsp;
What are some emerging risks to keep an eye out for in 2025?&nbsp;
One emerging risk is claims related to artificial intelligence (AI). As more companies use AI, there&rsquo;s a growing risk of misrepresentation about what these systems can do. Some tech companies may overstate AI&rsquo;s capabilities. Companies using AI for hiring, financial reporting, or ESG decision-making are especially vulnerable, as they could face legal action if the technology doesn&rsquo;t live up to expectations. For example, AI systems that filter job applicants can have unintentional biases, and companies may claim that AI can replace human decision-making&mdash;when, in reality, there&rsquo;s still a lot of human oversight involved. If AI tools generate inaccurate reports&mdash;like pulling up the wrong numbers&mdash;and those figures influence critical decision-making, legal claims can arise. Similarly, when companies use AI to track their environmental impact, inaccurate data could also expose them to risk.
There are a couple of emerging issues in the U.S. to keep an eye on, as developments there often follow suit in Canada. Under the new U.S. &nbsp;leadership, there are rollbacks in climate policies and diversity, equity and inclusion initiatives. For example, the U.S. has pulled out of the Paris climate agreement, which could prompt companies to scale back their own sustainability effects. This could expose them to legal challenges from groups that feel misled by these changes.&nbsp;
With the current trade war between the U.S. and Canada, there&rsquo;s growing sentiment around &lsquo;Buy Canadian,&rdquo; but labelling what qualifies as Canadian-made is complicated. For instance, a product might contain American apples processed in Canada but is labelled as being made in Canada. If a product doesn&rsquo;t meet legal definitions of terms like &lsquo;Product of Canada&rsquo; or &lsquo;Made in Canada,&rsquo; this could lead to claims. &nbsp; For example, if incorrect labels lead to misrepresentation of a product or its origin, it could lead to claims of misrepresentation or breach of contract.&nbsp;
We&rsquo;re also keeping an eye on U.S. cases in which directors and officers are facing personal liability in lawsuits. Holding directors personally liable for their decisions could lead to more legal challenges and impact decision-making at the top level. &nbsp;
How can organizations mitigate these risks?&nbsp;
For AI, it really comes down to transparency. Don&rsquo;t overstate, misrepresent, or overpromise what AI can do, and understand the legal consequences of any claims you make. It&rsquo;s similar to how companies should approach environmental strategies&mdash;be transparent about your actions and results. Like the saying goes, &lsquo;understate, overperform.&rsquo;
For the developments that we&rsquo;re watching in the U.S., it&rsquo;s difficult to say how to mitigate against them because there are still a lot of unknowns. When it comes to labelling Canadian products, it&rsquo;s important to be aware of the legal requirements. Transparency is key here, too&mdash;if there&rsquo;s any uncertainty, you can direct customers to your website where you outline your process, which some companies are starting to do. If you&rsquo;re not misrepresenting your actions, you&rsquo;re far less likely to face legal issues.&nbsp;
Sources 1 Jan. 31, 2025: Moodys, &ldquo;D&amp;O series &ndash; Evolving risks in the boardroom: A new era of D&amp;O liability &ndash; Part 3&rdquo; 1 Aug. 22, 2024: McCarthy Tetrault &ldquo;Greenwashing and AI Washing: Emerging Trends in D&amp;O Claims Across North America&rdquo; 1 Oct. 22, 2024: &ldquo;The Insurer: Greenhushing &ndash; An emerging D&amp;O liability?&rdquo;

Loss trends and emerging risks in 2025: Management liability 

Hot Topics

As businesses continue to rely on essential machinery and equipment, the risk of damage and breakdowns remains a significant concern. These incidents can disrupt operations, lead to costly repairs and result in extended downtime. &nbsp; As part of our annual Q&amp;A series, <a href="https://www.sovereigninsurance.ca/our-team/calgary/razvan-ionescu">Razvan Ionescu</a>, Manager, Equipment Breakdown Underwriting, Large Accounts &amp; Operations at Sovereign Insurance, shares insights into key loss trends from 2024 and emerging risks that organizations should be aware of in 2025.&nbsp; What were the key loss trends and exposures you saw in 2024? If we were to look for trends in the equipment breakdown insurance industry, the most notable phases would be the heating season and the cooling season. In colder months when heating systems are activated, for example, boilers that are used for heating buildings might experience breakdowns. This happens because they haven&rsquo;t been used for an extended period and when they&rsquo;re restarted, can fail due to improper shutdowns or lack of maintenance during the off-season. Similarly, with cooling systems, a lack of ongoing use and maintenance can lead to mechanical failures. In addition to seasonal concerns, we continue to see typical breakdowns of production machinery, transformers, and other equipment that businesses rely on day in and day out. This can be caused by issues like aging equipment, wear and tear, and lack of preventative maintenance.&nbsp; What are some emerging risks to keep an eye out for in 2025? One emerging risk I&rsquo;ve seen is a shift from traditional generators to electric or lithium-ion batteries as backup power sources or to reduce the on-peak service use. While generators have been in use for a long time, some businesses are turning to electric batteries. This shift brings new risks, especially when it comes to maintenance and exposure. With traditional generators, you typically need a mechanical specialist on-site to keep things running smoothly. But with electric batteries, the high-capacity maintenance is usually handled by the OEM (original equipment manufacturer), who monitors the battery&rsquo;s performance in various ways, for instance, through remote monitoring. So, the whole approach to upkeep is different. A big concern here is fire risks. Batteries are prone to something called thermal runaway, which is a chemical reaction inside the battery that causes it to overheat and potentially catch fire. This can happen without the presence of oxygen, which makes it more dangerous than other types of fires. If a thermal runaway event happens, it could damage the entire battery system, which might cost a company hundreds of thousands to replace. And of course, there are significant human safety risks with any type of fire. In contrast, if something in a backup generator breaks down, it&rsquo;s typically a mechanical issue that can be fixed &ndash; similar to how you would repair a car. How can organizations mitigate these risks? To keep machinery and equipment running smoothly and safely, the best approach is to follow the OEM recommendations. For example, if the OEM advises performing thermal scanning on batteries on a regular basis, it&rsquo;s important to stick to that schedule. There&rsquo;s a well-known saying: &ldquo;If you don&rsquo;t schedule maintenance, your equipment will schedule it for you.&rdquo; By regularly scheduling maintenance, you can ensure it&rsquo;s completed on time and reduce the chances of delays in sourcing spare parts. When it comes to batteries, there are also specific best practices to follow around proper use, storage, transportation, and disposal. Organizations should familiarize themselves with these guidelines to minimize risks. For any type of equipment, preventative maintenance is essential. Although insurance policies are designed to cover profit losses during downtime, the key is to maintain uninterrupted service to customers.

Loss trends and emerging risks in 2025: Equipment breakdown

From distracted driving on busy highways to the explosive rise of quick e-commerce deliveries on city streets, the landscape of risk is rapidly shifting for the transportation sector. As part of Sovereign&rsquo;s 2025 Q&amp;A series, Kevin Dutchak, Senior Risk Specialist, Commercial Auto, provides insights into the key loss trends of 2024 and offers practical advice on how businesses can mitigate risks to protect their operations this year and beyond.
<h4>What were the loss trends and key exposures you saw in 2024?</h4>
Distracted driving is still a big issue and it&rsquo;s becoming even more significant with the growing use of technology in the industry. Technology can be great, but it can also be distracting. For example, some drivers try to map out routes on the fly, and in the e-commerce delivery space, drivers are constantly looking at addresses along residential streets. These kinds of distractions may lead to a lot of loss incidents.
Additionally, traffic seems to get busier all the time. During rush hour and with ongoing construction, it&rsquo;s like that old video game, Frogger, with drivers switching lanes back and forth, speeding, suddenly cutting in front of other drivers, and trying to get ahead of everyone. Statistics show that road travel continues to be the riskiest form of transportation, from property loss and minor fender benders to serious injuries and fatalities. When you add distracted driving and traffic congestion into the mix, it can increase the risk significantly.
Driver controls are another ongoing issue. For example, there are cases where drivers took short cuts to try to save time. But that winding two-lane highway with limited passing lanes, for instance, can put you more at risk, especially in winter conditions.
<h4>What emerging risks should businesses be aware of in 2025?</h4>
Climate change and severe weather events are becoming more of an issue for the transportation sector. We&rsquo;re seeing more frequent storms and extreme temperatures, which can cause delays and put drivers in unsafe situations.
While cybercrime is becoming more of a risk in many industries, I don&rsquo;t see much of that in trucking yet. But as more companies integrate artificial intelligence into their operations, they should ask what they&rsquo;re doing to protect themselves so people can&rsquo;t hack into that and use it to their advantage.
<h4>How can organizations effectively mitigate these risks?</h4>
When it comes to distracted driving, the key to mitigation is the constant reminder that driving is your job 100% of the time. You can&rsquo;t afford to compartmentalize your thinking&mdash;you have to concentrate on the road because it&rsquo;s such a fluid situation.
Sound defensive driving practices are also critical. I&rsquo;m surprised at the number of fleets that don&rsquo;t provide that training, assuming that because their drivers have a licence, they don&rsquo;t need it. But despite our best efforts, we can all become complacent, distracted and forgetful. So, companies need to get the focus back on training. It&rsquo;s an investment in your drivers that can pay dividends.
In terms of driver controls, trip management programs can mitigate risks. Managers should have discussions with drivers to outline expectations: Here is when we expect you to be on the road, this is the route we expect you to take, here&rsquo;s when we expect you to stop. When there is an interruption to the plan due to situations such as poor road and weather conditions, traffic delays on route and driver fatigue, protocols should be in place for drivers to communicate with dispatch and operations staff to keep them advised, which in turn can be communicated to their clients. The safety of drivers and other road users is always the top priority. Telematics can also be used to monitor drivers&rsquo; routes and ensure drivers are following the proper procedures, such as speed limits and safety protocols.
If a driver does have a significant loss event, it&rsquo;s critical for companies to take effective corrective action, such as retraining or a driver interview. Often, a lack of corrective action can lead to further and more significant losses.
For weather events, fleet operations should focus on forecasting models, if they aren&rsquo;t doing so already. When severe weather conditions are imminent, companies should consider shutting down operations in the affected areas; all drivers should find the first safe place to park, advise dispatch of their status and stay in place until the shutdown order is lifted.

Spot a phish, protect your business

Spot a phish, protect your business

You may also like

Connect with us

Let's stay in touch