TORONTO — A new report on cybersecurity trends says several industries will be on the defensive as criminals increasingly target gift cards, loyalty points and other non-cash transactions.
The 2018 Aon cybersecurity report said that airline, retailer and hospitality sectors will be under pressure to adopt more innovative ways to protect themselves and customers from points theft.
The theft of loyalty points creates a dilemma because it’s not yet clear how they’re covered by business insurance policies, Aon Canada’s Brian Rosenbaum said Tuesday.
“The question is: Who are they stealing from? And what are they stealing?” Rosenbaum said.
If the theft is considered a loss of something owned by the points provider, it might be covered by a fairly standard commercial crime policy.
However, if the theft is considered the loss of confidential information entrusted to the company by customers or business partners, it might be covered by a cybersecurity policy — a newer but increasingly common insurance.
“And maybe it’s neither, depending on how the policies are worded,” Rosenbaum said.
The multinational advisory firm said in its 2018 cybersecurity report that many industries — including those with points programs — will be expected to prove they’ve taken every reasonable precaution to address the risk of breaches.
In Canada, that’s a very elusive standard because it’s not yet clear what needs to be done.
“Do you have to have IT continually patching your system? Do you have to have monitoring and auditing in a very significant way? … Do we need to have a bug bounty program?”
So-called bug bounties — a way to reward ethical hackers who find bugs so they can be exterminated — have been used to good effect by tech companies.
Aon’s global report predicts that airlines, retailers and hospitality companies will also add bug bounties to their arsenal of cyber defences — following the lead of tech companies and financial services providers.
Rosenbaum said Canadian companies have begun making inquiries but he doesn’t think bug bounties will become common in this country yet — and for good reason: “I think there’s bugs in the bug bounty program.”
One impediment, Rosenbaum said, is that many companies don’t want to publicize their vulnerabilities but one of the motivations for ethical hackers is getting recognition for their accomplishment.
“My sense of it is that there has to be a better understanding of what the individuals get and the companies have to be clear about what they’re prepared to give … in order for these to be viable working relationships.”