Dangerous Assumptions and Serious Consequences in Cybersecurity

Bennett Jones LLP

It's not the kind of news a retail giant wants to make. In May 2017, Target agreed to an $18.5-million settlement to resolve a 47-state investigation into a massive 2013 hack. This settlement put Target's total cost of the breach at $202 million. More than 40 million customers had their credit or debit card information compromised after hackers accessed Target's server. Access was gained through credentials stolen from a third-party vendor.

Companies can be more vulnerable than they think when it comes to cybersecurity—and dangerous assumptions can lead to serious consequences. Bennett Jones’ Cybersecurity group hosted panel discussions where firm members joined insurance and security experts to discuss emerging patterns and threats in cybersecurity. Panels were held in Toronto and Calgary. Key takeaways were:

  1. Cyber insurance can be a part of the solution, but there are potential pitfalls. It's a developing market and not everything is covered or well-integrated with other coverage elements. It's also essential to identify the scope of the coverage and tailor it to a company's needs. It's not typically an off-the-shelf product.
  2. Third-party vendors are a critical piece in cybersecurity. Companies must make them a part of their overall strategy, ask the right questions and monitor their performance. Ultimate responsibility cannot be delegated to a third party, but third-party risks can be managed.
  3. Employees who are properly trained and motivated are in some ways the firm’s “intelligent agents,” and one of the strongest lines of defence. The obverse is also true—insiders, whether by accident or purposefully, have proven to be a main cause of serious cyber breaches.
  4. Directors can face exposure. There is the possibility for personal exposure of directors in cybersecurity breaches. Further, in some claims against a breached organization, plaintiffs may not need to prove actual damages to succeed based on the new tort of “intrusion upon seclusion.”
  5. A comprehensive understanding of the organization's information assets and systems, risks and vulnerabilities is needed to protect it. This includes knowing who has access to confidential information—and if everyone who does really needs it.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bennett Jones LLP | Attorney Advertising
