Canada Life breach exposes bigger cyber risk for benefits industry: experts

‘Employee benefits data has become really high value identity data,’ says Norton's Laurie Gatch


On April 20, Canada Life issued a statement notifying stakeholders and its members that it “identified a cyber incident involving unauthorized access to certain applications through an employee account.”

The insurer said the breach had been contained and that its operations remained unaffected. It also brought in external cybersecurity experts and notified the relevant authorities.

While the incident notably rattled plan sponsors across the country, it also forced a reckoning with a question the benefits industry hasn’t really answered.  

“What happens after the toothpaste is out of the tube?” said David Krieger, regional vice president, benefits consulting at BFL CANADA. “Maybe you can never get the toothpaste back in the tube, but you can manage what you've done with the toothpaste that escaped… It doesn't matter what business you're in. Whether you're an insurance company, a pension administrator, a trustee, a third-party administrator, a bank or you're a real estate company, you're an accountant, or you're a consulting firm, or you're a media conglomerate, everybody faces the same cyber issues.”

He believes the threat of cyberattack is keeping C-suite executives awake at night.

"If you asked most of them, ‘What is your biggest threat?’ I bet it's in the top two or three," he added.

Laurie Gatch, strategic relationships leader for benefit solutions at Norton LifeLock, agrees the problem is universal, though the risk, she says, starts with individual behaviour.

"I think in the age of digital first and AI, we just trust too much as consumers," she said. “I don't think we rely on the wealth of resources that are out there to help us.”

Gatch said Canada Life’s data breach should be a lesson learned for the entire benefits industry, as the data held within benefits systems, including medical records, employer details and income levels, makes them a prime target for cybercriminals.

“Employee benefits data has become really high value identity data, if you think about it. I mean, why else would a Canada Life be targeted? There's so much high greater value identity data that exists in benefits,” she said.

Still, Krieger argues that Canada Life should not be blamed for the breach as he’s confident the insurer invested heavily in cybersecurity, including hiring firms to test its own defences. The attackers, he says, are simply that good.

The real issue, in his view, is what comes next because once personal data reaches the dark web, employees face real and lasting exposure.

"It’s just not good. There's just all kinds of bad that happens when your stuff is on the dark web and you suddenly have a vulnerability," he said.

Drawing on his own experience after a breach at Casino Windsor, Krieger underscored that the only viable response is getting protective tools in place before a breach occurs, not scrambling after the fact. He also flags company data sitting on personal phones and employees connecting through weak VPNs as underappreciated risks.

"It doesn't take much really, to hack you. If you are on an unsecured VPN, if you're at the airport using their system, you're vulnerable because, for $100 bucks, someone's got a gizmo to hack you," he noted. 

Krieger said concern about cyber risk is widespread, and with good reason. In his view, both individuals and companies should be worried not just about stolen corporate data, but also about the everyday ways information slips beyond formal controls, especially when employees store or share work-related material on personal phones. That kind of behaviour may be against policy, he suggests, but it still happens in practice.

He also sees a strong case for identity and device protection services that cover employees and even their families, but questions whether employers always view the cost as worthwhile when stacked against other benefit spending priorities. That, he suggests, is one of the main barriers to wider adoption.

More broadly, he argues that cyber protection should be treated as a basic necessity, with a larger role for public education and perhaps even government-backed support to help Canadians protect themselves.

From a benefits standpoint, though, Krieger is less certain about how much more insurers can realistically be expected to do. In his view, carriers already have security protocols in place and are doing what they can, even if that cannot eliminate the risk entirely.

Furthermore, Krieger notes that the Canada Life breach was reportedly contained to its CSR system and did not compromise client data directly, which he sees as a relative positive. He also credits the insurer for disclosing the incident quickly. Beyond that, he argues the key takeaway for employers and plan sponsors is preparation.

Late last week, Canada Life issued a statement that confirmed the breach is fully contained, with no signs of continued unauthorized access. The insurer completed a detailed data analysis and has notified all individuals whose sensitive personal information was affected, offering them free credit monitoring.

Advisors and plan sponsors whose clients or members were impacted have also been informed.

“Canada Life takes the protection of personal information extremely seriously. Cyber threats continue to affect organizations across all sectors. We have always invested significantly in our systems, processes and people and are committed to continue to do so to safeguard the information entrusted to us,” the provider said in its statement.

While affected members should accept free credit monitoring, Gatch underscored that plan sponsors should treat it as only one layer of defence. Notably, plan sponsors and members should also place fraud alerts with the credit bureaus, be skeptical of calls, emails and texts, and verify any request through official channels.

She argues that stronger device security, including antivirus, anti-malware tools, VPNs and password managers, is also critical, especially across family devices. She added that people should proactively protect financial accounts by changing passwords and enabling multi-factor authentication.

When it comes to what companies should offer after a breach, Gatch suggests the strongest response goes beyond credit monitoring alone. Ideally, it would combine monitoring with practical guidance, stronger device security, access to remediation support and some form of financial protection if losses occur.

That said, she acknowledged that providing a full suite of services at scale may not be realistic for every organization. Still, she argues that companies should at least pair credit monitoring with clear education on the extra steps members can take themselves, because credit monitoring on its own is not enough.

“There's no downside to not offering a really robust protective layer,” she said. “A premium service is really a comprehensive layer to have even on top of some of this free stuff. There's no downside to it at all. It ensures your families are safe and it has goodwill.”

Rather than treating breaches as one-off crises to be managed reactively, Gatch argues that employers and their benefits consultants should be helping employees develop ongoing digital safety habits. That investment, she says, pays off in both directions: employees who practise good cyber hygiene at home carry those habits into the workplace, strengthening corporate security in the process.

"The safer you make an employee in their own day to day life and habits, the safer your corporate infrastructure is," she said.