The Insurance Bureau of Canada (IBC) states that any organization selling products through e-commerce channels or maintaining electronic customer records is exposed to cyber liability. Companies hit with hacks and breaches could face cyber liability lawsuits besides exposing thousands of records that can cost them millions of dollars to remediate.
What is cyber insurance?
Cyber insurance came on to the market in the early 2000s, though there were few providers and the main threats covered were unauthorized access, viruses, and network security. The coverages also looked a lot different then than they do today.
“Earlier iterations of cyber policies focused more on third party indemnity coverage and defense. As it continued to evolve, markets began adding first party coverage for notification, credit monitoring, identity restoration, crisis management, and public relations,” said AmWINS’ executive vice president of professional lines Richard Fernandez.
“In the beginning, these first party coverages were sub-limited and now, the vast majority of markets will provide full limits on their forms. Regulatory fines and penalties, PCI fines and penalties, cyber extortion and first party business interruption followed soon after. Over the past few years, system failure coverage, social engineering, dependent business interruption and property damage to hardware and devices have been added. Typically, 12 months have not gone by without some sort of advancement in the scope of cyber coverage.”
Why do companies need cyber insurance?
Air Canada’s mobile app, the town of Midland, ON, and Google+ are among those to have fallen victim to cyberattacks and breaches in recent months, revealing the cybersecurity risks that all businesses need to take heed of and prepare for as threats rapidly evolve from standard viruses to zero-day vulnerabilities and polymorphic malware.
With the new mandatory breach notification regulations enforced in Canada, businesses should also have a heightened awareness of the need to comply with guidelines around record-keeping of data breaches and customer notification set out by the federal government, as should their brokers.
The Ponemon Institute’s most recent study around the costs of data breaches in Canada stated that the average total cost of a data breach for companies in the country was $5.78 million in 2017 based on actual data loss incidents that affected 27 companies across 12 industry sectors. Cyber insurance can keep companies, no matter their size, from feeling the heavy weight of a data breach on their bottom line.
What does cyber insurance cover?
Cyber liability insurance, which is often excluded from a general liability policy, can offer a variety of coverages to businesses for breaches involving sensitive customer information. This includes:
- First party coverage to reimburse them for expenses incurred from the cyberattack
- Third party liability to protect insureds in the case of a hack of their data that impacts another business
- Other coverages can also include business interruption, privacy liability, costs of notifying customers, legal expenses, recovering compromised information, and repairing damaged computer systems
Some products will also offer risk management tools to help businesses mitigate against cyberattacks and ensure they’re in the best position possible to deal with a breach when it occurs. This can involve guidance on incident response planning and coverage for crisis management expenses, if forensics teams and public relations consultants need to be called in to address the breach and determine its source.
How can brokers help clients determine their cyber insurance needs?
Brokers advising commercial clients about cyber insurance can help them determine their exposures by asking a set of questions outlined by IBC:
- How many records containing personal information does your organization retain or have access to?
- How many records containing sensitive commercial information does your organization retain or have access to?
- What security controls can you put into place that will reduce the premium?
- Do all portable media and computing devices need to be encrypted?
- What about unencrypted media in the care, custody or control of your third-party service providers?
- Could you make a claim if you were not able to detect an intrusion until several months or years had elapsed?
How can insurance brokers sell cyber insurance?
With more than one in five Canadian companies reporting that they were hit by a cyberattack in 2017 according to a Statistics Canada survey, brokers can help educate their clients on the importance of cyber insurance, the changing regulations, and the range of options available on the market today to suit each customer’s needs. Matthew Davies, VP and product manager for professional, media and cyber liability at Chubb Canada, recommends they do a deep-dive of their clients’ risk profiles to find the best coverage.
“It’s sitting down and doing an analysis with the client as to what they think their exposures are – if you handle private information, customer credit card numbers or account numbers, then you need to think about why are you collecting that information, what are you doing with it, who are you sharing it with, what are you doing with it when you finish with it, and how are you getting rid of it,” he said, adding that business interruption is another factor that should be considered in this discussion.
“What would be the consequences if you couldn’t use your computer at your business for an hour, for a day, for a week, and being able to measure with the client what would be the financial
consequences to the organization if you had a ransomware event that led to a business interruption event or that led to your private information being breached.”
Small and medium-sized businesses can be a particularly hard sell on cyber, but being clear that there are affordable choices is one strategy that brokers can use.
“It’s very much a tug of war of education and preparedness, and getting them aware of the exposures, aware of their liabilities,” said Michael Kalakauskas, national underwriting specialist for Trisura Guarantee Insurance Company, and while many SMEs might think that they don’t have an exposure or that because they don’t hold on to financial records, they don’t need coverage, brokers can be ready to change their minds with this comeback. “You definitely have an exposure – it may not be as much as you think, but let’s see what would price out now for a standalone $250,000 or $500,000 policy.”