Cyber risk is not just an IT problem; it’s an enterprise problem. When a company suffers a cyber breach, the impacts stretch far beyond the technology or the systems that were compromised. Cyber events can result in business interruption (both primary and contingent), productivity loss, reputational damage, physical damage, and significant legal repercussions and recovery expenses.
Often, hackers will steal information like customer and client data, which is held for ransom, sold, or used to gain an unfair competitive advantage. Ransomware – a type of malware that threatens to publish a victim’s data or perpetually block access to it unless a ransom is paid – is one of the most prominent issues that the cyber security community is dealing with today. In recent years, the frequency and severity of ransomware attacks have increased significantly, prompting heightened awareness of cyber risk and the need for cyber insurance.
According to the Canadian Centre for Cyber Security, cyber criminals are increasingly engaged in big game hunting, focusing their attacks on large enterprises that “will not tolerate sustained disruptions to their networks and are willing to pay large ransoms to quickly restore their operations”. This trend has resulted in a dramatic uptick in the value of ransom demands, with multi-million-dollar ransom events becoming increasingly common at the upper end of the spectrum.
This has had a significant impact on the cyber insurance industry in Canada and around the world, where insurers are seeking more rate, introducing coverage restrictions, and tightening up their underwriting guidelines to ensure the sustainability of the cyber insurance business as the threat landscape expands.
Cyber insurance is a comprehensive solution, explained Cindy Huang (pictured), Senior Underwriter, Cyber and Professional Liability at CNA. There are two parts to a cyber policy: first-party coverages, which pick up expenses associated with responding to and remediating a breach; and third-party coverages, which pick up liability arising from a cyber incident or breach.
“First-party expenses could include hiring a forensic firm to come in and investigate where the breach originated from, how to fix it, and the removal of that malware,” said Huang. “It also includes notification costs, as companies must notify individuals if their personal information has been compromised, and the cost of hiring a public relations firm to manage and deliver communication about the breach. Cyber policies also provide coverage for extortion, including ransomware payments and hiring breach coaches to negotiate with bad actors, as well as covering costs associated with business interruption as a result of a cyber breach.”
The key thing for brokers and clients to understand, according to Huang, is that cyber insurance is not just a policy; it’s a risk management solution. Almost all cyber policies in the market today come with value-added services to assist clients with pre-breach mitigation, post-breach response, and general cyber hygiene. For example, CNA recently expanded its broad suite of cyber liability insurance products and risk control resources with the launch of CNA CyberPrep, a proactive program of cyber risk services designed to help companies take a holistic approach to cyber threat identification, mitigation and response.
Taking a holistic approach to cyber risk management is important for all businesses, regardless of the size of the sector. Huang commented: “Hackers aren’t picky around who they target. Nowadays, they’ll hit any system they can get into, so it’s no longer a matter of if a company gets breached, but when.”
There are different things that companies can and should do to mitigate their cyber risk, depending on their size and their risk management resources. For example, Huang explained that a “good” enterprise risk to CNA is: “any organization that has invested in a cybersecurity program, which can include hiring an experienced Chief Information Security Officer (CISO) and having an adequate IT budget allocated to improvements to their security posture.”
While smaller businesses may not have the same resources to dedicate to cyber security, there are plenty of basic and cost-effective actions that they can take to improve their cyber hygiene. This is something that the insurance broker force can help with, according to Huang.
“It’s important that brokers educate their clients that cyber isn’t just an IT problem; it’s an enterprise problem, and it requires continuous investment to increase their security posture,” she told Insurance Business. “This includes things like improving their technical controls, using the most up-to-date firewalls, and implementing multi-factor authentication (MFA). Brokers should also advise their clients to prepare an incident response plan, so when they do experience a breach, they know exactly what to do and who to contact. Usually, when an incident response plan is implemented and tested, the claims are less severe because the insured knows exactly what to do.”
Regular cyber awareness training is also key. Huang commented: “Employees are usually the weakest link to an organization’s network. Just one click of a button can release malware into a network, so investing in formal cyber awareness training is important.” That’s especially true in this day and age, with the majority of employees working remotely due to the COVID-19 pandemic, and perhaps are slightly less diligent with their cyber security than they would be in a formal office setting.
There are various vectors that hackers are using to get into networks, and as Huang stressed, no business is immune to this risk.