Mikel Pearce, insurance defence and coverage lawyer at Strigberger Brown Armstrong LLP, recently delivered a webinar about cyber insurance for CIRA. Here are a few of the key takeaways.
1. The #1 reason businesses seek cyber insurance is to cover the expenses of recovering from and responding to an attack
The costs of a cyber-attack aren’t as simple as, for example, just the ransom being demanded. Breach recovery costs include expenses related to forensic investigation, legal, PR, notifying those affected, credit monitoring, identity theft restoration, getting your business back up and running, reputation management and more.
2. What else does cyber insurance cover?
Social engineering and fund transfer fraud coverage can also be arranged. These, along with breach recovery costs, are examples of first-party coverage. Cyber insurance is a bit of an oddity compared to other types of insurance, because cyber policies also include coverage for the costs of, and potential damages arising from, lawsuits, whether they are class actions or brought by organizations with which you do business (this is referred to as third-party liability).
3. Everyone – even small businesses – is a target for cyber attacks
It’s not if you’re hacked, it’s when. Smaller breaches are out there, but they do not get the same media coverage. In fact, smaller companies can be easier for criminals to attack. This is especially true since so many hacks are automated and so do not discriminate based on the size of your business. If they can find your network, they can execute.
4. Every business has different data and therefore different risk
How many clients/customers you have, how many data points you have on them, and how sensitive the data is are all factors in determining risk levels for your organization.
For instance, healthcare data has a different risk profile than perhaps a financial account. You can change a password or monitor your credit after a breach, but there’s nothing you can do if something like a medical diagnosis gets out.
5. The COVID-19 pandemic has changed the cybersecurity landscape
Attackers have taken advantage of the crisis: ransomware incidents and the amount of ransom requested have increased, and with more people working from home, there are more vectors to attack.
6. Security controls affect your policy pricing
The presence or absence of security/technical features such as MFA and encryption is an underwriting consideration – meaning it will affect your premium.
7. Some security controls may even be required to obtain or renew cyber insurance
Insurance companies are losing money paying out cyber claims, so some are starting to require things that will help prevent a breach, like MFA (read more in ITWC) and employee phishing training programs such as CIRA Cybersecurity Awareness Training.
Regardless of insurance requirements, SMEs should be implementing baseline controls, like those described by the Canadian Centre for Cyber Security.
8. If you can’t afford cyber insurance, you can’t afford a breach
The costs to mitigate cyber risks – including technical controls, employee training, and cyber insurance – are orders of magnitude lower than a cyber loss, which can bankrupt SMEs. And again, it’s not if you’re hacked, it’s when.
9. Cybersecurity insurance is evolving quickly
While it isn’t new, there has been a flurry of options entering the market. It can be hard to keep track of the changes, and what coverage you can get with a cyber policy.
10. Talk to a broker if you’re interested in purchasing cybersecurity insurance
There are many options on the market; a broker will help you find a policy that meets the needs of your business.