It’s little wonder that cyber insurance is among the fastest-growing types of coverage. Not only are cyber attacks and breaches occurring with increased regularity, the nature of cyber threats is also changing. Although the high-profile breaches impacting larger organizations are most heavily discussed in the media, small and medium-sized organizations are just as likely to be hit by a cyberattack.
Accounting for 87% of enterprises in Canada, small and medium sized organizations have fewer resources to protect themselves, which makes them an attractive target for cyber criminals.
Research conducted by the Ponemon Institute in 2017 discovered the most prevalent attacks against smaller businesses to be phishing/social engineering (48% of respondents) and web-based (43% of respondents). Respondents said that cyberattacks in 2017 were more targeted, severe and sophisticated compared with the previous year.
It is estimated that approximately 60% of small to medium enterprises that have experienced a cyberattack did not have adequate cyber coverage.
“The increase of high profile cyber events has really piqued the interest of business owners,” says Suzanne Tavaszy, Regional Underwriting Manager (Quebec/Atlantic) at RSA Canada. “I am in regular communication with broker partners, especially those who specialize in cyber, and they tell me that conversations on cyber insurance are now being initiated by clients. This is a real shift from a few years ago, when it was up to the broker to open those conversations and convince clients of the value of cyber coverage.”
A comprehensive cyber policy features both first and third-party components. The third-party aspect is triggered when an insured business faces litigation as a result of a network security event or data liability event. The first party component covers business interruption and costs incurred to manage, contain and resolve a breach, which could include, but are not limited to, IT forensics, PR fees and access to an Incident Manager, who can immediately assess the situation, triage the response and initiate any mitigating process that is required, such as arranging for experts to attend the scene.
While the third-party component is clearly important, in reality, a client may not necessarily face a lawsuit after being targeted by a cybercriminal. First party features, however, are crucial in the aftermath of almost any cyber-related event. Although the vast majority of cyber coverages have some form of first party component, it’s critical for the broker and their client to know exactly what first party coverages their policy provides, Tavaszy explains.
“In an overwhelming number of cases, a small to medium-sized business will need the expertise of an IT forensics professional following a breach and is likely to lose some revenue due to business interruption,” she says. “The strength of the first party cover is key in order to get back up and running as quickly as possible and eliminate any potential lingering threat or “back door” left by the hackers. Furthermore, if the business can mitigate and manage the first party aspect as efficiently as possible, they are significantly reducing the chances of a subsequent lawsuit from affected parties.”
There are various cyber products available to small and medium-sized businesses. A common offering is what Tavaszy describes as a “reimbursement-type endorsement”, a first-party only coverage which is generally offered as an add-on to property or other types of policies, with a limit of up to around $25,000. There typically has to be a known and confirmed breach for this type of cyber add-on to be triggered, which is problematic because anyone who is not an IT forensics expert may find it difficult to ascertain if a network or computer issue can actually be attributed to a breach.
“That means it is the role of the business to establish and prove that the breach has occurred, which takes time and resources,” says Tavaszy. “The business is also responsible for finding the IT forensics professional or any other service required in order to resolve the breach and notify affected parties as necessary. So, their network is down and they have to source a suitable IT person and arrange for them to come and address the issue. Only then can they submit the claim.”
Tavaszy instead advises brokers to seek out cyber policies that are triggered in the event of an actual or suspected breach. She also reiterates the importance of business interruption coverage, which can turn out to be critical for small businesses operating on thin margins. Examining the added services offered in conjunction with the cyber coverage is another important step when searching for the ideal cyber policy.
“Many of the cyber coverages available in the market, such as the RSA cyber product, come with additional services and resources to facilitate the quick and effective resolution of a breach. An example of this is the provision of an Incident Response Plan with 24/7 access to a breach coach who can guide the business through the process and involve the required professionals, whether it be IT forensics, public relations etc.,” Tavaszy says.
“The accessibility to these services, usually offered by large, global, and highly-specialized firms empower the business. They provide them the peace of mind that comes with having 24/7 support and access to the useful tools and experts that will protect their business and minimize any damage.”
Help clients understand the importance of cyber coverage:
Hiring a dedicated IT professional overseeing the company’s systems and networks does not replace the need for a policy that will protect a business in the event of a cyber liability event.
Storing third party data in the cloud through an external service provider is certainly common, but in the event of a breach, the company collecting the data is responsible for first party costs. Liability may be increased depending on the specific contractual agreements in place between the business and the cloud provider.
Cyber coverage for any business that employs humans and has computers on-premise is just common sense, just like getting property insurance as a result of purchasing a sprinkler system.