Cybersecurity insurance has become a popular tool among Canadian businesses for managing risk, a recent survey conducted by the Canadian Internet Registration Authority (CIRA) has found.
The study, which involved a national representative sample of 500 IT specialists, has revealed that almost 60% of Canadian businesses have taken out cyber coverage amid the rising threat of cyberattacks. Half of these organizations have purchased cyber cover as part of their business insurance policies, while the other half bought a separate “cybersecurity-specific” policy.
The findings also showed that more respondents felt that the volume of cyberattacks has increased during the pandemic. According to the research, 36% of businesses believe that COVID-19 has triggered a rise in cyber incidents last year, up from 29% in 2020 when the coronavirus outbreak began.
“[In 2021, the] adoption of cybersecurity insurance is growing in parallel with the growing number of cyberattacks,” CIRA wrote in its analysis of the survey results. “At the same time, expenses are soaring due to hefty ransoms paid to hacker groups and massive fines paid to regulators policing the storage and transfer of personal information online.”
From the insurers’ perspective, the analysis noted that the spike in cyber insurance applicants and their perceived levels of risk has created a situation where “the insurance providers can be pickier about who they cover and what requirements they can ask of their clients.” These requirements include having cybersecurity measures in place and these being regularly audited by third-party specialists.
CIRA’s survey also revealed that most businesses reported their brokers making at least one change in their cyber insurance policies the past year. Increased premiums topped the list of changes at 35%, followed by “requests for new forms of proof/verification of cybersecurity measures being in place” (34%), and revised eligibility requirements for obtaining or renewing coverage (29%). About a quarter of respondents also said that the reimbursement amounts for ransomware attacks were reduced.
“Stepping back and taking a wider perspective of the cybersecurity insurance picture shows an industry that’s still emergent and still agreeing on the standards,” the group explained. “The increased risk environment puts the power in the hands of insurers, who can demand higher premiums from customers while putting more escape clauses in their contracts.”
“That leaves some companies either wondering if it’s worth it to buy cybersecurity insurance, or if it’s worth it to continue paying rising premiums,” CIRA added. “Considering the potential impacts of a cybersecurity attack against the difficulty in securing it and the costs of recovery might help factor into the calculus of buying a policy.”
What does cybersecurity insurance cover?
Cyber criminals do not discriminate based on a company’s size, MicroAge, a Fort McMurray-based IT products and services provider, pointed out in an article posted on its website.
“If they can find your network, they can attack,” the firm wrote. “For this reason, every business, no matter what size, needs to be prepared and look at cyber insurance.”
MicroAge added that each business faces a different set of risks as each also holds different data.
“The number of clients a business has, the data that is collected from these clients, and the sensitivity of the data collected are all factors that influence the risk levels of the business,” the company noted. “The risk level will influence the requirements from insurers as well as the type of cyber insurance coverage and premiums businesses can apply for.”
The firm also listed down several key coverages under cyber insurance policies that Canadian businesses need. These include:
Edmonton-based brokerage firm Foster Park Brokers classified businesses into two categories – “those that have been breached and know it” and “those that have been breached and just don’t know it.”
The company added that with the number of businesses experiencing data breaches rising in recent years, the market for cyber insurance has also grown substantially. However, unlike other forms of insurance, the firm noted that cyber coverage does not entail a “one-size-fits-all approach.”
“Most cyber policies are offered a la carte, allowing policyholders to negotiate terms and conditions and purchase the coverage that fits their needs,” Foster Park wrote on its website. “To ensure your business has best-in-class cyber coverage, it is critical to assess your business and consider the specific risks you wish to insure. The level of coverage your business needs can vary depending on your range of exposure.”
The firm then listed down several items relating to cyber insurance policies that businesses need to consider when building the ideal coverage. These include:
A cyberattack can cost businesses millions of dollars. Because of this, Foster Park recommends that companies first ensure that their overall limits are in line with their risk level. This can be done by comparing the anticipated costs associated with a data breach to the limits of liability available. After this, examining the sublimits is the next critical step, the company adds.
“Many cyber insurance policies impose sublimits on specific areas of coverages, including crisis management expenses, notification costs, and regulatory investigations,” the firm explained. “So, while your policy may provide you with $5 million of coverage, specific areas could feature considerably less protection.”
“The sublimits found in cyber policies are often inadequate, but they are easily negotiable,” the firm added. “Just be sure that your organization secures sublimits that make sense in relation to your specific exposures. Finally, make sure that the policy’s aggregate limit applicable to all coverages is not less than the total of all sublimits.”
A standard cyber insurance policy often places a limit on coverage for breaches that occur prior to a specified date, even if the claim is made during the policy period, according to Foster Park. Typically, this date is that of the policy’s inception, which means businesses will not be covered for any breaches that happen before the policy period.
However, the firm added that cyber breaches can go undetected for months or even years, this is why getting retroactive coverage that goes earlier than the policy’s inception date is crucial in ensuring that businesses are protected against unidentified cyber incidents. Retroactive coverage is commonly available for periods of one, two, five, or 10 years but some insurance companies offer unlimited retroactive coverage, the company noted.
Foster Park also advised businesses to evaluate new insurance policies to find out what the standard exclusions are and how these could impact coverage. Among the common exclusions in cyber liability insurance, according to the brokerage firm, are outdated software, unencrypted mobile devices and data, card issuer fines and penalties, bodily injuries, and acts of foreign governments.
Most organizations enlist the services of cyber experts and legal professionals to assist them with their cybersecurity needs. However, this may become an issue as insurers often require policyholders to use preapproved investigators, consultants, and legal professionals in the event of a cyber breach. This could prevent businesses from using their preferred or “trusted” professionals, with whom they have a pre-existing relationship with, because these experts are not on the preapproved panel.
According to Foster Park, organizations can typically negotiate the terms of their policy upfront to include preferred third parties although in most cases, the preferred professionals will have to work with their insurers to get approved during the underwriting process.
Most cyber insurance policies also contain consent provisions that require businesses to obtain the insurer’s consent before incurring certain expenses related to cyber claims.
“If prior consent provisions are included in the policy and cannot be removed, policyholders should at least change them to ensure that the carrier’s consent cannot be unreasonably withheld,” Foster Park suggested.
The third-party vendors that companies use to process or store their data also present a potential exposure. Because of this, Foster Park recommends that businesses make sure that their cyber liability coverage includes breaches caused by their vendors.