by the Insurance Bureau of Canada
Cyber crime is on the rise and is no longer a threat only to large enterprises. According to a report by IBM (see Note 1), the average total cost of a data breach to Canadian organizations in 2022 is an estimated $7.3 million. While larger organizations may be able to invest in sophisticated security systems, cyber criminals are beginning to target smaller organizations that may be less prepared to guard against cyber attacks. As the demand for cyber insurance increases, so do the frequency and severity of claims. Without a proper cyber security plan, some small business owners may find it challenging to secure cyber insurance coverage.
Knowing what insurance companies are looking for before you start shopping around can help you get the coverage your business needs. Here is an overview of some cyber insurance basics and what you can do to help you secure cyber insurance coverage for your business.
What is cyber insurance and what does it cover?
Cyber insurance is a specialized product intended to help businesses manage losses caused by computer networking threats such as data breaches and cyber extortion. Cyber insurance can cover a range of cyber events, including:
- breaches of confidential data: the loss of and unauthorized access to confidential or personal information
- cyber extortion: a demand for payment under the threat of restricting your access or compromising your data; for example, a ransomware attack
- technology disruptions: a technology failure or denial-of-service attack, which prevents access to your online services
Cyber insurance can help cover many costs from a successful cyber attack, including legal representation, notifying affected parties, hiring a firm to investigate the cause of the breach and restoring damaged or corrupted data.
The most common cyber policies in Canada are stand-alone policies that are specific to your cyber risks. But, for specific needs, some business owners may opt for an endorsement (also known as a rider) that can add, remove or exclude cyber coverage, as needed.
What does an insurance company need to know about your business?
When applying for cyber insurance coverage, insurers will want to assess your risk of experiencing a cyber attack. Questions an insurance representative might ask you include:
- How would you describe your operations (e.g. how many employees you have, who your customers are and a breakdown of your revenue)?
- When was the last security and privacy audit performed and were all recommendations implemented?
- Do you have a dedicated Chief Privacy Officer or Chief Information Officer?
- What information do you collect and do you need to collect this information? (Tip: consider reducing the information collected to reduce your exposure to a privacy breach.)
- What security measures do you have in place to prevent access to your facility and systems?
- What is the annual budget for all cyber protection controls?
In general, if you can demonstrate you have implemented strong risk management strategies, insurers may be able to offer you coverage at a lower premium, compared to businesses with a higher risk of a cyber attack.
Get started by self-evaluating your current cyber security practices
You can develop a sustainable and effective cyber security program by doing a self-evaluation of your current cyber security posture. The Canadian Centre for Cyber Security (the Cyber Centre) offers guidance in the following areas to help improve the cyber security of your critical infrastructure:
- Educate: It is important for your organization to offer guidance and awareness on cyber security for employees. Ensure employees have access to tailored cyber security training to recognize their responsibilities and help manage risks to your organization’s systems, assets, data and capabilities.
- Prevent: Ensure there are safeguards in place for all systems and data that are critical to your business’ services. For example, enforce multi-factor authentication (MFA) on all accounts and devices to help protect information from being accessed by unauthorized users.
- Detect: Develop procedures and use software logging tools to detect breaches and alert management as soon as a cyber security incident occurs. Detecting incidents will help reduce the spread to other devices and data for an effective response and recovery.
- Respond: Create an incident response plan that includes containment and mitigation strategies, informing affected individuals and reviewing audit logs to understand the root cause (some of the costs of these activities will likely be covered by your cyber insurance policy).
- Recover: Restore areas and services that were damaged during the cyber security incident and record mitigation and recovery strategies for future cyber attacks.
(Note: This is not a complete list of cyber security strategies. You should consider hiring a cyber security specialist to discuss the full range of strategies that are appropriate for you.)
As cyber attacks become more common, businesses of all sizes can no longer afford to ignore the risks. All businesses, but especially those that have an online presence and use e-commerce, are encouraged to contact their insurance representatives. They can help you determine if cyber insurance is right for your business and make sure that you have the appropriate insurance coverage to help cover your risks.
Most importantly, a cyber insurance policy is just one component of an overall risk mitigation strategy, not a replacement for cyber resilience. Visit Cyber.gc.ca for more information on protecting your business against cyber risks and IBC.ca for more information on cyber insurance.
Note 1: IBM (2022). How much does a data breach cost in 2022?