The stakes are rising for Canadian and US firms alike.
Cyber threats are on the rise, and companies do their best to protect against them. But it is also possible to insure yourself against the financial fallout, should the worst happen. Is it something you should consider?
Cyber-insurance has taken off since the mid-2000s, as cybercrime itself became a more commercial enterprise. Botnets emerged as a real threat, criminals began swiping credit card numbers by the millions, and advanced persistent threats – in which bad actors lurk within systems for months, or even years – gained prominence.
Despite all those threats, companies typically don’t pay as much attention to cyber-insurance as they do to other kinds of protection. In a recent report on the subject, the Insurance Institute of Canada said that global cyber-insurance premiums represent less than 0.5% of the estimated cost of cybercrime. It compares this to global auto insurance premiums, which exceed international estimates of vehicle collision damage.
The difference? One of these kinds of insurance is mandatory, and the other isn’t.
Still, word is catching on, and cyber-insurance seems to be a growing market. In April 2014, reinsurance company Marsh identified a rising interest in cyber-insurance. The number of clients purchasing it increased 21%, it said. Finance was a particularly hot growth area, with a 29% increase. These figures were US-based, though.
Clearly, big-ticket breaches are a key driver here. No one can watch the Targets and the Home Depots suffer such destructive attacks without feeling a chill. Increased threat awareness is also a factor, as is the requirement for coverage imposed by third parties, such as your own customers.
What kind to buy
So, what kind of cyber-insurance can you buy? There are two main kinds of coverage: first-party and third-party. The former covers the internal costs that a company will typically incur during a cyber breach. These are many and varied.
For example, a security breach may destroy critical business data that must then be recovered. And system downtime may cost the company business, which can be seen as an internal cost.
As soon as a breach is detected, many companies will bring in third-party experts to forensically analyse the attack. These experts will typically need to work with the legal team, because the artifacts left on the system by the attackers may need to be used in evidence. And of course, there will probably be lawsuits against the company that an external attorney may need to deal with. Then, there is customer notification to think about, along with reputation management.
Third-party coverage typically covers the other costs, which fall outside of the victim’s own domain. For example, if the privacy breach causes damage to other people’s data, such as client information, then this would typically fall under a third-party policy. And if an industry regulator takes an interest, perhaps levying a fine, a third-party policy should handle this as well.
Recent events in Canada will make cyber-insurance a more appealing sale. On June 18, 2014, the Digital Privacy Act became law. It introduced significant fines for companies that violate individual privacy, ranging up to $100,000 per violation. It also included mandatory data breach notification rules, forcing companies to notify the Federal Privacy Commissioner of a privacy breach.
The stakes are definitely rising. Will risk managers begin factoring cyber-insurance into their protection strategies?