The growing need for a cyber insurance ‘backstop’
“The cyber market is growing,” said Mahan Azimi, research analyst policy development with the Insurance Bureau of Canada, during a telephone interview from his office north of Toronto. In fact, in the provinces of Alberta, British Columbia and Ontario, it is the “fastest growing” sector of insurance. It is “a small but rapidly growing line of business,” he said.
Seismic shift
When the pandemic first hit in 2020, many found themselves suddenly shifting to working from home and “digital processes moved online,” he said. With that, “incidents of cybercrime, like ransomware, has significantly increased.”
Even now, as the pandemic appears to be passing, “the cyber criminals are getting more aggressive going after businesses,” the need for cyber insurance remains just as important.
“Cyber insurance is a great backstop in terms of a cyber loss,” he said. There is “more awareness” of the problem, with workers “waking up to the risks of remote work.”
In fact, that very day, the bureau had released its new “Cyber Savvy Report Card.”
Among the takeaways:
Seventy two per cent (72%) of respondents reported at least one behaviour that could potentially compromise their employer’s cyber security or data, like allowing family members or friends to use their work computer (7%), share their work login or password by email or text (5%), use the same password to access multiple websites for their work (27%) and use public Wi-Fi while using their work computer (23%).
Thirty per cent (30%) of surveyed employees do not believe cyber criminals would target them at work and 28% of respondents say their employer is solely responsible for protecting their workplace from cyber threats.
Only 34% of respondents report that their employers provide mandatory cyber security awareness training.
According to a bureau press release, the survey polled 1,525 Canadians working at small and medium-sized businesses (defined as businesses with fewer than 500 employees) and their employers.
But cyber insurance should be seen as a “compliment” to a company’s cyber security policy, “not the be all and end all” to that policy, Azimi cautioned.
By taking strong steps to “improve their posture” when it comes to preventative actions to protect the business online, those businesses “will be eligible for a broader coverage” of insurance.
He pointed to a 2021 cybersecurity survey by the CIRA (Canadian Internet Registration Authority) which found that, in relation to cyber insurance:
“Fifty-nine per cent (59%) of organizations have cybersecurity insurance coverage as part of their business insurance…29% have a cybersecurity-specific policy.”
“Most organizations with cybersecurity coverage say their provider has increased premiums or requested new forms of proof of the corporate cybersecurity measures in place.”
More generally, between the summer of 2020 and 2021, “almost one in five organizations have been the victim of a successful ransomware attack. Of that group, a majority, 69%, say their organization paid the ransom demands, while 59% report that data was exfiltrated.”
When trying to find the right coverage for your business, Azimi told leaders to ask this question: “What are you protecting (yourself) against? No one size fits all.”
Policies
There are cyber insurance policies “covering a range of events,” he said, with some “advanced coverage” including any legal costs from a ransomware attack, for example, or any civil damages that may come out of a hack, and even forensic investigation or public relations help that may be needed. A cyber policy may even come with a 24hr phone line to call if you think you have been a victim of a cyberattack and need advice.
“It gives you that peace of mind that you have someone you can call,” Azimi said. “A good policy is one that responds to the needs of the business…we encourage organizations to speak with their insurance representatives.”
Co-operation
The bureau is working with the federal government on cyber education: “We see it as a shared responsibility…to educate consumers. We want Canada to be cyber safe,” Azimi said.
He pointed to the Canadian Centre for Cyber Security in Ottawa as a great “resource for business.” The centre can be contacted via 1-833-CYBER-88 (1-833-292-3788) or [email protected]
“A business can call if they have any questions,” he said.