As cybersecurity attacks and data breaches have become increasingly prominent and costly, it is essential that organizations have the proper policies and procedures to protect themselves against significant financial and reputational harm. However, these attacks and breaches cannot be eliminated entirely, even with the most robust security safeguards. Therefore, cybersecurity insurance can act as a last line of defense by protecting an organization from significant financial harm when a breach ultimately occurs. Effectively, businesses can use cybersecurity insurance as part of a holistic approach to managing cybersecurity attacks and data breaches. This article will discuss the importance of cyber insurance policies by providing an overview of the serious threats organizations commonly face today, what cybersecurity insurance is and what it offers, and the limitations of cybersecurity insurance policies.
Serious threats to organizations
According to a report prepared by an American telecommunications company, the most common threats organizations currently face are hacking and network intrusions,1 social attacks,2 and malware and end user attacks.3 Moreover, 69 percent of these attacks were perpetrated by third parties or “outsiders”. The industries most affected by these attacks were public sector entities, healthcare organizations, and financial and insurance organizations.4 Ultimately, the report indicates that all organizations are at risk and can fall victim to these breaches, regardless of size, industry or level of security measures.5 Therefore, it is essential that organizations have a last line of defense to mitigate the significant financial harm they will face when security measures fail and a breach occurs.
In general, traditional business insurance products do not provide coverage for losses resulting from cybersecurity attacks or data breaches.6 Instead, insurers offer specialized insurance products to businesses as protection against cyber-related threats, either as stand-alone policies or as components of larger suites of coverage. Cybersecurity insurance policies typically provide coverage for both first party7 and third party losses8 suffered as a result of a cybersecurity attack or data breach.
Although there are coverages commonly offered across the industry, the scope of this coverage varies from insurer to insurer, and policy to policy. By identifying what specific risks affect the business, an organization can effectively negotiate with insurance companies to ensure they receive an appropriate policy that is refined and tailored to the organization’s risks. When analyzing an organization’s potential exposure, some questions to consider include:
- Is the company a data vendor or data owner?
- Are there overseas operations or call centres?
- What is the extent of the company’s internet operations?
- What is the extent of the company’s reliance on cloud storage and cloud computing?
Limitations of cyber insurance
Although cybersecurity insurance is an important tool for businesses in protecting against significant financial harm, it is important to understand its limitations. By understanding these limitations, businesses can ensure they have the appropriate internal practices and procedures to integrate with the insurance coverages, and minimize any gaps where coverage may not be available. The most significant limitations of cybersecurity insurance policies are: (1) no standard form within the industry; (2) overbearing exclusions;9 and (3) expensive policy premiums.
Unlike traditional insurance products, there is no standard form for cybersecurity insurance products. The terms and language of these policies vary from insurer to insurer, creating considerable confusion and uncertainty within the industry. The language used in the policies can itself be difficult to follow, making it hard to determine the scope of coverage actually provided.10 This lack of clarity ultimately deters businesses from finding the appropriate policy, or from purchasing one at all.
Furthermore, it is quite common for cybersecurity insurance policies to respond to negligent acts only, not deliberate ones. Thus, where a loss results from a breach that arose out of an intentional act, the business may be excluded from receiving any coverage under the policy. This is a major concern for businesses, as there has been a significant rise in individual and class action lawsuits relating to privacy breaches intentionally committed by employees.11
Lastly, cybersecurity insurance policies tend to be quite costly, as cyber threats continue to evolve and occur more frequently. In fact, the policy premiums can be significantly disproportionate to the coverage amount offered. This often deters businesses from purchasing cybersecurity insurance, even where it is in their best interest to do so.12
- By understanding what particular cyber threats and data breaches an organization is likely to face, an organization can effectively negotiate with insurers on a policy that includes provisions specifically addressing those risks, and therefore maximize its coverage.
- Always pay close attention to the policy wording of an insurance policy and any defined terms or exclusions.
- Always “shop around” for cybersecurity insurance, as no two policies or products are the same. There are coverages that are commonly offered across the industry, but the scope of coverage ranges from insurer to insurer, and policy to policy. Knowing what losses the organization is specifically at risk for can help an organization decide on what policy to purchase.
- An organization should not rely upon cybersecurity insurance solely, or use it as a substitute to its security measures. Instead, cybersecurity insurance is an important but limited tool that can help prevent the organization from significant financial harm when all other lines of defense fail.
In short, once an organization establishes what type(s) of coverage it requires, it can effectively identify which product is the most desirable option. Moreover, it is important for organizations to shop around, compare the insurance products each carrier offers, and review each policy’s wording to understand the full scope of the coverage being offered. By doing the legwork at the outset, businesses will maximize their protection under the insurance policy and fully reap its benefits.
Although cybersecurity insurance policies are important, an organization should not rely upon them exclusively. Instead, businesses should consider them a last resort when the internal practices and security measures fail. This is especially important for directors and officers of an organization who may be personally liable when an attack or breach occurs. The next article will discuss how directors and officers can be personally liable in the event of a breach, the evolving body of case law in Canada and the US surrounding this issue, and best practices.
A special thank you to Emeleigh Moulton (summer student) for her assistance with this article.
1 According to this survey, it made up 52 percent of all breaches. Companies continue to transition to more cost-efficient cloud-based solutions, and thus there has been a corresponding increase in hacking cloud-based email servers via the use of stolen credentials.
2 According to this survey, it made up 33 percent of all breaches. Cyber threats via social engineering techniques against businesses are rampant according to the Canadian Centre for Cyber Security. The most common method is “Whaling,” which refers to spear-phishing aimed specifically at senior executives or other high profile recipients with privileged access to company resources. Whaling occurs when an executive with authority to issue large payments receives a message appearing to come from a relevant department or employee, urging them to direct funds to an account controlled by a cyber threat actor.
3 According to this survey, it made up 28 percent of all breaches. According to the Canadian Centre for Cyber Security, this is particularly common in the retail and hospitality sectors. Actors attack out-of-date IT systems by installing malware that steals customer information, interferes with business operations, makes fraudulent purchases or causes other forms of disruption.
4 According to this survey, 43 percent of these breaches involved small business victims.
5 The level of risk varies across businesses and typically depends on the company’s business model, the type of data transmitted and retained, the company’s customer base, and the measures required to secure their environment effectively.
6 In fact, many commercial general liability (CGL) policies exclude “electronic data” from the policy or specifically exclude all cyber-related losses.
7 Typical cyber coverage options for first party losses include: fines or penalties the business may receive because of the breach (under federal and provincial privacy laws and regulations); damage to computer systems caused by the breach, including the cost to restore data; damages from disclosure of information to a competitor; expenses related to the restoration of any intellectual property; business interruption or loss of use; and any direct or extra expenses relating to the response to the breach (e.g., identity theft resolution services).
8 Typical cyber coverage options for third party losses include: defense costs, damages to third parties, and any fines or penalties associated with the breach under federal or provincial privacy laws and regulations.
9 Common exclusion provisions found in these policies include: contractual liability exclusion, criminal conduct exclusion, exclusion of terrorism, and exclusion for unauthorized collection of customer data.
10 See Brick Warehouse LP v. Chubb Insurance Company of Canada, 2017 AB QB. This case involved interpreting the wording used in the policy to establish the scope of coverage. An employee was tricked into transferring funds by a malicious third party pretending to be an employee. The employee was found to have permitted or consented to the fraudulent fund transfer even though he was unaware of the fraud. Moreover, because the funds were transferred by the employee and not directly by the third party, the loss did not meet the definition of “third party” within the policy. The court held that the insurance company was justified in denying coverage. This case demonstrates the importance of understanding the exclusionary language and scope of coverage within insurance policies.
11 This was discussed in our previous article, “Legal Framework of Cybersecurity”. See the following cases for employees who intentionally—or were deemed to intentionally—cause a breach: Brick Warehouse LP v. Chubb Insurance Company of Canada, 2017 AB QB; John Doe and Suzie Jones v. Her Majesty the Queen, 2015 FC 916; Evans v. a Canadian multinational bank, 2014 ONSC 2135.
12 Key factors driving policy premiums include: industry, coverages and limits sought, deductible amount, security and privacy controls implemented within the business, past claims and loss experience, and location of all of the company’s operations.