Practical Primer for Insureds and Insurers on Cyber Law

Key takeaways for the insured

Consider industry standards and best practices

  • Identify company’s legal obligations under federal and provincial privacy laws, securities laws, and policies and guidelines set out by industry regulators;
  • Develop and test an incident response plan;
  • Involve senior management, directors and officers, and legal counsel in creating the effective response plan for cybersecurity-related risks;
  • Train employees and educate staff so they are aware of their legal obligations;
  • Develop and enforce an information security policy; and
  • Participate in cybersecurity information sharing programs.

Determine your exposure

  • The most common attacks are social attacks (e.g., whaling), hacking and networking intrusions, and malware and end user attacks;
    • Social attacks are among the most common for senior business executives who have access to the company’s funds; and
    • Directors and officers may be held liable in the event of a cybersecurity attack or data breach if they failed to oversee and implement reasonable cybersecurity measures for the company, or failed to comply with any disclosure requirements after a breach occurred. 

Obtain cyber insurance coverage

  • Businesses should determine what risks are most relevant to their company and ensure they are adequately covered under their insurance policy. It is important to understand the full scope of the coverage, and identify any limitations or exclusions;
    • Losses resulting from cybersecurity attacks or data breaches are not typically covered under traditional insurance policies (e.g., property and casualty insurance, or commercial general liability insurance). This type of loss is only covered under specialized cybersecurity insurance products;
    • In a recent case, a third party tricked an employee by pretending to be another employee of the company, to diverge the company’s funds. ”File transfer fraud” was a coverage offered under their insurance policy, but it was denied on the grounds that the employee consented to the third party’s transfer, and therefore, did not fall within the scope of the coverage (i.e., only applied when no consent was given). Even though the employee did not know it was fraudulent, the court held that it met within the original meaning of the word consent, and therefore, the insurance company was in its right to decline coverage. This is a warning to all companies to ensure that not only they have the appropriate coverages, but also fully understand the limits and scope of the coverage;
    • It is common for insurance companies to exclude losses resulting from a breach that arose out of an intentional act. This is a significant risk for businesses, as evidenced by the number of cases involving intentional privacy breaches by an employee; and 
  • Insurance companies consider several factors when determining premiums for their cybersecurity insurance policies. A company’s internal policies and procedures for managing cyber threats is one of them, and can significantly reduce a policy’s premium.

Key takeaways for the insurer

Litigation trends

  • In Canada, third party claims relating to cybersecurity attacks and data breaches have been on the rise. Consequently, there has been a significant rise in individual and class action lawsuits against companies who have suffered a breach. As insurance policies typically offer both first and third party coverage, insurers may see a rise in litigation costs;
  • Damage awards for these third party claims are not insignificant, especially when the claims are aggregated in class actions; and
  • Recent settlement in the US for a derivative action relating to cybersecurity could also affect litigation in Canada and encourage shareholders to pursue similar claims.

Educate clients

  • Cybersecurity insurance products vary across carriers, and the lack of standardization can be confusing for potential insureds. Ultimately, this can deter them from buying the appropriate policy or a policy altogether;
  • It is important for insurers to educate their clients on what cybersecurity insurance is, why it would be beneficial for them to have it, and to provide a detailed explanation about the coverage options available;
  • Insurers should sit down with their clients and understand more about the client’s business. Identifying what the company’s top exposures are will ensure the client is protected properly, and they understand the value of the policy being purchased;
  • Depending on the wording of the policy, insurers may deny coverage to a company that failed to implement necessary security measures or failed to take the proper steps to protect the company from a breach.

For more information about this case, please contact Deepshikha Dutt or another member of Dentons’ Insurance group.

A special thank you to Emeleigh Moulton (summer student) for her assistance with this article.

Subscribe and stay updated
Receive our latest blog posts by email.
Deepshikha Dutt

About Deepshikha Dutt

Deepshikha Dutt is a commercial and civil litigator in Dentons’ Litigation and Dispute Resolution group. Her practice focuses on professional liability, class actions and insurance-related matters primarily dealing with directors and officers (D&O), and errors and omissions (E&O) liability.

Full bio