Is it time to shop for cyber insurance?

There is no shortage of ways organizations can beef up their computing infrastructure against cyber attacks. However, many businesses are still struggling to get a handle on how they can protect their organization from the legal fallout of a cyber security breach.

The number of cyber attacks against Canadian firms might pale in comparison to those that American companies have to deal with, but recent reports about ransomware incidents on this side of the border provide ample reason for local businesses to be more cautious, according to two Toronto-based lawyers whose activities focus on litigation, insurance, and technology.

“All the reports we read indicate that ransomware will only become more prevalent in the future,” said Brent Arnold, practicing partner at Toronto’s Gowling WLG firm. “While cyber criminals are frequently able to avoid prosecution, their corporate victims are most likely to be left to deal with the consequences… the impact to their customers, the damage to the company’s reputation, and possibly legal action.”

Ransomware refers to malware used to essentially “kidnap” a person’s or an organization’s digital data by encrypting the information so that it cannot be retrieved by its owners. Attackers using ransomware demand payment in exchange for the key needed to decrypt it.

A survey by Santa Clara, Calif.-based anti-malware company Malwarebytes, which looked into the Canadian ransomware landscape, found that Canadian organizations are more likely (75 per cent) to pay ransomware demands than their counterparts in the United States, United Kingdom, and Germany.

“Those who faced demands of ‘only’ $650 or less constituted around nine per cent of organizations surveyed, while 30 per cent of organizations have seen demands upwards of $13,000,” the survey said.

More than eight in 10 Canadian organizations admitted to losing their data when they didn’t pay cyber attackers.

Businesses might worry about being sued by impacted customers or perhaps facing a derivative suit from shareholders.

Arnold said an organization’s defences need to focus on two key points: cyber security and cyber security insurance coverage.

“The fact that you’ve been breached doesn’t necessarily mean you’re liable,” he said. “The courts will look at what you’ve done to prevent the breach and mitigate its impact.”

It would help a company in persuading the court if the business:

  • Has implemented robust and proactive policies, procedures and monitoring to ensure proper data security and employee adherence
  • Adheres to generally recognized cyber security technical standards
  • Has post-breach remediation of security policies and procedures to mitigate the impact on customers
  • Has appointed officers to specifically deal with data security and cyber breach planning and response

Having the right type of cyber security insurance is also important, noted Belinda Bain, partner and head of the Toronto insurance group for Gowling.

“Canadian companies, in general, are not prepared for a cyber attack,” she told ITIC. “When it comes to cyber insurance, American organizations tend to be far ahead of their Canadian counterparts.”

Part of the reason, she said, is that there have not been many instances of Canadian companies being sued over a cyber security breach.

“There are no Canadian ransomware cases in court that I know of. There are some class action suits, but there are no actual court decisions that have been publicized,” she explained. “This is likely because most civil lawsuits are settled.”

But this is no reason for Canadian firms to remain complacent because things are bound to change, Bain pointed out.

Demand for cyber insurance has skyrocketed as more cyber attacks are publicized.

PricewaterhouseCoopers predicts annual worldwide premiums will be around US$5 billion by 2018 – double the current $2.5 billion. By 2020, the number could grow to $7.5 billion.

The cyber threat landscape continues to evolve and grow. This is reflected in the insurance industry as well, as more and more businesses take notice of the implications of cyber attacks.

The number of insurance firms offering cyber coverage in Canada has grown in the last few years. Although cyber insurance is still in its early days, Bain believes it could grow into a major practice in the near future.

Here are some of the things to keep in mind when shopping for cyber coverage:

First party liability coverage: This covers the cost of loss of business due to a cyber attack, and pays for any digital content damage, for any data stolen or held by a cyber extortionist, and for the cost of equipment replacement or installation due to the attack.

Third party liability coverage: This covers liability to the insured’s customers, clients, and employees affected by the cyber attack. It takes into account the breach of their private information, misuse of private data, and damage to reputation or image due to the spreading of information on the Internet, social media, and the like.

It’s not a matter of whether you will be hit by a cyber attack, but rather whether you are prepared to face the aftermath, she said.

“Organizations should be asking themselves: Do I have cyber insurance? Am I going to be found by the courts to have done enough?” Bain said.

ITinCanada