Relying on cyber infrastructure to operate has become fundamental to most businesses. Critical infrastructure, such as the power grid, hospitals, emergency response, water and transportation (land, water and air), relies heavily on cyber infrastructure that is often networked with many other systems. Attacks on cyber infrastructure are increasing in frequency, and so are their sophistication and scope. The attacks range from those that deny access to data (ransomware), to those that target and steal data, to those that shut down or manipulate operations, which, in the case of critical infrastructure, has significant consequences for the general public.
While the number of cyber security experts continues to increase, the majority of business people are still unsure of how to protect against this increasing risk. For instance, a recent report by the analytics firm FICO (the “Report”) revealed a discrepancy between the perceived risk of imminent cyber attacks in Canada and the level of preparedness of Canadian organizations. The Report contains the results of interviews with senior security and IT specialists at firms in different industries and in different countries.
According to the Report:
- 76% of Canadian organizations are expecting to see an increase in cyber attacks
- Only 44% of Canadian organizations have a tested data breach response plan
- 36% of Canadian organizations have not purchased cyber risk insurance
- Only 18% of Canadian organizations have purchased cyber risk insurance that provides coverage for all likely risks
Cyber risk management is not just a concern for large organizations that store vast quantities of data. Smaller companies (between 50 and 100 employees) are often seen as easy targets by cyber attackers. As we noted recently on the Spotlight, 75% of insurance brokers and legal experts surveyed in a recent U.S. report said that their small business clients were either ‘not prepared at all’ or ‘not very well prepared’ for cyber attacks. Unfortunately, even though 62% of the smaller companies in Canada saw an increase in the number of cyber attacks against them this past year, only 8% of smaller companies expect to increase their investment in cyber security measures. Understandably, the capital available to these smaller companies is limited, and many of them may feel (rightly or wrongly) that there is no need to make cyber security a priority.
Breach response needs to be immediate. The first minutes and hours after an attack are critical to mitigating damage. All businesses that rely on cyber infrastructure for a core element of their operations should have a “go team” ready to respond to a breach. The “go team” should include representatives of management, IT, legal, public relations and possibly insurance. The “go team” should be knowledgeable about the business’ systems and the risks that cyber attacks pose to those systems, and should know the breach response protocol. The “go team” members should not be creating or learning the breach response protocol after a breach occurs.
What are the Risks?
Cyber crime can take many forms, as cyber attackers are continuously finding new ways to target customer data and interrupt business operations.
According to a recent white paper released by The Canadian Chamber of Commerce, “Cyber Security in Canada: Practical Solutions to a Growing Problem”, Canada loses 0.17% of its GDP to cyber crime each year, or $3.12 billion per year. Financial losses for organizations may result from many factors, including reputational damage, fines for failing to comply with federal and provincial privacy legislation, notification costs, forensic experts, legal costs, shareholder claims and remedies, lawsuits against directors and officers, and business interruption.
Should Cyber Risk Insurance be Part of Your Security Strategy?
All organizations should have a tested data breach response plan, provide regular cyber risk training to employees, and have ongoing monitoring and reporting of cyber risks. That being said, even with these measures in place, preventing cyber attacks with 100% certainty is simply not possible. With that in mind, people often ask if they should invest in cyber risk insurance.
Cyber risk policies can provide certain coverage for various liabilities:
- Data breaches that expose the personal information of an organization’s customers
- Business interruption caused by a cyber attack
- Loss or destruction of data
- Computer fraud
- Ransomware attacks and other forms of cyber extortion
The Report revealed that the main deterrent for organizations considering investment in cyber risk insurance is the lack of clarity and transparency in pricing in the cyber risk insurance industry. The majority of those surveyed believe that the cyber risk insurance industry could do more to help organizations understand costs. However, the Report also noted that organizations can assist in improving transparency and clarity in the industry by using cyber risk assessment tools to help insurers more accurately determine pricing structures.
Aside from the costs, it should also be noted that cyber risk insurance is still a relatively new product. The scope of what the insurance should cover, the conditions to coverage and the carve-outs are still being refined. It is important to deal with insurers who have a good track record in cyber insurance, and it is also important that the IT people in your business review the policy. This matters not only because they are in a better position than most business people to tell you whether the policy will cover the biggest risks to the organization, but also because the conditions of cyber insurance often impose obligations on IT systems and their maintenance and upgrades, and you want to ensure your IT people are onside with that.
It is anticipated that the mandatory data breach disclosure requirements under Canada’s Digital Privacy Act will come into force within the next year. These requirements will oblige organizations to notify affected individuals and the Office of the Privacy Commissioner about data breaches where there is a real risk of significant harm. Organizations that do not presently have a comprehensive cyber risk management strategy should seek to develop one, with the assistance of industry experts, as soon as possible. Organizations should implement preventative measures and prepare detailed data breach response plans to mitigate financial loss and reputational damage.