Cyber liability insurance can’t stop online criminals but it is an important part of your business recovery plan when you suffer a cyber breach. With most businesses now working from home due to the COVID-19 pandemic, the risk of leaking sensitive client and business data is even greater.
When it comes to cyber crime, there are the high profile hacking attacks on companies like Equifax and Home Depot which dominate the news cycle for months. Then there are the thousands more every day that happens to individuals and businesses of all sizes that you don’t hear about.
Collectively, Accenture and the Ponemon Institute estimate that cyber crime costs Canadian businesses an average of $12 million each! And according to that same piece of research, companies recorded an average of 75 cyber attacks in 2018.
What used to be the domain of sophisticated cyber criminals or nationstates can now be purchased online for $10 a month effectively democratizing cyber crime allowing anyone with an internet connection to engage in this behaviour. Attacks favoured by criminals around the world include:
- Ransomware: This type of attack is becoming more popular and involves a piece of malware that encrypts your files and forces you to pay a ransom for their safe recovery.
- Phishing: An attacker tricks a user or employee into taking an action such as opening a malicious attachment or entering login information on a fake web page.
- Denial of service: An attacker floods your company’s website with more traffic than the servers can handle effectively blocking access for legitimate users.
As businesses continue their digital transformation and evolve their business models to conduct more business over the internet, that number is sure to climb over the next few years. When business leaders decide on how to manage this risk, cyber liability insurance must be part of the conversation.
What Is Cyber Liability Insurance?
Cyber liability insurance is sometimes referred to as cyber risk insurance or simply cyber insurance. While it doesn’t prevent an attack from happening, it does help you mitigate the financial and reputational consequences of a breach.
Despite being a relatively new product launched in the mid-2000’s it has quickly caught on and PwC estimates that 1 in 3 US companies now carry some form of cyber insurance.
What Does It Cover?
Cyber liability insurance policies cover expenses incurred by first parties (damage to your systems) and claims from third parties (ie. customers and employees) after a breach occurs.
First Party Coverages
First party coverage takes care of damage incurred by your business due to a cyber incident including: • Loss or Damage to Data
→ Preserving and restoring data after a breach can be expensive. This covers the cost of restoring electronic data damaged, destroyed, or stolen in a breach. • Cyber Extortion
→ This coverage pays the ransom you make to recover your data following a ransomware or denial of service attack.
• Business Interruption and Extra Expenses
→ In my opinion, this is by far the most important coverage. Most organizations would not be able to conduct business if their network was taken down. This helps you pay for loss of income and extra expenses you incur.
• Notification Costs and Credit Monitoring
→ This pays for costs involved with notifying affected parties of the breach and offering free credit monitoring services as was the case with the famous 2017 Equifax hack.
• Reputation Management and PR
→ Insurers understand the important role you play in being stewards of your customer’s sensitive data and will pay marketing and PR costs involved in protecting your company’s reputation following a data breach.
• Third Party Coverages
→ In the aftermath of a cyber incident, it’s not just your own systems you have to worry about. You can also face legal consequences from third parties. Common examples include allegations from customers that you failed to adequately protect their data or regulatory proceedings resulting in fines or other penalties if they determine that you breached data privacy laws.
→ The third party coverages are the “liability” portion of your cyber liability insurance policy. It covers the cost of your legal defense and pays damages or settlements from third party claims.
Who Needs Cyber Insurance?
The short answer is that most businesses these days need some form of cyber insurance. This is doubly true if you rely on an online presence to conduct business, sell products or services online, or keep sensitive business and client information.
Cyber liability insurance can’t stop online criminals but it is an important part of your business recovery plan when you do suffer a security breach.
How Much Does Cyber Risk Insurance Cost?
Premiums vary based on your risk profile and insurers will look at the type and number of data records you keep and the security systems you have implemented.
Costs can be as low $1000/year for smaller organizations such as tax prep firms or as high as $100,000 for large corporations with millions in revenue.
Cyber Risk Management
Cyber liability insurance is an important part of every business’ IT risk management strategy, but as the old saying goes, an ounce of prevention is better than a pound of cure. Cyber criminals are opportunistic hunters and will seek to attack the weakest animal in the herd so by making yourself hard to attack in the first place, you can convince many would-be cybercriminals to simply move on.
Antivirus & Firewalls
Most devices these days come with free antivirus and firewall software already installed but depending on your needs, you may want to upgrade to more powerful systems. The best systems will even automate management and automatically ensure your operating systems install the latest security patches as soon as they become available.
CIRA Canadian Shield
The Canadian Internet Registration Authority (CIRA) is the non-profit organization that manages the .CA domain names on behalf of all Canadians. And CIRA Canadian Shield is their free service available to all Canadians providing enterprise-level threat protection at the DNS level for all devices.
This service securely routes you and your company’s traffic through Canadian DNS servers which ensures privacy and blocks malware, phishing websites, and other malicious code from getting through to your devices.
Encrypted Devices & Strong Passwords
Another important way to protect client data is to encrypt all of your work devices and enforce the use of strong passwords.
Most mobile phones these days have encryption enabled by default but you will need to speak with your IT department to enable encryption for your other devices.
According to Google, a strong password is one that is 8 characters or longer and includes the use of letters, numbers, and symbols. Contrary to popular belief, it is not a good idea to force employees to change their passwords regularly as it encourages employees to pick simple passwords or write them down in unsecure places.
Another important tip is to enable multi-factor authentication (MFA) wherever possible. Services such as Google Authenticator are particularly useful here.
Not only is implementing these other systems as part of a defense-in-depth strategy a good idea, it will also help you lower your cyber liability insurance premiums as you’re presenting a lower risk profile.