INSURANCE RESPONDS TO CY BER ATTACKS WITH MUCH MORE THAN RISK TRANSFER
The WannaCry cyber attacks that affected almost 300,000 computers worldwide earlier this year were just the tip of an iceberg. Every day, businesses are subject to crippling attacks that disrupt operations and hold data hostage. Increasingly, the insurance industry is stepping up to the plate, helping protect businesses against losses and liability due to cybercrime, assisting them to boost their defences and also acting as crisis managers, helping affected companies negotiate and recover from a cyber attack.
About 20 years ago, insurance clients began to ask whether they were covered for cyber-security breaches under traditional insurance products, notes Marc Lipman, chief operating officer at AIG Insurance Company of Canada.
“We realized that there was a need for something beyond what traditional products were offering to underwrite the risks inherent in cyber,” he says. “Developing that coverage is an evolutionary process as we incorporate new and emerging perils that can impact operations.”
Cyber insurance offers a suite of coverage. It can include first- party insurance responding directly to a business loss. It can include third- party insurance for a business facing a lawsuit over damages caused by a cyber event, ranging from loss of data and intellectual property to exposing the health or credit card information released by a hacker.
Proposed regulations under the Personal Informa- tion Protection and Electronic Documents Act are not yet in force but would require mandatory notification to the Office of the Privacy Commissioner of Canada of any privacy- related issues, breaches or suspected breaches where they have the potential to cause harm. Businesses would also have to notify the potentially affected individuals.
“You can’t internalize these breaches any longer,” says Greg Markell, FCIP, CRM, CEO of Ridge Canada Cyber Solutions Inc., a managing general agent with a focus on cyber and privacy liability. “Any breach can be expensive to deal with, but these breaches are increasingly affecting medium-sized and smaller businesses with fewer resources than large companies. That’s not because they’re individually targeted but because they’re more vulnerable against broad- based attacks that throw everything against the wall and see what sticks.”
He notes that in many cases, smaller businesses never recover from the attacks.
“We often work on behalf of insurance brokerages to help get companies to take these risks seriously,” says Serge Solski, principal of AdviseAware Risk Consulting. “You can’t exclusively rely on technology to safeguard your business. Cyber criminals don’t kick down your door — they get your employees to open it for them. Focusing on educating your people is one of the most cost-effective ways of protecting your business from cyber attacks.”
Solski also recommends that businesses employ third- party consultants to assess the effectiveness of the company’s IT controls and then report directly to ownership. “You can’t have your own IT department assessing the system any more than you would have your bookkeeper analyze your financial risks,” he says.
In general, the more a company does to become proactive against cyber risk, the more competitive the quote it will receive for insurance, notes Lipman.
“We expect our clients to take reasonable precautions and to live up to the safeguards they’ve said they have in place,” he says. “We can also help our clients take those proactive steps. If they’re at Point A, but they should be at Point B, we can help get them there by providing them with the right resources and partnering with vendors who can help them face those risks.”
While businesses should already have a cyber- incident response plan in place, cyber insurance also helps companies access the services they’ll need to survive a data breach. AIG, for example, can provide a host of services, from a lawyer who can act as a cyber- breach coach to a forensics team that can determine the nature of the breach and whether the threat is still active. It can even provide a public relations team to communicate the nature of the breach and what’s being done about it.
“We’re typically involved early in the breach, delivering a business continuity plan and offering a whole suite of partner services,” says Lipman. “To be effective for our clients facing cyber attacks, insurance offers a solution that goes far beyond simple risk transfer.”