As new cyber-insurance products come to Canada, the demand for financial protection against data breaches is growing, according to a report from the Risk Management Society.
In its 2016 RIMS Cyber Survey, the Society found that 29 per cent of more of the 272 respondents from its North American member base had a cyber-insurance policy than last year. Many of them seem forced to take out insurance due to contractual obligations – 17 per cent reported that this was a factor.
Nearly a quarter of them were spending over $500,000 on premiums (suggesting that larger companies are particularly attracted to the products).
Cyber-risk insurance is a relatively new product that barely existed at all before 2000, say experts. But since then, things have grown rapidly. “The cyber market is somewhere around $2.5 billion with approximately 80 carriers,” said Ty Sagalow, CEO of cyber-risk insurance and consulting firm Innovation Insurance Group. Sagalow was chief operating officer at AIG e-Business Risk Solutions in 2000, and was responsible for introducing some of the first cyber-insurance policies.
Cyber-risk insurance policies usually fall into two broad categories: first party (the most common) and third party. The former focuses on expenses incurred by the company experiencing the breach, while the latter covers the effect of cybersecurity breaches on other companies, such as customers and business partners. If an organization’s network was used to infect another company’s or if it incurred a large fine from a regulator because of data loss, a third party policy would address those issues.
Among recent moves in the industry, insurance firm Chubb said earlier this month that Canadian organizations can now buy its Integrity+ error and omissions package against liability customer lawsuits. These lawsuits would be alleging people suffered damages to their products or services caused privacy violations, intellectual property infringements or other financial injuries including cyber attacks.
Among the options Integrity+ offers are
- Product or Service Financial Injury (E&O)– Liability insurance protection against claims or suits for financial injuries suffered by the insured’s customer due to defects or deficiencies in the insured’s products or services and the failure of such products or services to perform in accordance with a contract or agreement.
- Destructive Programming– Protects companies that are contractually engaged in streamlining the business operations of supplier, cloud service, and financial institution systems if a cyber attack occurs and results in injuries to those systems but the attack was not caused by a product or service defect or contract performance failure.
- Extended Cyber– Dedicated insurance for cyber attacks which covers damages and claimant costs sustained by a third party, other than the insured’s customers, for injuries caused by unauthorized access or use of software, data, or other information in electronic form.
- Intellectual Property (IP)/Disclosure and Reputation Disparagement– Insurance for injuries sustained by third parties, other than the insured’s customers, resulting from actual or suspected disclosure of confidential information, intellectual property infringement, privacy violation, or reputation disparagement.
Integrity+ also includes First Party Cyber insurance protection for expenses incurred in connection with a privacy data breach up to $500,000. Additional limits are also available.
The firm will also offer extended cyber-insurance designed to cover third-party risk. Significantly, its insurance service also includes access to cyber-response coaching, which helps companies with creating an incident response plan and managing the regulatory and legal fallout from a data breach.
Companies are likely to be more worried about the financial implications of data breaches in Canada following the passing of the Digital Privacy Act in June 2015. This included a mandatory requirement for companies to notify the federal Privacy Commissioner and their customer of breaches that cause a risk of significant harm.
Those provisions are not yet in force, but the government at the time promised to enact them at a later date. In the meantime, Alberta has its own data breach notification law that forces companies to report breaches to the commissioner where the lost data could cause harm.