Is Cyber Insurance for Small and Medium Businesses Worth the Cost?
More than one-third or 36% of Canadian firms don’t have cyber security insurance, this according to a survey conducted by research and consultancy firm Ovum for Silicon Valley analytics firm FICO.
This number, however, is relatively high compared to the global average (40%) and the percentage of firms in the U.S. that have no cyber security insurance (50%).
Reasons Why Some Organizations Hesitate to Get Cyber Security Insurance
Here are some of the reasons why some organizations hesitate to get cyber security insurance:
1. Organizations Often Don’t Understand Cyber Risks or Their Insurance Options
In the report "Demystifying cyber insurance coverage: Clearing obstacles in a problematic but promising growth market", researchers from the Deloitte Center for Financial Services found that many organizations – including large, medium and small businesses – often aren’t aware of the cyber risks confronting them, let alone the insurance coverage options available to them.
2. Lack of Understanding as to What Type of Cyber Risk Is and Isn’t Covered under Existing Insurance Policies
For the Canadian firms that have cyber security insurance in the FICO survey, only 18% said their cyber security insurance covers all likely risks.
In the case of The Brick Warehouse LP v Chubb Insurance Company of Canada, the Court of Queen’s Bench of Alberta decided on June 29, 2017 that Brick isn’t entitled to recover its loss from insurer Chubb. The case arises from a social engineering cyber fraud scheme. In 2010, the accounting department of Brick received bogus calls and emails from an individual claiming to be a representative of Toshiba, one of Brick’s suppliers. The imposter asked a Brick employee that payment to supposedly Toshiba should be changed to a new bank account. A total of $338,322.22 was transferred into the “new” account.
Brick filed a claim with its insurer Chubb asserting that under its cyber security insurance policy Chubb will pay for direct loss resulting from funds transfer fraud by a third party.
“Certainly, the emails with the fraudulent instructions were from a third party,” the Court of Queen’s Bench of Alberta said. “The actual transfer instructions; however, were issued by a Brick employee. There was no one forcing the employee to issue the instructions, there were no threats of violence or other harm. The employee was simply a pawn in the fraudster’s scheme. Therefore, the transfer was not done by a third party.”
According to the Deloitte report, cyber security insurance policy terms and conditions in Canada have yet to be battle-tested as case law isn’t clear. The Brick Warehouse LP v Chubb Insurance Company of Canada is the first case decided by a Canadian court with respect to cyber crime insurance coverage.
3. Concern about Cyber Security Insurance Value
The Deloitte report showed that many organizations still wonder whether the cyber security insurance coverage being offered by insurers is sufficient for the risks they face.
The Deloitte report revealed that current cyber insurance policies are often capped with relatively low limits for the risks being covered, which may be discouraging more organizations in getting cyber insurance. The report added that cyber insurance coverage for emerging cyber risks may not yet be widely available or affordable.
Twenty percent of the FICO survey respondents felt that the premiums calculated based on their business don’t accurately reflect their risk profile.
4. Lack of Standardization around Cyber Insurance Offerings
Given that the cyber insurance market is relatively new, insurance coverage terms, conditions and exclusions are still not standardized.
The 2016 SANS Institute and Advisen, Ltd. study (PDF) found that information security officers of organizations and insurance professionals don’t speak the same language when defining and quantifying cyber risks, resulting in different expectations, actions and justification for outcomes. The 2017 “Cyber Insurance Market Watch Survey” (PDF) by the Council of Insurance Agents & Brokers found that cyber insurance companies have their own policy language which makes it difficult to compare coverage and terms.
More than a quarter or 26% of the FICO survey respondents felt that the introduction of an established industry standard to benchmark cyber security risk would be beneficial.
Importance of Getting Cyber Security Insurance
"While digitisation is revolutionising business models and transforming daily lives, it is also making the global economy more vulnerable to cyber-attacks,” Lloyd's and Cyence said in the report "Counting the cost Cyber exposure decoded".
“Without cyber-risk insurance, organizations are leaving themselves in a very vulnerable position,” said Kevin Deveau, vice president and managing director of FICO Canada. “It’s important for businesses to assess the strength of their cybersecurity defences and to make sure they are covered if they are faced with a data breach.”
Legislation is expected to drive demand for cyber insurance cover, particularly surrounding data and privacy.
In Europe, the implementation of the EU law General Data Protection Regulation (GDPR) in 2018 is expected to drive the demand for cyber insurance as the EU law introduces new fines for failing to adequately protect sensitive data and mandating companies to notify the authorities and the individuals affected by the data breach.
According to Lloyd's and Cyence, “Demand for cyber insurance is also anticipated to increase penetration in Europe as a result of the General Data Protection Regulation coming into force next year, with the threat of penalties for breaches driving coverage.”
In Canada, the upcoming implementation of the Digital Privacy Act is expected to drive the demand for cyber insurance. It amends Canada’s Personal Information Protection and Electronic Documents Act. The Digital Privacy Act became a law in June 2015. The law’s implementation is held in abeyance until the government issues the implementing regulations.
The 2015 law requires organizations to report any significant, potentially harmful security breach of personal information to Canada’s Privacy Commissioner and to immediately inform the affected individuals and organizations. Non-compliance of the notification requirements may lead to fines of up to $100,000 per violation.
“The ripple effect of a breach can be felt throughout the organization for a very long time, especially now that Canada’s Digital Privacy Act will require organizations to report any breaches to regulators and customers,” the vice president and managing director of FICO Canada said.
Steve E. Driz