The Driz Group

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

8/27/2017

Is Cyber Insurance for Small and Medium Businesses Worth the Cost?

 
More than one-third (36%) of Canadian firms don’t have cyber security insurance, according to a survey conducted by research and consultancy firm Ovum for Silicon Valley analytics firm FICO.

This figure nevertheless compares well with the global average (40%) and with the percentage of firms in the U.S. that have no cyber security insurance (50%).

Reasons Why Some Organizations Hesitate to Get Cyber Security Insurance

Here are some of the reasons why some organizations hesitate to get cyber security insurance:

1. Organizations Often Don’t Understand Cyber Risks or Their Insurance Options
In the report "Demystifying cyber insurance coverage: Clearing obstacles in a problematic but promising growth market", researchers from the Deloitte Center for Financial Services found that many organizations – including large, medium and small businesses – often aren’t aware of the cyber risks confronting them, let alone the insurance coverage options available to them.
 
2. Lack of Understanding as to What Type of Cyber Risk Is and Isn’t Covered under Existing Insurance Policies
Of the Canadian firms in the FICO survey that have cyber security insurance, only 18% said their cyber security insurance covers all likely risks.

In the case of The Brick Warehouse LP v Chubb Insurance Company of Canada, the Court of Queen’s Bench of Alberta decided on June 29, 2017 that Brick isn’t entitled to recover its loss from insurer Chubb. The case arises from a social engineering cyber fraud scheme. In 2010, the accounting department of Brick received bogus calls and emails from an individual claiming to be a representative of Toshiba, one of Brick’s suppliers. The imposter asked a Brick employee to redirect payments supposedly owed to Toshiba to a new bank account. A total of $338,322.22 was transferred into the “new” account.

Brick filed a claim with its insurer Chubb, asserting that, under its cyber security insurance policy, Chubb would pay for direct loss resulting from funds transfer fraud by a third party.
 
“Certainly, the emails with the fraudulent instructions were from a third party,” the Court of Queen’s Bench of Alberta said. “The actual transfer instructions; however, were issued by a Brick employee. There was no one forcing the employee to issue the instructions, there were no threats of violence or other harm. The employee was simply a pawn in the fraudster’s scheme. Therefore, the transfer was not done by a third party.”
 
According to the Deloitte report, cyber security insurance policy terms and conditions in Canada have yet to be battle-tested as case law isn’t clear. The Brick Warehouse LP v Chubb Insurance Company of Canada is the first case decided by a Canadian court with respect to cyber crime insurance coverage.
 
3. Concern about Cyber Security Insurance Value
The Deloitte report showed that many organizations still wonder whether the cyber security insurance coverage being offered by insurers is sufficient for the risks they face.
 
The Deloitte report revealed that current cyber insurance policies are often capped with relatively low limits for the risks being covered, which may be discouraging more organizations from getting cyber insurance. The report added that cyber insurance coverage for emerging cyber risks may not yet be widely available or affordable.
 
Twenty percent of the FICO survey respondents felt that the premiums calculated based on their business don’t accurately reflect their risk profile.
 
4. Lack of Standardization around Cyber Insurance Offerings
Given that the cyber insurance market is relatively new, insurance coverage terms, conditions and exclusions are still not standardized.
 
The 2016 SANS Institute and Advisen, Ltd. study (PDF) found that information security officers of organizations and insurance professionals don’t speak the same language when defining and quantifying cyber risks, resulting in different expectations, actions and justification for outcomes. The 2017 “Cyber Insurance Market Watch Survey” (PDF) by the Council of Insurance Agents & Brokers found that cyber insurance companies have their own policy language which makes it difficult to compare coverage and terms.
 
More than a quarter (26%) of the FICO survey respondents felt that the introduction of an established industry standard to benchmark cyber security risk would be beneficial.

Importance of Getting Cyber Security Insurance

“While digitisation is revolutionising business models and transforming daily lives, it is also making the global economy more vulnerable to cyber-attacks,” Lloyd's and Cyence said in the report “Counting the cost: Cyber exposure decoded”.
 
“Without cyber-risk insurance, organizations are leaving themselves in a very vulnerable position,” said Kevin Deveau, vice president and managing director of FICO Canada. “It’s important for businesses to assess the strength of their cybersecurity defences and to make sure they are covered if they are faced with a data breach.”
 
Legislation is expected to drive demand for cyber insurance cover, particularly surrounding data and privacy.
 
In Europe, the implementation of the EU’s General Data Protection Regulation (GDPR) in 2018 is expected to drive the demand for cyber insurance, as the law introduces new fines for failing to adequately protect sensitive data and mandates that companies notify the authorities and the individuals affected by a data breach.
 
According to Lloyd's and Cyence, “Demand for cyber insurance is also anticipated to increase penetration in Europe as a result of the General Data Protection Regulation coming into force next year, with the threat of penalties for breaches driving coverage.”
 
In Canada, the upcoming implementation of the Digital Privacy Act is expected to drive the demand for cyber insurance. It amends Canada’s Personal Information Protection and Electronic Documents Act. The Digital Privacy Act became law in June 2015. The law’s implementation is held in abeyance until the government issues the implementing regulations.

The 2015 law requires organizations to report any significant, potentially harmful security breach of personal information to Canada’s Privacy Commissioner and to immediately inform the affected individuals and organizations. Non-compliance with the notification requirements may lead to fines of up to $100,000 per violation.
 
“The ripple effect of a breach can be felt throughout the organization for a very long time, especially now that Canada’s Digital Privacy Act will require organizations to report any breaches to regulators and customers,” the vice president and managing director of FICO Canada said.
    Author

    Steve E. Driz, I.S.P., ITCP

© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit