Cyber insurance: do you need it?

A recent CBC article highlighted the need for cyber insurance, a type of coverage that is rarely known by the general public but has increasingly become necessary in the way we do business.

According to the article, a Canadian insurance company suffered a ransomware attack last fall that saw 1,000 of its computers infected, raising questions about what sensitive data may have been accessed by hackers and whether the firm disclosed the breach to its customers. 

The case has only now come to light because of recent court filings in Britain, as the company’s U.K.-based reinsurer paid $950,000 (US) to unlock the hijacked files and is now fighting to get the money back from criminals, according to court documents stemming from a private hearing.

Cyber attacks have become so commonplace in our personal lives and in our businesses that specific insurance coverage is required to cover the losses stemming from such online attacks. About 70% of Canadian businesses have been victims of cyber attacks, costing an average of $15,000 per incident.

Types of cyber attacks include:

  • Denial of service attack: The hacker floods a website with more traffic than it was built to handle, making it impossible for legitimate visitors to access the site.
  • Phishing: An attacker pretends to represent a trusted organization to trick a user into taking an action (such as opening a malicious attachment or clicking on a bogus link) that he or she would normally not take.
  • Malware: Harmful software takes control of a machine, monitors user actions and keystrokes, and/or sends confidential data from the infected computer or network to the attacker’s home base.
  • Ransomware: This software encrypts files to prevent users from accessing them and then demands payment for their safe recovery. These attacks can occur after clicking on a phishing link or visiting a compromised website.
  • Spoofing: A cyber criminal impersonates another user or device to attack network hosts, steal information, spread malware or bypass access controls.
  • Brute force: The attacker attempts to decode encrypted data by trying as many password combinations as possible, as quickly as possible.

“Organizations that rely on an online presence and use e-commerce as a distribution method or have employees who carry electronics that hold customers’ personal or commercial information should contact their insurance representatives, who can help them find coverage to best protect themselves,” according to the Insurance Bureau of Canada.

There are questions you should consider when looking into purchasing cyber insurance, such as:

  1. How many records containing personal information does your organization retain or have access to?
  2. How many records containing sensitive commercial information does your organization retain or have access to?
  3. What security controls can you put in place to reduce the risk of having your system compromised?
  4. Do all portable media and computing devices need to be encrypted?
  5. What about unencrypted media in the care, custody or control of your third-party service providers?
  6. Could you make a claim if you were unable to detect an intrusion until several months or years had passed?

For more information about cyber insurance, please feel free to contact Pacific Insurance Brokers Inc. at 416-494-1268 and speak with one of our seasoned insurance professionals.