
Cyber Insurance - Would Your Business Survive a Data Security Breach?

August 29, 2012

Presented here is a brief discussion on Cyber Insurance, one type of business insurance, and does not constitute insurance advice. This is not intended to be a comprehensive description of coverage, and does not include details of the coverage nor the terms, conditions, qualifications, limitations and exclusions applicable. Policies should be reviewed in their entirety and related to your specific operations. Many insurers permit changes (changes to insurance policies are usually called "endorsements" or "riders") in their limitations or exclusions to match your specific requirements. As insurance advice must be tailored to the specific circumstances of each situation, nothing provided herein should be used as a substitute for the advice of a competent insurance broker. IN NO EVENT WILL RHODES & WILLIAMS LIMITED BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THE INFORMATION PRESENTED IN THIS DOCUMENT.


What is Cyber Risk?

Simply put, cyber risk is the exposure to financial loss for an organization that arises out of the use of computer networks and the internet.

Technology and media have transformed the way we communicate. As more and more organizations rely on technology to conduct business, their vulnerability to cyber security threats can increase significantly. This can result in substantial monetary and reputational costs that can wreak havoc with an organization's bottom line.

According to most recent technology-related journals and articles, when speaking of data security breaches, it's not so much a matter of if a breach will occur, but when.

What are some types of Cyber Risk?

Your system could be sabotaged by disgruntled employees, malicious insiders, or criminals from the outside. These individuals (internal or external) might be motivated by theft for financial gain, identity theft, fraud, extortion, revenge, pride or, believe it or not, just for fun - in order to identify weak points in the system.

There are two areas of loss an organization needs to consider when purchasing cyber insurance.

First Party Losses (the organization's direct loss) and

Third Party Losses (the organization's liability to others)

First Party Losses can occur as a result of loss, damage or destruction of data, network damage, system failure, theft of data, increased cost of working, lost business revenue, damage to your organization's reputation and cyber extortion.

Third Party Loss can arise from breach of confidentiality, invasion of privacy, defamation, misleading advertising, infringement of copyright and intellectual property, disclosure of private facts, misappropriation of name and brand and transmission of computer viruses.

Traditional Insurance

Traditional insurance policies contain significant gaps. These can include, but are not necessarily limited to, theft of data, destruction by hackers, cyber extortion, and liability for privacy breach from the unauthorized disclosure of data through human error, system malfunction or hackers, to name a few.

In order to evaluate the need for Cyber insurance, you might want to start off asking yourself the following questions.

ARE YOU PREPARED FOR:

 

  • identity theft from lost or stolen social insurance or credit card numbers, driver's license or financial information?
  • a hacking incident that could result in theft of this confidential information?
  • a lawsuit alleging a technology error or alleged security failure that results in damage to your clients?
  • a lawsuit alleging libel, slander, defamation, or product disparagement involving information contained in email, PDAs, servers, flash drives, the internet or on laptops?
  • a lawsuit alleging infringement of intellectual property, trademark or copyright?
  • interruption to your e-business resulting from an Internet virus, hacking attack or security failure?
  • a cyber extortion threat?
  • the expenses involved in securing a crisis management firm, privacy notification and disaster recovery?
  • theft or loss of an employee's laptop or flash drive containing company or client email, private information / records or similar information?

Chubb Insurance Company offers the following list to help organizations identify the risks involved and some of the costs and repercussions that could result from a cyber breach.

What every business needs to know about data breaches:

  • The culprit is often someone close to your business. A surprisingly large proportion of data breaches are carried out by insiders (over half by some estimates) or by business partners. A trusted employee could be the culprit.
  • The perpetrator could live halfway around the globe. To vandalize your building, a criminal must be on site. But a hacker can operate from anywhere in the world. Organized cyber crime rings operate worldwide 24/7.
  • Size doesn't matter. Half of all companies that suffer data breaches have fewer than 1,000 employees.
  • Any company can be hit. Cyber criminals don't care from whom they steal private information. Retailers, health care institutions, manufacturers, professional service providers, media and entertainment companies, and financial institutions are all likely to be targeted.
  • A breach can result from a simple mistake. An employee might misplace a laptop, Blackberry, or computer flash drive or leave these in an unsecured location, such as an unlocked car.
  • Cyber risk is steadily increasing. Data breaches affect hundreds of millions of records a year and reports of breaches continue to rise at a dramatic rate.

The costs of data security breaches can be significant:

  • Many US states, and now Alberta*, require organizations to notify all customers if a breach is even suspected and to take necessary steps to correct the situation, a cost estimated at up to $30 or more per customer. If you multiply these costs by the organization's total number of customers, you can get a pretty good idea of the costs involved in the notification process alone.

*To date, the Alberta PIPA is the only private-sector privacy legislation that imposes a statutory obligation on private-sector organizations to disclose privacy-related data breaches. However, proposed amendments to PIPEDA (Personal Information Protection and Electronic Documents Act), if enacted, would add a mandatory notification requirement to that statute. Federal and provincial privacy commissioners have also published guidelines that suggest disclosure and notification should be made in certain circumstances [1].

  • Often overlooked is the potential loss of confidence in your organization by your customers and potential customers when a security breach occurs. The fact is that a cyber security failure can significantly impact shareholder value, as well as corporate stability, reputation, and financial performance.
  • Until a data breach occurs, there's really no way to know the extent of the leak or the financial devastation it can cause. Maybe that's why businesses often underestimate their data security breach risks.  Even if your business uses state-of-the-art security controls, your customers, shareholders, and corporate assets are still at risk from a determined criminal element that can bring operations to a grinding halt.
  • When you stack up the potential costs brought on by a data security breach, risk mitigation, through insurance coverage and loss prevention, is more than a smart investment. It's business critical.

 

[1]  Blake, Cassels & Graydon LLP, "Doing Business in Canada"



Rhodes & Williams Insurance Brokers is one of the largest independent insurance brokerage firms in Eastern Ontario. With offices in both Ottawa and Toronto, our insurance brokers have provided superior customer service and the right insurance coverage solutions since 1935.  We specialize in custom-designed business insurance for a wide variety of industries including High-Tech Insurance (TECHCOVER®), Construction, Retirement and Senior-Living, Not-for-Profit, Packaged Insurance Policy Solutions, and Specialty Solutions.

 

Bob's tenure in the general insurance field spans more than thirty years, and includes experience as an underwriter, commercial account inspector and insurance broker. As an insurance broker, he specializes in insurance solutions primarily for manufacturing, technology, construction and not-for-profit organizations.

Bob is a Registered Insurance Broker in Ontario and is licensed in most Canadian provinces and territories. He is a Chartered Insurance Professional (CIP) and Canadian Risk Manager (CRM). Past credits include instructing Insurance Institute students, RIBO accredited continuing education course provider, and guest speaker at insurance or risk management functions.

Bob Burhoe

Donna started her career in the insurance business in 1984 after completing her Bachelor of Arts at Queen's University. She has always worked in the commercial sector, garnering experience over the years that enables her to assist clients with more intricate and complex accounts.

Donna is a registered Insurance Broker of Ontario and continues to expand her knowledge by attending seminars and classes to ensure her knowledge is in keeping with the ever-changing insurance world.

Donna Morris

 

August 2012
