All About Cyber Insurance: What is it, What’s Covered, and Why Do You Need it?
January 7, 2021
It’s no secret that cybercrime is on the rise. With widespread digitization, rapid technological change, and increased connectivity, information is quickly leaving the physical world. More data is being collected, stored, and shared online than ever before. But that also means more criminals are using the internet to deceive users, steal information, and commit fraud than ever before.
How can you balance working in a digital world with the threats of cyberspace? How will you keep your clients—and their private information—safe? More importantly, how will you keep your business safe? Cyber Insurance is your best bet. Read on to learn more about what it is, what’s covered, and what’s not!
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive nor will it apply to all policies, individuals, situations, or circumstances. The specific terms of your policy will always apply.
What’s a privacy breach?
Before we jump into Cyber Insurance, here’s a quick refresher on privacy breaches. According to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), a privacy breach refers to loss of, unauthorized access to, or improper disclosure, retention, or disposal of confidential data, resulting from the breach of an organization’s security safeguards or failure to establish adequate security safeguards.
Confidential data includes any kind of sensitive personal or financial information, like credit card numbers, bank details, health information, usernames and passwords, network credentials, trade secrets, intellectual property, and more.
In Canada, all privacy breaches must be reported to affected individuals, the appropriate governing body, and the Office of the Privacy Commissioner of Canada. Failure to do so can lead to regulatory compliance violations and any associated fines and penalties.
What’s the difference between a privacy breach and a cyberattack?
A cyberattack is a type of data breach that allows cybercriminals to spread malware (harmful software like viruses, worms, and spyware), infiltrate users’ devices, networks, or systems, and obtain valuable data.
Where do privacy breaches come from?
Threat actors employ many different strategies to disrupt organizations, but some of the most common methods include:
Physical Access: If devices are left unattended in public, hackers, fraudsters, and other threat actors can tamper with or steal them.
Phishing: When attackers try to trick, coax, or “phish” people into sharing sensitive information by clicking on fake links, opening infected attachments, or downloading malicious software.
Ransomware: A type of harmful software that locks users out of systems, devices, and files and demands payment for their safe recovery. Even if a ransom is paid, there is no guarantee that users will regain access or that data won’t be sold or leaked online.
Denial of Service (DoS) Attack: A form of traffic manipulation in which the attacker floods the bandwidth of a targeted system, like a VPN server or other web-based app, with hundreds of useless connections to crash the servers and gain access to valuable data.
Spoofing: When a cybercriminal impersonates another user, device, or network to attack hosts, spread malware, or bypass access controls. Spoofing also includes wireless hijacking, in which hackers create a fake Wi-Fi network that uses the same name as a legitimate one.
Password Spraying: A type of brute force attack in which hackers use bots (Internet robots that perform repetitive tasks) to submit as many passwords as possible until the correct one is guessed.
What’s Cyber Insurance?
Cyber Insurance (also known as Data Security & Privacy Breach Insurance) covers a variety of liability expenses following a privacy breach, cyberattack, or other security-related incident. That includes legal fees, damages, and any recovery costs for both first parties and third parties.
First-Party Cyber Liability coverage pays for any costs directly incurred by your firm due to the breach.
Third-Party Cyber Liability coverage applies to any claims made against your firm by people or companies that have been harmed or experienced a loss as a result of your actions or failure to act.
If your business suffers a breach, your general liability policies won’t protect you—they’re not specifically designed to address cyber risk. But a dedicated cyber policy can help you protect your digital assets and get your business back online in no time.
Depending on your policy, Cyber Insurance usually includes:
Legal Defense: Access to experienced defense lawyers and a legal privacy breach coach to advise you on regulatory compliance, guide you through the legal process of navigating a breach under attorney-client privilege, and tell you what to report, how, and when.
Legal Expenses: Funds to cover legal fees, third-party damages, settlements, regulatory fines, and related payments for any lawsuits brought against you and your company by individuals or organizations affected by a privacy breach. This may also include the cost of cyber extortion from any ransomware or social engineering attacks.
Remediation Costs: Funds to set up breach notifications to all affected parties and credit monitoring for individuals or organizations whose information may have been compromised.
Business Income Loss: Coverage for lost revenue or other monetary losses caused by an interruption in services, such as network downtime, information corrupted or deleted in an attack, and data loss recovery.
Forensic Investigations: Access to an IT forensic investigations team to help you determine the size and scope of a breach, how to repair the damage, and prevent any future occurrences.
Crisis Management: Access to a team of marketing and public relations consultants to help manage any reputational damage in the wake of a breach.
And much more!
In addition to Cyber Insurance, some carriers and brokers also offer risk management and cyber education tools that will help you mitigate your exposures and ensure that you’re in the best position possible to deal with a breach when it happens.
Generally speaking, Cyber Insurance policies do NOT cover:
Negligence: When it comes to cyber risk, ignorance isn’t bliss—it’s negligence. And your insurance won’t kick in for any incidents or claims that arise from deliberate inaction regarding cyber threats, poor security practices, or willful noncompliance with privacy legislations, regulatory requirements, or even security standards set by the insurance company itself.
Betterment: Cyber Insurance doesn’t cover costs related to improving internal technology systems, such as new hardware or software upgrade after a cyber event. Most policies will simply help restore the company back to where it was before the attack, old software and all.
Bodily Injury or Property Damage: In an increasingly interconnected world, cyberattacks often have very real and tangible consequences. For example, in production, shipping, and distribution businesses, a cyberattack could potentially lead to manufacturing defects, spoiled goods, and other business disruptions. However, claims of bodily injury or property damage arising from a cyberattack will only be covered by Commercial General Liability Insurance, not a Cyber policy.
We’ve said it before and we’ll say it again to be clear: Cyber Insurance isn’t a replacement for cybersecurity. You should still invest in preventative measures to reduce the risk of a cyberattack. After all, the best way to ward off a breach is to keep one from happening.
But in case that’s not enough, Data Security & Privacy Breach Insurance can provide you with the resources and support you need to recover your business and regain your clients’ trust.
Need guidance? We can help. With over 40 years of experience of serving professionals across various industries, you can rely on a broker like PROLINK to stay protected in the face of your unique cyber threats. We’ll take the time to listen, understand your business, and align you with a comprehensive plan that suits your professional needs—and your budget.
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.