Cyber risks are very real and the damage to our companies is often very great. Since 2020, small and medium-sized businesses have been offered a new type of insurance to cover them. What is cyber risk insurance?
In this article we’ll answer that question and give you a list of actions you can take to pay only for the coverage you need.
A cyberattack on an insurer
On December 12, 2020, Promutuel, an established insurance company, suffered a cyberattack that as of this writing is still crippling its operations and customer service. Did it have a cyber risk insurance policy itself? Should your business also have one?
DEFINITION: INSURANCE AGAINST CYBER RISKS
It is insurance that protects your business from financial losses due to the cost of cyber dangers and the loss of private information belonging to its customers or its partners.
Cyber attacks are one of the four main sources of cyber risk, which also include identity theft, data breaches and degradation of your ability to operate.
Cyber attack is the broadest term of the four. It includes any disruption to operations, theft or destruction of data originating from or affecting a company’s IT resources.
Related to vendor fraud, corporate identity theft is when the owner’s identification information is used to fraudulently obtain a loan or to commit criminal acts. Scams and phishing are the means most often used for what is often called whaling or CEO fraud.
This kind of situation is often highly publicized and is the subject of sharply increasing government fines. Also associated with the protection of privacy, a data breach is when company data is accidentally lost, stolen or disclosed. The source can be external, like a cyberattack, but it can also come from inside.
The government gets involved
On June 12, 2020, the Quebec government tabled a bill revising fines for the protection of personal information. Currently under detailed study in committee, this law, which should be adopted shortly, will impose fines of $15,000 to $25 million on a company found to be delinquent, or an amount of 4% of the company’s turnover if that amount is higher. Will our businesses be even more at risk with this law? Certainly.
Degradation of your ability to operate is the intentional disruption of your business operations. It results either from the introduction of a virus or malware into your network, or from a denial of service attack (Distributed Denial of Service, DDoS). Its purpose is to halt your operations in retaliation or to obtain a ransom payment.
What cyber risk coverage do you need for your business?
Cyber risk insurance does not protect the business against cyber risks, but provides funds for the business to recover from a disaster. The more you minimize the potential for these types of claims and the impact they can have on your organization, the less your coverage will need to be.
Like an alarm system, fire protection or a system that shuts off the water inlet when a leak is detected, securing your IT can lower your cyber risk insurance premium.
5 questions to measure the required coverage
Taken from a quote made in 2020, here are five questions asked by a Quebec insurer to an SME.
- Do you have firewall protections and anti-virus software or software that detects malware in place?
- Do you turn on automatic updates for your operating system and install critical updates on the software you use for your operations?
- Do you protect electronic equipment (computers, laptops, cell phones, tablets, etc.) used for your professional activities with passwords?
- Do you check at least every thirty days and have a recovery point that is less than 30 days old on your systems?
- I confirm that to the best of my knowledge there are no facts or circumstances that are reasonably likely to give rise to an allegation of a breach of privacy against my business due to an unauthorized breach of protected personal information.
Generally, risk insurance can include three types of guarantees. You can act on each of them to reduce the risk to be insured.
Guarantees and how to reduce their cost.
Cyber damage guarantees
Definition: They protect the activities of the company against operating losses and additional operating costs.
Risk reduction: Implementation of a resilience plan that reduces the time required for recovery after attack or disaster.
Cyber liability guarantees
Definition: They cover claims related to breaches of computer security and personal data.
Risk reduction: Establishment of a security monitoring center, fortification of systems and continuous training of personnel.
Crisis management guarantees
Definition: They are used to preserve the activity of the company in the event of a disaster, as well as its reputation with its customers and employees. In the event of an attempted extortion, they may also bear certain negotiation costs.
Risk reduction: Implementation of a system virtualization plan and protection against encryption of backup data.