Insuring tomorrow: Navigating cyber risks in the digital age
With the frequency and severity of cyber-attacks continuing to increase, individuals, businesses and governments are finding cyber risks more challenging to navigate than ever. While the average cost of a data breach in Canada decreased slightly from USD 5.64M in 2022 to USD 5.13M in 2023, according to IBM's Cost of a Data Breach Report 2023, Canada remains among the top 3 most costly countries in the world for data breaches, and the financial and reputational impact on victims is ever-present.
Organizations should be making a conscious effort to assess, quantify and manage their cyber risks on a continuous basis. Over the past several years, many organizations have turned to their cyber insurance broker for support in managing their cyber risks, including the placement of cyber insurance policies. Specialized cyber insurance brokers not only have the ability to help their clients assess risk, but they have been placing cyber insurance as a risk transfer mechanism for quite some time. While cyber insurance has proven more onerous & costly for larger organizations to purchase over the past 3-4 years, many buyers will agree that it forms a critical part of their overall risk management strategy and that the cyber insurance market has shown significant signs of improvement over the past few quarters.
Commercial cyber insurance provides expert resources and financial protection for organizations as they work to navigate through privacy & security breaches. Key elements of coverage include but are not limited to:
Cyber Event Management reimburses the policyholder for out-of-pocket expenses incurred to engage legal support, forensics, public relations & more, in the handling of a privacy or security breach. This part of the policy also reimburses clients for costs to notify and provide credit monitoring to impacted individuals.
Digital Asset Restoration Costs covers the costs to restore and/or repair lost or damaged data in the event of a network security failure, and to determine what data cannot be restored, recollected, or recreated. This coverage is sometimes extended to include bricking, which replaces network equipment rendered useless as a direct result of the information security breach.
Cyber Extortion, the area of coverage that has seen the highest severity of loss in recent years, reimburses the insured for reasonable and necessary expenses incurred in responding to a network extortion threat. This coverage includes negotiation costs and ransom payments to the party thought to be behind the threat, where permitted by law. Payment of a ransom generally requires the prior approval of the insurance company.
Business Interruption Coverage reimburses policyholders for lost income and extra expense resulting from a network security breach that leads to the actual and measurable interruption, suspension or impairment of an insured’s computer systems or business operations. Coverage is often also extended to loss of income resulting from impairment of a third party’s computer systems, SaaS, PaaS or IaaS on which the insured relies for regular operation of its business. The strongest policy wordings further expand coverage to include system failure as a trigger of coverage. While standard business interruption coverage responds only when the cause of loss is a malicious third-party attack, system failure coverage goes further to include loss of income resulting from any unplanned, unintentional, or unscheduled network outage.
Privacy & Security Liability covers defence costs and damages arising out of the failure to protect sensitive personal or corporate information in any format, for which the insured is legally responsible. This section would also cover defence costs and damages arising out of the failure of network security, including unauthorized use of corporate systems, a denial-of-service attack, or the transmission of malicious code.
The Regulatory Proceedings coverage in cyber policies responds to cover defence & investigation costs in the event of an investigation by a governmental or regulatory entity. Regulatory fines and penalties may be covered, but only where insurable by law. This is an aspect of coverage where we have recently seen more claims, with changes to privacy regulations in Canada and globally.
When purchasing cyber insurance, it is critical for organizations to understand not only what is covered but also the types of events that might not be covered. Cyber policies exclude things like telecommunications & critical infrastructure failure, misconduct or criminal acts of senior executives, and bodily injury & property damage. Cyber insurance buyers should dedicate as much time to reviewing the exclusions under the policy as they do to reviewing the insuring agreements. A good broker will take the time to walk through the various elements of coverage, while comparing the offerings from various insurance companies to pick the option that best aligns with your needs.
Cyber insurance should be considered when developing or revising an organization’s cyber risk management strategy, as it can help to address the residual financial risk that remains after implementing the necessary governance & controls. We will likely see continued pressure from boards and trading partners for organizations to procure, or at least consider procuring, the coverage, so it is best to start the process sooner rather than later.