One in five risk managers surveyed not sure whether their cyber insurance policy covers data in cloud servers: RIMS

Four in five risk managers surveyed said their company has a stand-alone cyber insurance policy, though only three in four reported their policy covers network/business interruption, Risk and Insurance Management Society Inc. said in the 2016 RIMS Cyber Survey, released Monday.

There were 272 respondents to the survey, which was distributed to RIMS members via an Internet link, and was “in field between August 8 and September 9, 2016.”

When asked whether their company has a “stand-alone cyber insurance policy,” 80% of respondents said yes, 19.5% said no and 0.5% said they were not sure.

Respondents were asked whether their organization’s cyber insurance extends to data stored in cloud servers. More than two-thirds (69%) said yes, 9% said no and 22% said they were not sure.

RIMS also asked members which losses were included in their cyber insurance policies. More than nine in 10 (91%) said breach notification costs. About one in four (27%) said theft of trade secrets; 80% said data recovery; 50% said professional liability; 76% said network/business interruption; 78% cyber extortion and 63% said fines and penalties.

Among U.S. respondents, 48% the U.S. government should mandate breach reporting.

“Regulators and legislators in many countries have been debating whether or not to mandate and standardize cyber breach reporting,” RIMS said in the report.

In Canada, the federal Personal Information and Protection of Electronic Documents Act was amended to provide for mandatory breach notification.

However, amendments to PIPEDA “dealing with breach reporting, notification and recordkeeping will be brought into force only after related regulations outlining specific requirements are developed and in place,” a spokesperson for the Office of the Privacy Commissioner of Canada told Canadian Underwriter earlier.

The amendments to PIPEDA were tabled by the previous Conservative government, in Bill S4, the Digital Privacy Act. The Liberals were elected in October, 2015, four months after the Digital Privacy Act attained royal assent.

The breach notification regulations were not in force as of this past April, said Vance Lockton, senior analyst for stakeholder relations at the Office of the Privacy Commissioner of Canada. Lockton made his comments April 30 during a presentation at the Insurance Telematics Canada conference in Toronto.

“The most recent timeline that we are hearing is that it will probably be in force somewhere around the fall of 2017,” Lockton said during his presentation, titled Economics of Personal Information – Consent in the Digital Age.

Canada’s department of Innovation, Science and Economic Development published this past March a discussion paper intended to solicit input and views on breach notification regulations. Ottawa stopped taking comments May 31.

“Comments received will be taken into consideration in the preparation of the draft regulations,” the Innovation, Science and Economic Development department government in the discussion paper.

In the discussion paper, the government asks stakeholders whether information required, under a voluntary report form currently used by OPC, should be included in mandatory reports.

Under its voluntary privacy beach notification form, OPC asks organizations to include, among other things:

-Date and location of the breach and date of its discovery;

-Description of the incident;

-Cause of the breach;

-Estimated number of individuals affected;

-Relation of those individuals to the organization (employee, customer);

-Type of information involved;

-Measures taken by the organization to contain the breach; and

-Whether anyone else has been notified of the incident (affected individuals, law enforcement) and when.

Canada’s Digital Privacy Act “would require organizations to keep records of data breaches of any kind,” federal privacy commissioner Daniel Therrien said, in February, 2015, before the House of Commons Standing Committee on Industry, Science and Technology.

“We will be able to review their records to determine whether or not appropriate breach notification has occurred, and it will allow us to determine trends generally on the issues so that better advice can be given to organizations and individually,” Therrien said at the time.