April 4, 2020 by Emily Atkins, Freelance Writer
Data breach losses are predicted to cost more than US$5 trillion in 2024, and at least 7.9-billion bits of personally identifiable information (PII) were exposed through cyberattacks in 2019 alone.
These staggering numbers point to an alarming potential gap between insurance coverage and actual business continuity needs. Brokers may not be equipped to deal with the complexities of this new threat, and cybersecurity experts are warning that underinsurance is a big risk for many of Canada’s smaller businesses.
Katherine Kolnhofer, a cybersecurity expert and litigation partner at Bell Temple LLP, recently highlighted the coverage gaps that exist when a cybercrime incident occurs. She spoke about the topic at a recent Ontario Insurance Adjusters Association conference, where she suggested that brokers need to adapt to fully understand the issue.
“The challenge is that cyber is now a specialty space,” Kolnhofer said in an interview with Canadian Underwriter. “It’s an intimidating space. If you’ve done traditional property and liability work as a broker, the technology aspect of it is daunting. Brokers need to educate themselves on the technical aspects of cyber to be able to advise their clients on the proper limits and coverages.”
Neal Jardine, cyber practice leader and a senior general adjuster at Crawford and Company (Canada), said that limits on policies are growing. Like Kolnhofer, he believes brokers need to evolve their understanding of cybersecurity.
“If you’re quoting a building in downtown Toronto, brokers know that the distance to a hydrant will determine the severity of a fire loss,” he said. “The challenge we have today with cyber is we don’t have the same experience as we do with fire. We are still learning what are the best risk mitigation techniques.”
Businesses with traditional professional liability and property coverage may expect that the liability portion of their claims will be adequate to mitigate losses and cover the costs of mandated responses to cyber incidents. But that’s not often the case.
The Insurance Brokers Association of Ontario is working with brokers to cover the knowledge gaps. Joseph Carnevale, the association’s president, notes the group has added cyber as a key topic at many broker events to help ensure members have the latest information.
“Many brokers and brokerages already specialize in cyber,” says Carnevale. “As with all lines of insurance, brokers only offer advice and sell insurance coverage they’re well-equipped to sell. Brokers active in the commercial space are well-versed to educate and sell cyber to their clients. Similar to other speciality lines, many brokerages have in-house experts to support their staff.”
Dedicated, standalone cybersecurity coverage products are hitting the market, although many businesses rely on their existing corporate liability policies.
“If businesses do not have an affirmative cyber policy, and they are relying on coverage for a cyber incident under a traditional property or liability policy, it could be the difference between surviving a cyber attack and going under,” says Kolnhofer. “If businesses have one of those silent-type policies, they may end up in a coverage dispute. But there are a lot of really positive initiatives by insurers to produce some clarity and certainty around these products.”
Kolnhofer feels that the increase in affirmative, standalone policies — policies that are dedicated to protecting against cyber risk — represents a good step forward for the industry. Jardine agrees, saying that writing explicit policies will help to avoid confusion and solidify the insurance.
A famous cyber insurance coverage dispute arose from the 2017 NotPetya ransomware attack, which affected dozens of major corporations, including Mondelez and Merck. In 2018, when the U.S. government declared the attacks the work of the Russian government, insurers — Zurich among them — triggered an exemption in their policies for acts of war. Mondelez and Merck are now in protracted legal disputes with their insurers over the incident, which cost them US$100 million and US$700 million, respectively.
Those numbers are frightening; the risk they represent applies across the gamut of businesses. In our increasingly connected world, almost every business risks becoming collateral damage. Small and medium-sized enterprises (SMEs) in any major industry run the risk of being caught in the digital crossfire. SMEs are increasingly the target for ransomware attacks. “Ransomware is going after SMEs and municipalities – that’s where the money is for hackers because they don’t have the same cybersecurity resources as large businesses,” Jardine said.
Although many businesses consider themselves exempt from cybercrime because they don’t use or hold valuable customer information, they’re still vulnerable, Jardine said. “It’s not about the information you have, it’s about how valuable that information is to you. The fact that you have designs for X-widget has zero value to most people, but your business depends on it. If all your data walked out the door tomorrow, how much would that cost? Buy that much coverage.”
This is where generalist brokers might not see the full picture. Consider, for example, the differences between business interruption and extra expense coverage in the context of cybersecurity. “You might be back up and running within a day,” says Jardine. “But then there are costs for the extra server space, temporary drives, and additional software.”
Jardine believes adjusters have a role to play in helping businesses and brokers understand the risks and protect against them. “Pre-breach protocols are very important,” Kolnhofer agreed. She added that she still sees businesses that lack even a basic security protocol. “They may not have a firewall or a password policy in place. It’s not expensive to implement those basic levels.”
A couple of years ago, it was common for an SME to take out a $50,000 cyber line. These days, however, Jardine is seeing limits that start around $250,000. Even then, it might not be enough. Older policies are inadequate when it comes to covering the obligatory response to a cyber attack under new regulations. “It can be a $65,000 investigation for something as simple as a lost email,” he said.
“The clients I am working with in the SME space are taking out coverage in the seven-figure range, especially where they have a lot of PII,” Kolnhofer noted.
She cited the example of a mid-sized financial services company that had the names and social security numbers of 200,000 affected individuals compromised. The total first-party loss to the firm was $3.5 million. That covered the forensic investigation, the incident response (including notification to those affected customers), and two years of credit monitoring for each of them. Those costs would cripple even the most robust SMEs.
“There are all these specialty lines being written,” Kolnhofer said. “With the quickly-evolving innovation of technology, the job of the underwriter to try and anticipate what sort of losses might arise from the result of a cyberattack is very challenging. As the space evolves, there will be increased standardization and certainty.”
Carnevale is working to increase the level of coverage. “I personally have had many occasions to educate my clients on the need for cyber coverage,” he said. “Many still believe a breach isn’t likely to happen, and most haven’t budgeted for a cyber policy. But as more businesses experience cyber hacks, and receive negative publicity as a result, cyber coverage will become a staple for SMEs.”
Emily Atkins is a freelance author based in Ontario. She is the past editor of Claims Canada.