Canadian Underwriter

Why brokers shouldn’t focus on breach notification law when selling cyber

November 26, 2018   by Jason Contant


The nation-wide mandatory data breach law that came into effect Nov. 1 is “a good way and a reminder to start the conversation with their clients,” but brokers should ultimately focus selling efforts on the crime and business interruption aspects of cyber insurance, an insurer suggested Monday.

The federal Digital Privacy Act requires organizations to disclose data breaches if they pose a “real risk of significant harm.” The act was passed into law in 2015 and amends some sections of the Personal Information Protection and Electronic Documents Act (PIPEDA).

“We don’t feel it’s the main tool that brokers should be selling cyber insurance through,” Lindsey Nelson, international cyber team leader with CFC Underwriting, said of the PIPEDA changes. “There should be a realization by brokers that cyber is relevant to every single client of theirs, regardless of what type of business they are.

“We hear a lot of buzz about PIPEDA in the market and notification costs and the $100,000 fine per offence,” Nelson said in an interview with Canadian Underwriter Monday. “We’d like that to be acknowledged, but it should be sold on the crime and business interruption [aspects], which is ultimately going to address more clients for them and act as a better return on their business conversion rates for their own portfolios.”

While there are still “big headline breaches” being reported in the news, “what we’re hearing less about are the small and mid-sized firms that fall victim to funds transfer scams or suffer systems outage problems,” Nelson said. “So those first-party losses naturally are only affecting the company who experiences them.”

As an example, one of CFC’s clients is a five-person engineering firm with less than $1 million in annual revenue. It suffered a six-figure loss recreating its data from scratch after a ransomware attack.

“Those are the events we are not hearing that much about,” Nelson said. “And yet there is still a lot of focus on PIPEDA and privacy and notification costs when the reality is that’s just not where the claims activity and the incidents are occurring. While PIPEDA is important to acknowledge in terms of potential notification costs, it’s a dangerous misconception to purely sell cyber insurance to clients on that basis alone.”

At CFC, privacy breaches resulting from a hack account for only 12% of its claims activity, while cybercrime, including ransomware, remains its largest source of claims by frequency on the business interruption side. For organizations where data is more of an exposure – such as retail or healthcare operations – cyber insurance should really be looked at for the incident response services it can provide, particularly in terms of how notifications are managed under PIPEDA.

“What we want to avoid under the new provisions are clients trying to manage the incidents themselves rather than turn to their cyber insurer or an outsourced third-party provider for guidance,” Nelson said. “Because notifying more individuals than necessary or incorrectly can ultimately lead to customer drop-off and loss of profits and damage to the insured’s own reputation.”

Nelson pointed to a property management client that had fallen victim to a ransomware event. The client produced monthly financial reports for its own clients. Because of the attack, the reports had to be created manually and contained errors.

“Eventually, their customers are getting fed up with the fact that their reports are coming back slow because of their systems being down,” Nelson said. “It was purely a ransomware event that resulted in lost customers and a drop off in their customers because of the way their services were being provided as they were trying to rectify the incident.”