‘The cost nobody talks about’ with cyber

Brokers are advised to factor in the cost of reputational harm for their commercial clients when discussing cyber policy, because that’s typically the most expensive aspect of a breach.

Clients typically focus on costs related to notifying clients and forensics, but reputational harm can include greater and more long-term costs such as a drop in share price and lost customers, explained Lindsey Nelson, cyber development leader at CFC Underwriting.

“When we’re talking about cyber claims, it’s typically the costs that nobody talks about that end up being the most expensive for the victim of the event,” she said. “I think that’s fairly understandable when it’s a cost that only affects the business rather than their customers and the larger public.”

She used the example of the Capital One cyberattack from 2019. The costs for notification, forensics, and credit monitoring amounted to about $150 million. But this was a highly-publicized event and “very little was [mentioned] about the 6% share drop that they experienced as a result, which is essentially reputational harm and inaction.”

Reputational harm is more relevant now because businesses have an obligation to notify their customers when their data has been compromised, Nelson told Canadian Underwriter.

Consequently, “customers are likely to either cancel their contracts or take their business elsewhere,” she said. “At CFC, we’ve seen several instances in which we’ve had insurance policyholders experiencing downtime of their systems, and they were actually forced to re-route their customers through their competitors in order to fulfill time-sensitive services that were required. So it’s not a position that any business envisions themselves being in.”

iStock.com/Christian Horz

About 90% of Canadian businesses out there don’t have a cyber policy, Nelson said. So a broker may be used to hearing their clients say their internal IT department can thwart an attack, or at least handle the effects of one. But it shouldn’t be an either-or scenario. A cyber policy works with an IT department and provides a different level of protection that the internal department cannot.

“A good proportion of clients still have the now-very-antiquated perception that a cyber event is never going to happen to them,” Nelosn said. “But I think actually a larger percentage feel that if they do have one, their IT department is going to handle it effectively. But as time has consistently shown, IT and incident response — though they’re very complementary to one another — are two very different things. Incident response gives you access to specialist experts who can project manage and triage forensics, negotiations with the criminals, legal response — and they can often work with IT departments.

A broker should warn their clients that, if not handled effectively, the cyber incident could quickly become a bigger problem.

“The ransom demand can work out a multiplier [and] get larger than it needs to be,” Nelson said. “The system rebuild costs can be even more expensive; what they offer their customers can be financially detrimental.”

Feature image by iStock.com/marchmeena29