Data breaches are all over the news, but convincing some corporate clients to spend in the neighbourhood of $1,000 a year for insurance coverage can be an uphill battle.
Some cyber insurance products cost around $100 a year, but those are “very rudimentary,” suggests Ray Arndt, president of Lyon & Butler Insurance Brokers Ltd., based in the community of Woodbridge north of Toronto.
“As you get into the more comprehensive packages, they can be a few thousand dollars” a year in premium, Arndt said in an interview.
When cyber insurance first became available years ago, “it was only a first-party coverage, so it was only for the cost to repair the breach on your end,” Arndt told Canadian Underwriter.
But with new breach notification regulations taking effect November 1, many insurers are offering coverage for the cost of protecting victims of a privacy breach. For example, Wawanesa says its cyber insurance covers the cost of notifying both individuals affected by a breach and regulators.
“Most of us have been touched by cyber crime, either personally or corporately,” Arndt said, adding there “is a growing understanding for the need” for cyber insurance. Small to mid-sized businesses recognize the need for such coverage, but the “cost discourages them.”
With the federal Digital Privacy Act, passed into law in 2015, it will be mandatory this November for any Canadian firm having a breach of personal information under its control to report it. If it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual,” then the organization will have to report that breach both to the federal privacy commissioner and to the affected individuals.
The Digital Privacy Act made several changes to the federal Personal Information Protection and Electronic Documents Act.
Once the rules are in place, if a data breach were to create a “real risk of significant harm to an individual,” that individual would have to be notified, Bradley Freedman, national leader of Borden Ladner Gervais’ cybersecurity law group, told Canadian Underwriter earlier.
To cover the costs of complying, all organizations “should definitely be looking at whether there is cyber insurance suitable for them,” Freedman said at the time. “Even if the decision, ultimately, is, ‘We are going to self-insure,’ that decision ought to be made in an informed way based on an assessment of the kinds of insurance products that are out there, the premium” and a risk assessment.
Organizations whose data is compromised can be hit with class action lawsuits. One taking place right now in Ontario is against consumer credit rating provider Equifax Inc., which announced last year that criminals were able to access some Canadian consumers’ names, addresses, social insurance numbers and credit card numbers.
Other Canadian organizations that have been subject to data breaches include Hudson’s Bay Company, which said this past April the firm had discovered some of its stores’ point-of-sale systems were infected by malware intended to collect cardholder names, payment card numbers and expiration dates.