Breaching the Divide - What You Should Know About Purchasing Cyber Insurance
By Rehana Moosa
This article was originally published by The Lawyer's Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.
Homer Simpson once said, "If something is hard to do, then it's not worth doing." Purchasing cyber insurance can certainly be a challenge, between trying to select the right coverage and ensuring your policy limits are sufficient. However, contrary to Homer's opinion, understanding how to buy the appropriate coverage is worth the effort.
As with many types of insurance, most insureds do not understand their cyber coverage until a loss occurs and a claim is filed. It is only then that the impact of the policy wording, exclusions and limitations becomes clear.
Since every business is unique, it is recommended that a broker or lawyer with experience in cyber insurance be consulted prior to purchasing coverage, as they can assist in determining the appropriate coverage for an insured's specific circumstances. In this article, we explore a few key factors (from an accounting perspective) to consider when purchasing cyber coverage or reviewing a current policy.
- Type of business — First party cyber coverage includes coverage for business interruption losses and extra expenses. While most insureds will incur extra expenses as a result of a cyber attack (e.g. employee overtime), not all insureds will experience a business interruption loss. Some businesses are able to mitigate or avoid losses of revenue by, for example, performing tasks manually, diverting work to subcontractors, or delaying work on a file or project until systems are restored. Businesses in this position may choose to purchase less business interruption coverage if losses of revenue can potentially be reduced.
- How revenue is earned — Most cyber policies provide coverage for a very short period of time, generally 30 to 120 days. If a business earns revenue primarily through long-term contracts or over an extended period of time, any business interruption losses that occur beyond the period of coverage may not be covered. Some policies do provide coverage for longer periods, subject to certain conditions. These policies may be more suitable for businesses that earn revenue over a period of time.
- Ability to continue operating if systems are down — A few years ago, a health care organization was the target of a ransomware attack. Following the attack, the insured was unable to receive and transmit patient information electronically, and instead, had to rely on fax machines. The problem, however, was that their younger employees had never used a fax machine before. Although the insured was able to continue operating by using fax machines, several hundred employees had to be trained on the use of the equipment and the learning curve was steep, causing delays in completing patient treatments. It is important to consider how operations may continue if systems are down for a period of time, as this can impact the amount of coverage purchased. This may mean reassigning staff to work on critical tasks, working overtime, transferring orders to subcontractors, performing tasks manually, or taking orders over the phone instead of through the company website. Delays associated with these approaches should also be considered.
- Type of data stored / tracked — Several class actions have been launched against companies that have experienced a data breach. For example, after hackers stole personal information following a data breach at Equifax Canada in 2017, a class action was launched by several individuals who were impacted. This type of claim would fall under third party cyber coverage, where a third party suffers a loss as a result of an insured's actions, and seeks compensation from the insured. Understanding the nature of the data that is stored and tracked, and the risk associated with a potential breach of such data can determine the amount of third party coverage that may be required, and the likelihood an insured will face litigation in the event of a data breach. For example, a business that tracks customer social insurance numbers and bank account information may face a greater risk than a business that only tracks customer names and mailing addresses.
- Ability to reduce / eliminate costs — With respect to business interruption losses, cyber insurance policies generally calculate the losses as either: (1) the loss of net income only; or (2) the loss of net income plus all costs that continued while systems were impacted, including payroll. A business that has mostly fixed expenses may benefit from purchasing a policy that includes coverage for continuing expenses, since fixed expenses will continue even if revenues are down. An example is a business that has unionized employees (where it may not be possible to implement temporary layoffs), with payroll being a large expense. If a business has mostly variable expenses, a policy that quantifies business interruption losses based on the loss of net income alone may suffice, since many expenses will decrease or cease if revenues decline.
Questions to Ask an Insurer / Broker
Before purchasing a cyber insurance policy or when reviewing your current one, questions you can review with your insurance company or broker include:
- What criteria must be met for coverage to apply?
- How are business interruption losses calculated under the policy?
- What does the policy cover with respect to extra expenses?
- What criteria must be met for the extra expenses to be covered?
- Does the insurance company have a panel of experts the insured can be referred to following a cyber attack?
- What is the indemnity period?
- What are the exclusions?
Purchasing cyber insurance requires a great deal of thought, and brokers and lawyers with experience in this area can provide invaluable assistance. Given that insureds have detailed knowledge about their business and the potential impact of a cyber attack, insureds can assess their businesses based on the factors listed above, and work with a broker to identify the appropriate coverage for their specific needs. This will ensure there are no surprises if a cyber insurance claim is filed in the future.
Communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. For permission to republish this content, please contact Rehana Moosa Forensic Accounting Professional Corporation.