SB BI&I Study Shows 87 Percent of Canadian Businesses Experienced Hacking Incidents
Poll of Risk Managers Indicates Companies are Vulnerable
Almost 90 percent of Canadian businesses have experienced at least one hacking incident in the last year, according to a study of business risk managers released today by The Boiler Inspection and Insurance Company of Canada (HSB BI&I), part of Munich Re. More than half (60 percent) believe their companies are dedicating enough money or trained and experienced personnel to combat the evolution of hacking techniques, yet 42 percent do not have cyber insurance coverage.
With the prevalence of cyber attacks in Canada, there is a clear discrepancy among risk managers' perceptions and the level of exposure their companies face from hacking activity," said Derrick Hughes, vice president for HSB BI&I. "Hackers have evolved and so have the risks. Businesses must do more to protect their sensitive information and manage any data breaches."
The survey revealed a notable uptick in awareness and concern about cyber risk following the recent passage of The Digital Privacy Act (Bill S-4). Nearly 70 percent of risks managers said they would be more inclined to purchase cyber insurance coverage for their company due to the new data breach notification requirements.
Concerns about the type of information being breached ranged from sensitive corporate information (50 percent) to personally identifiable information (42 percent) to financial information (8 percent).
When asked about the type of risk management services they would be most interested in deploying to combat cyber risk, risk managers point to intrusion detection and penetration testing (40 percent), encryption (24 percent) and employee education programs (19 percent)
As risks in this relatively new area are still emerging it can be difficult to identify business exposures and address these exposures with adequate insurance protection. Although not inclusive, here is a guide to the types of coverage available for damages received on cyber turf, as described by the I.I.I.(Insurance Information Institute).
Business Interruption – Covers loss of business income as a result of an attack on a company's network that limits its ability to conduct business, like denial-of-service. The coverage may include extra expenses for forensic procedures and loss of income from dependent business interruption.
Business Owners Policy (BOP)—May cover loss from computer viruses and harmful code, but could be excluded if caused by intentional actions by a company employee.
Cyber Extortion – Covers the settlement of an extortion threat against a company's network and the cost of hiring a specialty security firm to investigate and negotiate with blackmailers.
Crisis Management – Insures the expense of hiring a PR or advertising firm to bolster a company's reputation after a cyber incident, as well as notifying consumers of a breach of private information and providing credit-monitoring or other remediation services after a data leak. According to AIG, more than two-thirds of executives and brokers believe a company's reputational risk from cyber attack is greater than financial risk.
Criminal Rewards – Covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of a cyber criminal who has attacked a company's computer systems.
D&O/Management Liability – Can be specifically-tailored to cover cyber liability risks faced by directors in various industries.
Data Breach – Covers the expenses and legal liability resulting from a data breach. Policies may also provide access to services helping business owners to comply with regulatory requirements.
Identity Theft – Provides access to an identity theft call center in the event of stolen customer or employee personal information.
Liability – Covers defense costs, settlements, judgments and, sometimes, punitive damages incurred by a company as a result of breach of privacy due to data theft from credit cards or health information; transmission of a computer virus that cause third-party loss; failure of network systems that are essential to third parties; and allegations of copyright, trademark infringement or defamation activities on the company's website or banner ads posted on other sites.
Loss/Corruption of Data – Covers damage to, or destruction of, valuable information assets as a result of viruses, malicious code and Trojan horses.
Property—Traditional property policies may cover cyber incidents that result in damage arising from a covered loss cause such as a fire, which might be inflicted by an act of cyber terrorism.
Social Media/Networking – Policies in this emerging field provide coverage for exposure for defamation, advertising, libel and slander on social media forums. Umbrella or excess liability policies may provide broader protection on claims against the insured for libel and slander, or plans with higher liability limits.