Generally, cybersecurity is handled up front: companies protect themselves with firewalls, endpoint tools, and network and data cybersecurity solutions to stop attacks before they can breach the company and reach any of its sensitive data. However, with the proliferation of attacks and the growth in infrastructure and technology on the side of both insurance companies and cyber threats, cyber threats are becoming more commonplace. With this increase has come a change in the market: a rise in cyber claims management, or cyber insurance, which protects companies from losses and liabilities incurred from attacks and data breaches.
Prior to 2020, cyber insurance was an expensive form of insurance to offer companies. The cost came largely from the need for claims professionals to be experts in the cybersecurity industry, a quickly evolving sector compared with traditional insurance sectors. With the increase in insurance technologies, including automated claim management systems, and an evolved understanding of the cyber-threat landscape, more companies have developed cyber insurance products. Part of this has been due to a realization that companies do not require legal or IT services in the majority of cyber claims handling; rather, these are only necessary in specific situations.
The increase in cyber threats against organizations is due in part to the overall shift toward online industries and the shift toward remote work caused by the COVID-19 pandemic. This has resulted in a rapid digitalization of business and has increased awareness of cybersecurity vulnerabilities, especially the fragility of home networks and human error.
In 2018, the average cost of a data breach in Canada was almost $5 million, and the average cost to an organization to detect and contain a breach (often including investigations, assessments, audits, and crisis management) is $1.78 million. Similarly, the Australian Government's Australian Cyber Security Centre (ACSC), which works to improve cyber security across Australia, responded to 2,226 cyber claims and received 59,806 cyber crime reports at an average of 164 reports per day from June 2019 to June 2020.
Common cyber threats
As with most types of insurance coverage, an organization has to understand what threats it faces. For an organization that relies on an online presence and uses e-commerce as a distribution method, the needs will be different from those of an electronics service provider that carries customers' personal or commercial information. The questions organizations can consider when looking at cyber insurance include:
- How many records containing personal information does the organization retain or have access to?
- How many records containing sensitive commercial information does the organization retain or have access to?
- What security controls can an organization put in place to reduce the risk of having a system compromised?
- Do all portable media and computing devices need to be encrypted?
- What about unencrypted media in the care, custody, or control of an organization's third-party service providers?
- Could an organization make a claim if it were unable to detect an intrusion until several months or years had passed?