At a 2012 Cyber & Privacy Risk conference changes in cyber risk were noted:
1. Cyber attacks have become pervasive
2. current defensive systems aren't working, and
3. Cyber risk is getting bigger and broader.
The Office of the Privacy Commissioner of Canada (OPC) has private-sector privacy legislation in place (including PIPEDA), that outlines accountability and what is expected in a privacy management program. And you can't have privacy without security. Privacy breaches and complaints can be investigated or audited, so compliance on privacy and data breach protocols is more important than ever.
Every organization needs to know what personal information it holds (and whether it really needs it at all). Organizations must protect that personal information they hold, and what is reasonable depends on the sensitivity of the information.
A senior researcher at Trend Micro reported that the "exploit kits" - "a bundle of code that lets hacker exploit the most prevalent flaws in the general user base... lets hackers cast a wide net so the don't have to be choosy about their victims". So being a small organization doesn't necessarily mean you won't be hit.
The Wall Street Journal reported that the Canadian Cyber Incident Response Centre was investigating attacks on an internet technology provider, from outside the country. And some businesses are being hacked from the inside by employees.
Social media users are experiencing identity fraud more and more. There is an identity fraud rate of 10% among Linked In users; 7% for Google Plus users, 6.3% of Twitter users and 5.7% of Facebook users.
So what can a Cyber Liability insurance policy provide to help Canadian businesses respond to a cyber attack? This is still a developing area for insurers, so the policies are not altogether consistent, but there are typically a few main areas of insurance:
A. Privacy / Content Liability to address your legal liability for the party suffering the 'damage' - which may include financial compensation, and even regulatory fines in some cases;
B. Privacy Breach / Notification expenses to comply with regulations, notify individuals affected, as well as crisis management and public relations (to restore and protect reputation);
C. Network Security / Data protection expenses to restore data and regain and control.
The Economical Insurance company also offers cyber insurance for small and mid-sized companies with a solution to address the financial impact to your customers, and address costs to your business and reputation. The frequency of a cyber attack or privacy breach for small businesses may be low - although it is growing annually; but the severity of a claim that does happen can be very costly. Cyber insurance is readily available, and offering more value as it evolves.