Even if small or medium-sized businesses do everything to protect themselves against hackers, they may want to consider a second line of defence – cyberliability insurance.
It's relatively new, but it's a growing area for insurance companies. And with the advent of worldwide threats such as the recent WannaCry ransomware virus, it is suddenly a more urgent consideration than ever.
"We haven't had a lot of requests so far, but it's a huge field," says Mark Lipman, president of Consolidated Insurance Brokers Ltd. in Toronto.
By the end of last year, the worldwide market for cyberinsurance was about $3-billion (U.S.), according to a report from Allied Market Research of Portland.
The market is expected to grow year over year by 28 per cent and reach $14-billion in gross premiums by 2022, Allied's report says.
Mr. Lipman says that, to date, the SMBs his brokerage deals with tend to add on a small amount of cyber-related coverage to their standard commercial policies.
"It's usually around $25,000 in coverage – which costs an extra $100 on a $1,000 commercial policy," he says.
Mr. Lipman adds that his firm recommends that SMBs boost their coverage, because of the ever-growing risk of cyberattacks. "We put it [a recommendation] in all the letters we send, either to take coverage or to increase it."
While this may sound like a self-serving sales pitch by insurers, trends and statistics suggest that the threat of attacks on SMBs is not only real, but also growing fast.
"Cybersecurity insurance is becoming a must-have for most businesses. There is simply no way for an organization to be completely protected from a breach," say Rohit Sethi, chief security officer for Security Compass, a Toronto-headquartered firm that provides tech-based protection for corporate data.
"This is especially true for SMBs who rarely have security teams on staff and can scarcely afford many leading-edge security solutions. Insurance helps mitigate the financial impact to any company, but every business should treat it as an additional safeguard," he says.
Small businesses appear to be growing targets for phishers, spear-phishers and cyber-ransomers. A report by security firm Symantec noted in 2014 that attackers targeted small businesses 34 per cent of the time – an increase from 11 per cent just three years before.
Lawyer Lisa Lifshitz, a partner at Toronto firm Torkin Manes LLP, says it has been estimated that criminals launch 3.5 new digital threats against SMBs every second.
Writing in Canadian Lawyer magazine, she said that, "29 per cent of all small businesses have experienced a computer-based attack that affected their reputations, involved the theft of business information, resulted in the loss of customers or experienced network and data centre downtime."
While any SMB can be a cybercriminal's target and suffer damage, the risk goes up if the business's data is ultrasensitive. Since 2014, LawPro, the mandatory insurance program covering Ontario-based lawyers, has included coverage for up to $250,000 for cybercrime.
This coverage is "modest" for firms whose data can easily be compromised in, say, a $1-million residential real-estate deal. "We say modest because, like the fraud risks the profession has faced over the years, there is no way to predict the total possible exposure," LawPro says.
Lawyers (and others) should always look to what's covered and what's not covered in their cyberpolicies, says Addison Cameron-Huff, a Toronto-based tech lawyer. "The interesting part of every policy is the exclusions," he says.
Indeed, LawPro cautions its lawyer policy holders to "remember that any losses from cybercrime that are not connected with the provision of legal services will not be covered … [such as] damage to equipment or software, business interruption and reputational harm."
Lawyers, and any other SMBs, can buy coverage that either pays out more or includes more possible types of losses. But it's buyer beware, Ms. Lifshitz warns.
"Every insurance company deals with coverage differently. There are always going to be carve-outs" for situations that insurers won't cover, she says.
Speaking in an interview, Ms. Lifshitz adds that insurance companies will do their own due diligence of SMBs before offering coverage. It's the equivalent of having an inspector come to your house to see whether you have railings and fire alarms before you get home coverage.
If a smaller entity hasn't taken the steps to become cyberinsurance ready, they're not going to get coverage, she says.
The Insurance Bureau of Canada has published a checklist for businesses looking for cyberinsurance. These businesses should ask themselves:
– How many records with personal information does your company keep?
– How much sensitive commercial information do you keep?
– What security do you have in place that might reduce your insurance premium?
– Do you need to encrypt all your laptops, phones and tablets?
– Do any third parties you deal with have unencrypted media?
– Would you be able to make a claim on the policy you choose even if you haven't discovered a breach for several months or years?