Every year CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber-threats. This year’s survey was conducted by The Strategic Counsel in July and August, and collected over 500 responses from IT professionals across the country. This is blog one of five in the series for 2021.
“It’s not if you’re hacked, it’s when.” This old cybersecurity maxim explains why more businesses are purchasing cybersecurity insurance. Despite their best efforts to prevent being hacked, too often defenses fail – and the results can be costly.
When it comes to managing risk, prevention can’t be ignored – but neither can recovery. An insurance policy that covers damages related to hacks is one way to prepare for the worst, but isn’t a panacea. Cybersecurity insurance is still a nascent industry that is very much buyer beware. Providers require compliance with a minimal set of security standards, the policies contain exceptions, and the coverage may not always be enough to cover the losses.
When insurance emerged as a way to control cyber liability in the 1990s, the biggest worries were data processing errors and lawsuits related to online media, according to California-based broker Colony West. Then, in the 2000s, first-party insurance emerged to cover data breaches and lost productivity time.
Flash forward to 2021, where adoption of cybersecurity insurance is growing in parallel with the growing number of cyber attacks. At the same time, expenses are soaring due to hefty ransoms paid to hacker groups and massive fines paid to regulators policing the storage and transfer of personal information online.
In Canada, cybersecurity insurance has become a popular tool for managing risk. According to CIRA’s 2021 Cybersecurity Survey, six out of 10 Canadian organizations with more than 50 desktops have cybersecurity insurance coverage. Three in 10 have a cybersecurity-specific policy.
Insurance buyers have over 260 different cyber insurance products to choose from, based on a market index tool provided by Insurance Business Magazine Canada. Those providers are enjoying a rush of new applicants during the course of the pandemic, some driven by an influx of new attacks.
In 2021, 36 per cent of organizations say the volume of cyber attacks has increased during the pandemic. That’s an increase from 29 per cent that said the same thing one year ago. About half of the organizations feel that the volume of attacks has stayed the same, and only three per cent say the volume has decreased.
Chart: The volume of cyber attacks has increased during the pandemic (2021: 36% yes; 2020: 29% yes). Over three in ten indicate that the volume of cyber attacks has increased during the pandemic, up from 29 per cent last year.
From the insurer’s perspective, the rise in applicants and their perceived levels of risk creates a situation where insurance providers can be pickier about who they cover, and what requirements they can ask of their clients. As a result, cybersecurity insurance often requires customers to put in place security measures that are regularly audited by third parties.
Most organizations with cybersecurity insurance report their provider has made a change over the past year, according to CIRA’s survey. The most common changes include increased premiums (reported by 35 per cent), requests for new forms of proof/verification of cybersecurity measures being in place (34 per cent), and changed eligibility requirements for obtaining/renewing coverage (29 per cent). About one-quarter also reported reduced reimbursement amounts for ransomware attacks.
The most common changes are increased premiums and new proof/verification of security measures in place.
The changes reported in the survey mirror reports of rising insurance rates and tougher coverage requirements coming out of the U.S., as reported by CTV News. The changes also reflect the accumulated wisdom of insurers who realize that simple and low-cost security controls such as multi-factor authentication requirements and consistent backups are all that’s needed to avoid the majority of losses realized.
Stepping back and taking a wider perspective of the cybersecurity insurance picture shows an industry that’s still emergent and still agreeing on the standards. The increased risk environment puts the power in the hands of insurers, who can demand higher premiums from customers while putting more escape clauses in their contracts. Some insurance holders may be told they won’t be covered for damages caused by an insider threat, or by errantly configured cloud storage that’s publicly exposed.
That leaves some companies wondering either whether it’s worth buying cybersecurity insurance, or whether it’s worth continuing to pay rising premiums. Weighing the potential impacts of a cybersecurity attack against the difficulty in securing it and the costs of recovery may help with the calculus of buying a policy.
The first consideration may be: which parts of your organization are likely to be affected by a hack?
Most organizations affected by an attack say both end-user devices and network infrastructures and databases were impacted most often, according to CIRA’s survey. Overall, 57 per cent of organizations that experienced cyber attacks say they had a negative impact. When asked what services were most commonly affected by negative attacks, 30 per cent of organizations say that network infrastructure and databases were negatively affected by at least half of the attacks. For desktops and individual devices, 31 per cent of organizations say they are impacted by at least half of the attacks. Only one in five organizations say user and customer data is impacted by at least half of the attacks.
Next comes the negative impacts resulting from an attack, including direct costs.
Among organizations that faced at least one cyber attack in the past 12 months, one in three organizations say an attack prevented employees from carrying out day-to-day work. About one in five had to pay repair or recovery costs to suppliers, one in five reported damage to their reputation, and 18 per cent reported a loss of revenue.
One-third cite tying up employees’ time. 19 per cent cite reputational damage, up from 6 per cent in 2018.
Considering the growing number of cyber threats and the ballooning costs of being hit with an attack, the decision about whether to buy cybersecurity insurance likely carries the same logic as the maxim at the start of this piece: it’s not if you should buy cybersecurity insurance, it’s whether you can get it and how much you can get.
To learn more about what cybersecurity insurance covers and why organizations should consider it, be sure to check out this CIRA guest blog from insurance defence and coverage lawyer Mikel Pearce.