Canadian small- and medium-sized businesses are recognizing the need for cybersecurity insurance to cover potential technological attacks on their businesses, market observers say.
“It’s a huge issue,” said Miki Ho, who leads business development for the Coalition insurance company’s Canadian operations.
But, said Danish Yusuf, CEO of Toronto’s Zensurance, with claims only just beginning to roll in due to increases in cybercrime and policies being written for smaller companies, it could take another two years before the market stabilizes.
Indeed, it’s the few large breaches that make news, not the many small ones.
“A $10,000 loss is not newsworthy,” Yusuf said.
IBM Security’s 2020 data breach cost report said 51% of organizations having cyber insurance used claims to cover the cost of third-party consulting and legal services while costs of restitution to victims was covered for 36% of organizations. However, it noted, only 10% of organizations with cyber insurance used claims to cover the cost of ransomware or extortion.
Yusuf said large organizations have the ability to retain security officers as well as lawyers to vet complex policies. One item at issue, he said, is creating policies for smaller companies – the neighbourhood coffee shop or a carpenter, for example – who have a virtual presence yet no protection from online crooks.
Ho agreed, saying simplifying agreements has become key to assisting small- to medium-sized businesses.
Ho said business operators should also try and put themselves into a cybercrook’s shoes. What makes their operation attractive to criminals? He suggested looking at email security, double verifications for logins and making sure employees are educated in how to either spot or preempt cybercrooks.
“As companies employ new technologies, they should be aware of how they’re increasing their risk, expanding their attack surface,” Ho said.
Yusuf said point-of-sale systems could be attacked, making payment impossible. Systems or data could be held for ransom, generally paid via Bitcoin, Yusuf said. Either could in turn lead to brand damage, which would be a further loss.
“Businesses are changing rapidly in this environment,” he said.
What it comes down to, Ho said, is finding a balance between risk and having enough technology to run a company.
Further, Ho said, some policies include putting affected businesses in touch with forensic experts to clear up problems.
When seeking insurance, Yusuf said, businesses should tell their brokers everything and have that confirmed back to them in writing, including any changes that might need to be made.
“It puts your insurance broker on the hot seat to provide you appropriate coverage,” he said.