The Canadian cyber-risk insurance market is relatively young. The idea of transferring the risks associated with the cyber-world came to light at the turn of the last century as fears of the Y2K bug raged. This rapidly evolving market is constantly adapting to new realities such as artificial intelligence, the internet, and crypto-currency or block chains. At the preserve of large companies and organizations, cyber-risk insurance has become accessible to small and medium-sized businesses, for which it is now an essential element in risk management.
Although most insurers now offer more or less comprehensive cyber-risk insurance products, some specialty insurers are able to offer stand-alone insurance contracts with the most extensive coverage.
Generally, these insurance contracts include two types of coverage: third-party liability coverage and first party coverage for damage suffered by the insured.
Third-party liability coverage protects the insured against claims from third parties alleging that they have suffered damage as a result of the insured. The most common are:
- Network Security and Privacy Liability: The loss or unauthorized disclosure of personal information, the inability of authorized third parties to access the insured’s operating system, the transmission of malicious code, the damage or loss of third party data under the care, custody and control of the insured, the failure to promptly disclose a network security breach or the liability of others when the insured entrusts data to a third party (e.g., hosting);
- Media and Advertising Liability: Personal injury, violation of copyright or other intellectual property rights or any other reprehensible act relating to objects published on the insured’s website.
Some contracts also provide for coverage of legal costs related to a regulatory claim, and fines or penalties related to the payment card industry. Although liability for network security is usually limited to pecuniary damage, it may sometimes extend to physical injury or material damage resulting from a breach of network security.
Although civil liability coverages are the core of cyber-risk insurance policies, the various coverages for damage suffered by the insured that have been added in recent years are no less important. They meet increasingly essential protection needs (e. g. the growing scourge of ransom attacks). Here are the most common ones:
- Services and fees related to a privacy breach (e.g., appraisal fees, notification fees, credit monitoring);
- Brand protection/crisis management costs;
- Threats of extortion (e.g. ransom);
- Business interruptions/ Additional costs;
- Data protection and system restoration;
- Reward expenses;
- Social engineering fraud (also known;
- Computer fraud;
- Fraudulent funds transfers.
There is a tendency to amalgamate coverage that has traditionally been found in “Property” (e.g. business interruption) or “Crime” (e.g. social engineering fraud) insurance policies. But be wary, even if the coverage goals are similar, coverage is not triggered in the same way in a cyber-risk insurance policy. We will examine these differences in our next column.