52 years ago ·
Less than 3% of SMEs have cyber insurance
Businesses are now more reliant than ever on technology to operate, whether they are using remote networks for remote-working, paying suppliers by wire transfer, or storing sensitive data online.
At the same time, two-thirds of small-to-medium-sized businesses in Canada have not been able to spend on technology infrastructure, leaving them even more vulnerable to cyber attacks.
And finally, the number of cybersecurity incidents reported in Canada and across the globe has continued to grow at an alarming pace.
Buying a standalone cyber policy is a smart decision for your business, now more than ever. Here are additional reasons why:
The average cost of data breaches in Canada rose 6.7% in 2020
You get cybersecurity tools and support
For most small-to-medium sized businesses, having a robust in-house IT security team isn’t always possible, or even necessary. But this can leave you without a place to turn in the event that the worst does happen. Cyber insurance is a highly cost-effective way to gain access to the support you need in order to both prevent and respond to cyber events. Most cyber policies come with a number of proactive risk management tools, such as employee cybersecurity training programs. A good policy will also give you access to IT experts, forensic specialists, PR firms, lawyers, and more, often with a nil deductible.
Over half of all cyberattacks are aimed at small-to-medium sized businesses
While the headlines focus on major security breaches at major companies, over half of all cyber attacks are aimed at small businesses; they just don’t make it to the news. What you don’t often hear about is the local law firm that mistakenly transfers $100,000 to a fraudster after being duped by a social engineering scam or the doctor’s office unable to use their computer systems for days because of a destructive malware attack. Cybercriminals see smaller organizations as low-hanging fruit because they often lack the resources necessary to invest in IT security or provide cybersecurity training for their staff, making them an easier target.
Your employees will probably click on something they shouldn’t
The fact remains that humans are the weakest link in the cybersecurity chain no matter how hard we try – approximately three quarters of the cyber claims involve some kind of easily-preventable human error. Theft of funds, ransomware, extortion and non-malicious data breaches usually start with a human error or oversight such as clicking on a phishing link, which then allows cybercriminals to access your systems from the inside.
You aren’t covered under other lines of insurance
Property policies were designed to cover your bricks and mortar, not your digital assets; crime policies rarely cover social engineering scams – a huge source of financial losses for businesses of all sizes. Professional liability policies generally don’t cover the first party costs associated with responding to a cyber event. A good standalone cyber policy is designed to cover the gaps left by traditional insurance policies, and importantly, comes with access to expert cyber claims handlers who are trained to get your business back on track with minimum disruption and financial impact.
Cyber insurance covers far more than just data privacy
Many businesses think that cyber insurance won’t be useful to them because they don’t collect sensitive data. However, more than 50% of cyber claims come from events unrelated to breaches of privacy, and any business that uses technology to operate is vulnerable. Two of the most common sources of cyber claims aren’t related to privacy – funds transfer fraud is often carried out by criminals using fraudulent emails to divert the transfer of funds from a legitimate account to their own, while ransomware can cripple any organization by freezing or damaging business-critical computer systems.
Cyber insurance pays more claims than any other type of insurance
CFC has paid more than 1,500 cyber claims in the last 12 months, a number that eclipses previous years and is steadily growing, and the vast majority of these are from small and medium sized businesses. In fact, it was recently revealed that 99% of cyber insurance claims were paid in 2018, which means cyber has one of the highest claims acceptance rates across all insurance products.
Information like this shows that cyber policies are doing what they set out to do, which is provide broad coverage for a range of technology and privacy-related risks affecting modern businesses, all backed up by proactive risk management and expert incident response and claims handling.
Source: CFC Underwriting
What All Cyber Criminals Know:
Small & Midsize Businesses With Little or No Cybersecurity Are Ideal Targets
- More than half of all cyberattacks are directed at SMEs, and that number is steadily increasing.
- 93 percent of small and midsize enterprises (SMEs) that have experienced a cyber incident reported a severe impact to their business.
- Almost all reported a loss of money and savings.
- 31% reported damage to their reputation, leading to a loss of clients, as well as difficulty attracting new employees and winning new business.
- Nearly half reported an interruption in service that damaged their ability to operate.
- In spite of these figures, less than 3 percent have cyber insurance.
52 years ago ·
The closure of manufacturing plants, restaurants, retail establishments and other places of business to limit the spread of COVID-19 has resulted in significant business interruption losses. Here are some ways to mitigate those interruptions whenever possible:
- Check Insurance Policies
- Have an Emergency Response Plan
- Protect Idle Property
- Implement Cybersecurity Measures
1. Insurance policies
Checking your insurance coverage should be priority number one. The most relevant policies to check for during the coronavirus include:
- Business interruption coverage – to manage against unforeseen effects on your business.
- Portable equipment coverage – for any items your employees need to take home to work.
- Contents insurance – while the office is empty, there’s a higher security risk and potential for burglaries.
- Credit insurance – although less common these days, it helps protect against the eventuality that customers who owe money for products or services do not pay their debts, or who pay them later than agreed.
2. Emergency response plan
Emergency response or contingency plans are key to reducing your exposure to a liability or property claim during a pandemic. If you have an emergency response plan and a business continuity plan, there may be simple changes you can make to reflect recommendations on how your business can respond to COVID-19.
We recommend that you review two specific sections of your emergency plan: your company’s approach to cybersecurity and the steps you have in place to protect your property.
If you don’t already have a plan in place, here are some resources you can consult for guidance:
In general, a strong emergency response plan will:
- Identify and analyze possible exposures to risk, including how a pandemic or any other major adverse situation could impact your business.
- Document a response procedure to manage these risks that reflects international, national and regional standards.
How can I make sure my business property is protected?
When commercial properties are left idle, they face a different set of exposures than when the business is operating normally. There are many things that business owners and site managers can do to keep their properties safe and secure during the COVID-19 shutdown.
- First, inform your insurance broker of the situation. Your broker can provide guidelines in order to safeguard your property (for more information, see our safety tips on theft, vacant and idle properties).
- Consult a specialist before shutting down production or support equipment to make sure that the proper steps are taken.
- Continue preventive maintenance activities for your building and its components according to schedule. If access to your facility is restricted, only continue urgent repairs.
- Ensure mechanical components, such as elevators, receive essential servicing by monitoring them remotely or conducting periodic on-site assessments. This will help reduce the possibility of a loss of essential equipment following a prolonged period of inactivity.
- Monitor fire protection and burglary alarm notification systems. If these systems are not available, you may want to consider periodic on-site assessments.
- Ensure that all maintenance and service elements are taken care of so that the property is prepared for an extended shutdown. For example, set the temperature in the building to around 15C as this helps to prevent sprinkler systems and water pipes from freezing and bursting.
- If a property is vacated, or even just looks empty, it immediately becomes an easier target for vandals and thieves. To mitigate these risks, schedule regular visits and visual check-ups of the site whenever possible.
- Ensure that security devices, like locks and alarms, are operational. If you use human security patrols, increase the frequency of their visits to the property.
- Maintain appropriate lighting around the facility and especially around all entrances because it gives the impression somebody is overseeing the facility even if it’s closed.
- Conduct regular checks of roofs, downspouts, and any outdoor drains to ensure everything is properly maintained.
- Inform your business partners and clients of your decisions.
How can I prevent cargo losses?
The pandemic has disrupted the global supply chain. As a result, cargo is being stored for long periods of time in unattended or improvised storage areas, increasing the likelihood of theft or vandalism.
To help you mitigate losses, we recommend the following control measures:
- Ensure the storage yard is fully secured using chain link fence and adequate lighting.
- Monitor site access at all times.
- Establish and implement a policy requiring permission for vehicles to leave the site.
- Limit access to the shipping paperwork.
More information: Preventing cargo losses
How can I protect my business and my employees working from home?
Because of COVID-19, many businesses have employees working from home – some for the first time. Here are some tips to ensure that your business operations remain secure while your team works remotely.
- Keep up-to-date contact information (including personal and professional phone numbers and emails) for staff, partners, suppliers and the IT team responsible for your online properties.
- Identify the essential operations and services you want to keep running. For example, if you offer an online consulting service, what would you need to maintain a certain level of service with your team working from home? Consider key employees, computer and internet connectivity, phone lines, software, database accessibility, etc.
- For employees who work from home, assess their access needs on a case-by-case basis:
- Work with your IT professionals to secure who can access your network and encrypt confidential information
- Ask your employees to avoid working from unsecured public networks or enable a VPN option for remote network connection to avoid man-in-the-middle attacks
- Enforce a strong password policy and set an automatic inactivity logout
- Ensure endpoint protection for all devices (by installing firewalls, antivirus, and security information and event management (SIEM) software, and disabling USB ports, etc.)
- Provide cybersecurity training to all personnel and reinforce best practices often
- Back up data daily and create a physical backup if the information needs to be quickly retrieved and restored.
- Remind employees that they should not leave laptops or other company material in the car or anywhere else that would increase the risk of theft.
- Ensure confidential data and intellectual property are adequately protected by different layers of security—this is not the time for a data breach.
What is phishing and how can I prevent it?
You should also remind your employees to be aware of phishing or fraudulent attempts to gain personal information by phone or email. If something seems too good to be true, it probably is. Do not click on any suspicious email attachments or give information to anyone. Common phishing emails often:
- Evoke a sense of urgency to act now
- Ask for sensitive information
- Request that you click on a link
- Come in the form of unexpected emails
- Include multiple people on the sender list
- Contain grammatical errors
- Have an uncommon file type or include suspicious attachments
Employees working from home should also be wary of unsolicited calls. If they didn’t initiate the call, they shouldn’t provide or confirm any information, including business addresses or phone numbers, account numbers, or any information about equipment in the office (such as the make or model of the printer, laptop, etc.).
If you’d like more information, check out the Canadian Anti-Fraud Centre and Get Cyber Safe.
Source: Intact Insurance
52 years ago ·
Campuses are filling up again and unfortunately this means an increase in crime – with burglary accounting for half of all crimes on campus. When thefts occur, there can be big expenses to replace stolen property, including laptops, phones and cars, to name a few.
So, how can you protect your belongings while you’re away at school? The first step is to check with us to see if your stuff is covered under your homeowners insurance policy. Some policies will extend coverage to college students temporarily living away from home to attend CEGEP or university full time.
Here are some preventive measures and things to consider:
- If a student is living off campus, renter’s insurance is a good investment to consider. As a parent, your homeowners policy may extend coverage to a student living in a dorm or on-campus apartment.
- Once your student moves into housing unaffiliated with the school, he or she likely needs separate coverage.
- Create an inventory. Record the value of all personal property to determine the right amount of coverage needed in the event of a loss.
- Secure valuable electronics, like TVs and laptops, to stable fixtures with locking mounts in your room so they can’t be easily removed. Also, protect personal electronics with passwords to guard accessibility and discourage theft. The best way to prevent theft is to implement security measures.
- Since identity theft occurs at a greater rate for young adults, ages 16 to 24, it’s worth exploring identity theft coverage.
- Even if the student isn’t bringing a car to campus, parents should opt to keep their student as a driver on their policy.
- If your student drives a friend’s car and has an accident, you’ll want to make sure he or she is covered.
- If you do take the student off the policy, it’s important to add them back onto the policy upon their return home, before they operate the vehicle, even if it’s just for a weekend visit.
- Another factor to consider is that if your college student isn’t driving, canceling their car insurance means they’ll have a coverage gap. And that could affect their future insurance rates.
- If your child owns a car or uses yours during his studies, it’s important that you let us know about this change. In fact, the place of residence and use of the car are key factors in establishing the insurance premium.
College students, and their parents, have enough on their minds. With the right decisions around property and auto insurance, you can eliminate the worry about paying for that dinged-up front bumper or stolen laptop.
Be sure to talk to us about your new family situation so that we can advise you about the best coverage for your circumstances.
52 years ago ·
Most companies purchase general liability insurance to protect themselves from potential lawsuits or claims resulting from accidents or injuries. They also have professional liability insurance to protect themselves against the cost of errors, malpractice or omissions in services provided to their customers.
Why don’t more companies purchase cyber insurance to protect themselves against first- and third-party claims arising from cyber incidents?
Now that the new Personal Information Protection and Electronic Documents Act (“PIPEDA”) has been in effect across Canada for a few months, we wanted to outline some important reasons to get Cyber Insurance to protect your business.
1. DATA BREACHES ARE COSTLY
The average cost of data breaches at Canadian companies is going up. These costs are influenced by the number of records lost, the number of victims who need to be notified, the time it takes to contain the breach and get back to business, post-breach costs (lawyers, public relations, whether outside forensic experts have to be hired), and loss of business. Breach notification rules require businesses that lose sensitive personal data to provide written notification to those individuals that were potentially affected or risk hefty fines and penalties.
Cyber policies can provide cover for the costs associated with providing a breach notice and can also cover the associated regulatory fines and penalties.
2. CYBER INCIDENTS HAPPEN. A LOT
Cybercrime is the fastest growing crime in the world and nearly two-thirds of SMEs have been the victim of a cyber incident. Yet standard property or crime insurance policies can be restrictive in the cover they offer. Furthermore, as large companies get more serious about data security, small businesses are becoming more attractive targets – and the results are often devastating for small business owners.
3. COMPUTERS MAKE OUR LIVES EASIER – AND SO VULNERABLE
Technology systems are critical to your day-to-day operations, from electronic point-of-sale software to back-office workflow management systems. In the event that these systems are brought down, a traditional business interruption policy would likely not respond.
Cyber insurance can provide cover for loss of income and extra expense associated with a cyber event.
4. IT TAKES A VILLAGE
Responding to a cyber incident requires a range of specialists – from IT forensics firms to specialist PR agencies – that help deal with both the immediate aftermath as well as the longer term consequences of a cyber event. Small and medium sized businesses, in particular, are facing an uphill battle; not only are they increasingly being targeted by cybercriminals but they are also unlikely to have the range of required incident response specialists in-house.
5. COVERAGE WORKS
Almost 9 in 10 small and medium-sized businesses say their cyber insurance covered the cybersecurity incidents they suffered, with 87% reporting that their policy performed as expected. From recovering your data to protecting your assets and reputation, proper insurance coverage will ensure your business gets back on its feet quickly.
6. ARE YOU REALLY PROTECTED?
The No. 1 reason for not purchasing a policy is the belief that in-house security people and processes provide all the needed protection, with many businesses still believing they are not actually susceptible. Yet cybersecurity experts’ prevailing message is that cyber incidents are a fundamental fact of life – it’s not a question of if a data breach will happen but when.
For additional information see our Cyber Insurance coverage or contact us for a personal review.
52 years ago ·
With Canada’s new Personal Information Protection and Electronic Documents Act (“PIPEDA”) now in effect, here’s what you need to know:
Who does PIPEDA apply to?
All private sector organizations that collect, use, or disclose personal information in the course of their commercial activities (PIPEDA does not apply to organizations that operate entirely in Alberta, British Columbia, or Quebec).
What does it apply to?
- Personal information that is about an employee of, or an applicant for employment with, the organization and that the organization collects, uses, or discloses in connection with the operation of federal works, undertakings, and businesses; and
- All personal information that flows across provincial or national borders in the course of commercial transactions involving organizations subject to PIPEDA or similar legislation.
- Outside of Canada, PIPEDA applies to foreign organizations with a real and substantial link to Canada that collect, use, or disclose the personal information of Canadians in the course of their commercial activities.
What information falls under PIPEDA?
- Age, name, ID numbers, income, ethnic origin, or blood type
- Opinions, evaluations, comments, social status, or disciplinary actions
- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and merchant, intentions (for example, to acquire goods or services, or change jobs).
When to Report
- The Regulations require organizations to conduct a risk assessment to determine whether the breach poses a “real risk of significant harm” to affected individuals, considering both the sensitivity of the compromised information and the probability that it will be misused.
- “Significant harm” may include humiliation; damage to reputation or relationships; identity theft; bodily harm; loss of employment, business or professional opportunities; financial loss; and damage to or loss of property.
Who to report to
- Provide notice to affected individuals and to the Privacy Commissioner “as soon as feasible” – no set time limit is specified. Similar to the GDPR’s approach, the Regulations allow for updating of a breach report as additional information becomes available.
- Maintain a record of every security incident for 24 months after “the day on which the organization determines that the breach has occurred.” The records must be made available to the Commissioner and contain enough detail to allow the Commissioner to verify the organization’s compliance with applicable requirements.
- Organizations are not expected to report all breaches (but recall, organizations are required to keep a record of all breaches).
Failure to report a breach or to maintain required records is an offence under PIPEDA and non-compliance is punishable by a fine of up to $100,000 per offence. With respect to individuals, each person not notified will constitute a separate offence. Not keeping proper records of breaches, or destroying such records, also would constitute an offence subject to the CA$100,000 fine.
Who should report
Generally speaking, the organization that is in control of the personal information involved in the breach must report the breach to the OPC.
For additional information see our Cyber Insurance coverage or contact us for a personal review.