Cyber attacks: Are you covered?
Include cyber insurance as part of a risk mitigation strategy.
Cyber attacks are on the rise. Of the various threats aimed at manufacturers, ransomware continues to be among the most common. The ease with which sophisticated attackers can infect entire networks to quickly paralyze operations has led to a surge in ransom amounts.
Faced with continuously evolving threats, it’s difficult, if not impossible, for companies to completely eliminate the risk of becoming victimized. That’s why it’s important to deal with attacks quickly and efficiently. One of the ways to do so is through cyber insurance, which has become an essential part of any risk mitigation strategy.
Most policies will offer general coverage for extortion, including the ransom payment and services of specialists such as forensic and communications firms. Typically, specialists recommended by insurance providers have been carefully vetted for their expertise and have pre-negotiated rates.
Insurers typically appoint a lawyer specializing in cybersecurity and privacy law. This breach coach will take leadership of the incident response, including coordinating between the various internal and external teams, asserting legal privilege on all communications and documents, and navigating potential reporting and notification obligations. This further protects the insured in the event of an attack that results in a third-party lawsuit.
Basic coverage under a typical policy includes first party costs from expenses relating to various components of the incident response and remediation efforts, such as the following:
- Cyber extortion. Ransomware attacks typically involve a ransom demand in exchange for a decryption key that allows the victim to recover data. The amounts demanded vary widely, but can be significant.
- Forensic investigation. Systems must be secure before being brought back online. This entails an investigation to determine the cause and scope of the breach. This also helps determine whether a company is subject to any reporting or notification requirements under Canadian privacy law.
- Data restoration. Opting not to pay the ransom and restoring networks from backups or from scratch (or paying the ransom, but data is lost) will likely lead to costs associated with restoring systems to the pre-attack state.
- Notification costs. Under Canadian privacy legislation, companies may be required to notify affected individuals in the event of attacks involving a risk of harm due to data theft or unauthorized access. Costs include the mailing of notification letters, credit monitoring services and call centre services.
- Business interruption. Ransomware attacks often have a paralyzing effect leading to loss of income. Business interruption coverage helps recover income lost during an attack and the period of restoration.
- Crisis management costs. Reputational harm is another aspect of cyber attacks. Having access to a team of experts trained to respond to the media and other inquiries helps alleviate some of the potential damage and reduce the likelihood of a third party lawsuit.
Basic cyber insurance also covers third party costs (liability coverage). This includes costs incurred for damages caused to the third parties as a result of an attack, such as:
Network security liability. In the event of a cyber attack, the policyholder could incur damages and claims resulting from unauthorized access to (or disruption of) its network using malware, phishing and other techniques leading to a loss.
Privacy liability. Privacy issues are increasingly important, especially when they entail the unauthorized access or exfiltration of personal information. Cases of class action litigation have risen steadily in Canada over several years.
The continuously evolving sophistication of attacks combined with increasing regulatory scrutiny and data protection legislation means companies must be equipped to respond. A comprehensive cyber insurance policy provides rapid access to vetted cybersecurity experts and some monetary relief from the increasing costs associated with cyber attacks.
Imran Ahmad – firstname.lastname@example.org, (416) 863-4329) – is a partner and Katherine Barbacki – email@example.com, (514) 982-4138 – is an associate at the law firm Blake, Cassels & Graydon LLP. Both practice in the area of cybersecurity, privacy and technology law. Jelena Cvetkovic – firstname.lastname@example.org, (416) 915-6928) – is the specialty claims manager and Julie Morand – email@example.com, (416) 542-7435) – is a specialty claims analyst at CNA Insurance.
This feature originally appeared in the October 2020 print issue of PLANT Magazine.