Possession of any party's personal information, such as phone numbers, credit card details, and birth dates, must be safeguarded. A lost or stolen laptop containing a vendor or customer's information or a virtual thief from the other side of the world who is hacking into a computer, phishing scams, or ransomware are examples of adverse events that are occurring daily. Standard property and liability policies exclude damage and liability from these kinds of events. Specialty policies offer coverage that can be customized to fit the needs of an organization.  

Commercial cyber insurance is a type of business insurance designed to protect a business' liability for data breaches related to customers' personal or sensitive business information. Cyber insurance provides protection and coverage for the security and privacy of digital information and data should your business or organization be a victim of a cyber breach.  

Every business can benefit from commercial cyber insurance because, today, pretty much every single company or individual conducts at least some of their business online, which makes them vulnerable to cyber-attacks. If you sell products through e-commerce or maintain electronic customers' records, you should carry cyber insurance to protect your organization from risk. A breach of the systems containing this personal and commercial information can be extremely time-consuming and costly.  

• Payment Information: This is one of the most common types of information that is targeted by cyber criminals, for obvious reasons. Most businesses receive and/or send at least some payments online, and may store their customers' payment information in their systems for ease of use or recurring payments. Payment information can include credit card numbers, bank account numbers, and more.  
• Personal Identifiable Information: When people think of personal identifiable information, they typically think of passport numbers, social insurance numbers, birth certificate information, and so on—and that data certainly qualifies as personal identifiable information. However, this category also includes data such as names, addresses, phone numbers, passwords, account balances, account histories, education records, and other information that allows for an individual's identity to be inferred.  
• Personal Health Information: Any company or organization that handles personal health information is already well aware that it is highly confidential. Cybercriminals can target this type of data for a variety of reasons. Personal health information is essentially medical records, including data such as health status, diagnostic information, recommended and/or applied treatments, health insurance, and payment for health care. 
• Confidential or Protected Information: A wide range of information could be considered confidential and/or protected, such as trade secrets, designs, recipes, formulas, business forecasts, records, methods or techniques, and research data.  

Suppose you use a third-party service such as a data center or cloud provider to store and/or transmit sensitive information. In that case, clarifying that with your insurance broker is essential. This could include services such as data back-up or processing, infrastructure as a service, co-location, software, cloud services and more. Some insurance companies may offer options for commercial cyber insurance coverage that applies to a computer system operated for the benefit of the insured by a third party. There is typically a distinction between a computer system that is operated by a third party solely for the insured and a shared computer system that is operated for the benefit of the insured under a written contract, so it's necessary to know which situation you're dealing with when you speak to your broker.  

Commercial cyber insurance is a fairly specialized coverage designed to address risk exposures related to cyber-attacks. People sometimes have the misconception that it applies to anything that happens with computers or the internet, but that's not the case. For example, suppose your employee hacks your system, embezzles money or purposefully causes damage to your data or computer systems. In that case, your commercial cyber insurance will not cover those losses but employee dishonesty coverage on your business insurance policy.  

How you store and handle certain types of data can also influence whether you can file a claim on your commercial cyber insurance. Canadian business owners should be aware that there are regulations concerning the safe storage of payment information, and you will not be eligible for a commercial cyber insurance claim if your business is not in compliance with those regulations. 

Another example of something that people may assume is covered by commercial cyber insurance, but actually is not covered, is damage to computer systems or a loss of data that is caused by a power surge, mechanical failure or operator error. Those types of losses fall under equipment breakdown coverage, which is a type of commercial property insurance.  

Both standalone policies and endorsements added to an existing business insurance policy are possible for commercial cyber insurance. While a typical business insurance policy does not include business cyber insurance coverage, it can be added on as an endorsement. However, the scope and limits of the coverage provided by an endorsement are usually not sufficient to allow business owners to avoid paying out of pocket for at least some of the costs they could incur in the aftermath of a cyber attack. A standalone policy for Ontario commercial cyber insurance will generally provide more extensive coverage and the option for higher limits, so it's a better choice for those who are vulnerable to losing a significant amount of money as a result of a cyber attack.  

They aren't exactly the same, though this is a fairly common misconception because the names make them sound like they offer the same coverage. While they are similar, commercial cyber insurance applies to both first-party and third-party damages, meaning that it would apply to the costs of cyber incidents that affect your own data as well as cyber incidents that affect the data of a third party or parties such as your customers. Data breach insurance, on the other hand, applies only to first-party losses related to damage or theft of your data. Since commercial businesses rarely deal with just first-party data, commercial cyber insurance is usually the best option for a business owner. 

This is another common misconception. Technology errors and omissions insurance is a type of professional liability insurance that applies to losses caused by errors, negligence, and other factors related to technological products or technology-based services. It does not provide coverage for losses caused by the theft or extortion of third-party data, which is covered by Ontario commercial cyber insurance.  

Some business owners don't worry about preventative cyber security measures once they have commercial cyber insurance in place, but the truth is, both are necessary, and they don't play the same role in protecting you and your businesses against the consequences of a serious cyber attack. Preventative measures such as encryption, firewalls, information security services, educating employees about phishing attempts and more are designed to stop a cyber attack from occurring by making it much more difficult to access your system and take sensitive, protected or confidential data. This is, without a doubt, the preferred scenario because it means you don't have to deal with any of the stress and hassle of potential financial losses—not to mention reputational damage to your business, which is not easy to mitigate. There are many easy-to-implement cyber security tips for businesses that will save you time and frustration later.  

On the other hand, commercial cyber insurance in Ontario is designed to help you handle the aftermath of a cyber attack. It makes it possible for you to receive insurance compensation for various liability-related costs that pertain to data breaches and more. Suppose your cyber security measures fail and information is taken from you. In that case, you'll need financial assistance to handle expenses such as attorney fees, settlements, the cost of notifying affected third parties that a data breach has occurred and much more. However, there are some consequences of a cyber attack that can't simply be erased with Ontario commercial cyber insurance coverage, so it's still essential to take steps to prevent data breaches from happening in the first place. 

Some insurance companies offer advice and other services that assist with preventative cyber security and help their clients avoid cyber risks, either for free or at a discounted rate. That could include information security consulting, assessments of your current cyber security measures, and cyber awareness training. Your insurer may also be able to provide you with a list of approved vendors who offer cybersecurity assistance that meets or exceeds the insurance company's expectations for adequate information security practices. Consult with your Morison Insurance broker to learn more about discounts or offers available to you through your commercial cyber insurance provider. 

Absolutely. Many small business owners need to consider getting commercial cyber insurance coverage, even if they transfer money or transmit and store private information. They assume their business is too small to be targeted by cybercriminals, which makes it an even more tempting target.  

Large businesses with hundreds of employees or franchise chains with corporate head offices are likelier to have their own information technology department, often with in-house cyber security specialists. That means they are a lot more protected and more challenging to hack than a small business with little to no cyber security protection, and hackers, phishers and other types of cybercriminals are keenly aware of that fact. They are more likely to attack a small, unprotected business and get what they can before quickly moving on to the next business than they are to spend a lot of time and resources trying to get around the ironclad security measures that large companies and organizations have in place.