Most business owners understand very clearly why commercial business insurance is so important. You wouldn’t leave your home uninsured, and your business is potentially more valuable and exposed to a much broader range of risks than you face in your personal life. But many business owners understand how critical it is to have the right cyber insurance coverage in place as part of their business insurance program.
There are a lot of common myths and misconceptions out there about cyber insurance policies. As a business owner, it’s in your best interests to know what’s a myth and what’s a reality so you can make an informed decision about your commercial insurance coverage and ensure you have the financial protection necessary to avoid the significant setbacks resulting from a cyber attack. We’ve debunked some of the most common cyber insurance myths below to help you do that.
REALITY: Ironically, this is one of the most common beliefs about cyber incidents, and it’s not true. But even people who believe cyber attacks are a real threat to their business are often surprised by how common they are. According to the 2020 Cyberthreat Defense Report by CyberEdge Group, 78% of Canadian businesses were affected by cyber incidents in 2020—and that figure rose to 85.7% in 2021. In their 2023 Cyberthreat Defense Report, CyberEdge Group reported that 37.5% of Canadian organizations were targeted by six or more successful attacks in 12 months. These numbers reveal that attacks are far from uncommon: your business is far more likely to be targeted than not, and it’s typical for companies to be targeted multiple times a year. It’s also important to remember that some attacks go undetected, so the real numbers are likely even higher than we realize.
REALITY: This cyber insurance myth is false. Small business owners often assume they don’t have to worry as much about attacks—after all, why would cyber criminals bother with a small, independent business when they could focus their attention on bigger targets with more significant potential pay-offs? While sophisticated, elite cybercriminals keep their eyes on the big prizes, many small-time criminals also work on their own to make a few bucks by exploiting honest businesses. Small businesses are the ideal targets for those people because they’re far less likely to have robust IT security measures in place. For that reason, small businesses are certainly not invulnerable to attacks. In many cases, they are more tempting targets than large corporations that pour hundreds of thousands or even millions of dollars into cyber security measures.
REALITY: This cyber insurance myth is simply that, a myth. If you run an online retail shop or some other type of online business that does plenty of financial transactions over the internet, or you store sensitive information like clients’ payment data and identity documents, you’re probably already well aware that you are more likely to be targeted by cyber-attacks. But if you provide your services or products in person and conduct only a portion of your business online, you may think your business is safe. Unfortunately, it’s not. Cybercriminals aren’t just after the obvious stuff like credit card numbers. They’re also looking for information that can be monetized less directly.
For example, just finding out some basic details, such as your employees’ names and contact information, can give cyber criminals the foot in the door they need to carry out a social engineering attack and convince an employee that they should be given money, access or further information. Ransomware attacks are another possibility, in which businesses are paralyzed by having their computer systems locked and forced to pay ransom fees to recover information and access the business needs to function. Even information that seems insignificant to you has the potential to be used against you in ways you wouldn’t necessarily suspect.
REALITY: Commercial general liability (CGL) insurance is an essential building block of almost every business insurance policy, so if you have any business liability coverage at all, it’s safe to say you have commercial general liability. As a result, business owners sometimes assume that their CGL coverage will extend to cyber-attacks and offer them financial protection from litigation and settlement costs should they be sued for a privacy data breach. The experienced commercial brokers at Morison Insurance will unequivocally tell you this is untrue. Commercial general liability applies to situations in which you have legal action brought against you because you or your employee allegedly caused third-party property damage, third-party bodily injury or advertising injury. There’s absolutely nothing in a CGL policy to protect you from the costs of being sued for losing data in your care. But it’s also important to understand that cyber insurance offers more than just basic financial help with attorney fees and other legal costs, bringing us to the following cyber liability myth.
REALITY: This cyber insurance myth is more complicated than simply yes or no. Like any other insurance policy, your cyber coverage will vary according to the insurance company you’re with and how your unique policy is written. That being said, cyber insurance coverage is typically much more than just the ability to access insurance compensation to help with the costs of litigation when you’re sued and the cost of settlements should you be found liable for third-party loss. It also offers proactive, preventative assistance before, during, and after a breach.
That includes assistance with getting a plan in place for how you will proceed in the event of a data breach, including steps such as notifying your clients or customers that a violation has occurred and how to report it to the government. This is important because organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada are legally obligated to do certain things in case of a breach. According to the Office of the Privacy Commissioner of Canada, “Large and small businesses will be subject to PIPEDA requirements to report and notify breaches of security safeguards that pose a real risk of significant harm, and keep records of all breaches of security safeguards.” Those processes may sound relatively straightforward, but they can be a lot more complicated than you think, so having access to professional advice and assistance on how to go about creating a privacy breach response plan is a considerable advantage of cyber coverage that needs to be addressed.
REALITY: Hiring your own in-house information security team is a great cybersecurity tip for businesses that will improve your chances of warding off cyber attacks, detecting attacks early on, and stopping them before they can do severe damage. This step makes excellent sense for larger companies with potentially lucrative targets. But the cold, hard truth is that even the most talented and highly-skilled InfoSec team only makes you somewhat impervious to severe attacks that could significantly affect your business’s bottom line. In the same sense, your home may have steel doors, smash-proof windows and a state-of-the-art security system, but that doesn’t mean there’s no way thieves will ever target you. In some cases, it may increase the interest of thieves because it indicates that something inside is well worth stealing.
Cybercriminals make their money by staying at least one step ahead of the game at all times, and some of them are indeed on the cutting edge of hacking technology and phishing or whaling methods. Having a solid team standing behind your company is excellent, but it’s not foolproof. In fact, any security team professional who knows their industry will tell you that the most vulnerable part of the system is people, not the software and hardware that protect your data. Calling up a company and tricking an unsuspecting receptionist or customer service representative into turning over information is far easier than launching attacks against firewalls and other digital protective measures.
REALITY: You may outsource those duties to an IT services vendor instead of having an in-house cyber security team. There’s nothing wrong with hiring an IT vendor to deliver InfoSec services, but just like having an in-house team, it doesn’t make you impervious to cyber attacks. Companies are generally responsible for the data they store, so if you choose to keep it with a third-party vendor and it is stolen from them, you’ll still be held responsible. Most IT vendors have contract clauses that seriously limit their liability, even if a breach was caused by their negligence or failure to deliver services as promised, so recouping costs from them following a breach can be next to impossible.
REALITY: The answer to this cyber insurance myth is key. You may have signed a contract with a service provider or site manager that indemnifies you from legal responsibility for breaches. Still, it’s essential to remember that those types of indemnifications don’t always hold up in court as well as we’d like to believe they will. Even if it’s the most perfectly designed, iron-clad contract ever, the fact remains that you’ll still be faced with legal expenses if you have to enforce the contract or defence attorney fees if you’re required to defend yourself in court to prove your indemnification. Those costs can add up fast, and cyber insurance gives you the support you need to deal with them without suffering financial setbacks that could seriously injure your business success.
REALITY: The frequency of cyber attacks is increasing, and it stands to reason that the premiums for cyber liability coverage have also increased. That doesn’t mean it’s not competitively priced or not offering value for cost. The relatively minor expense of cyber insurance coverage is just a drop in the bucket compared to the cost of dealing with a breach. According to Statista, the average data breach cost in Canada in 2022 was USD 5.64 million, or roughly CAD 7.24 million. Of course, that’s an average number, so it doesn’t mean those costs hit every business that suffered a breach. Many were lower, while some exceeded a staggering USD 20 million. But even if your breach “only” costs you $500,000 or a million dollars, it will be far more expensive than cyber insurance coverage. Cyber liability coverage isn’t going to bankrupt your company or cause irreparable damage to your bottom line, but suffering an attack without the financial backing of insurance compensation very well might.
REALITY: It’s not uncommon for business owners to severely underestimate the actual cost of a cyber data breach. There are so many potential costs to consider, from legal defence fees and settlement expenses to ransom payments and the cost of designing and implementing a breach response plan. If you have only the most basic cyber insurance coverage available, you cannot get adequate insurance compensation to cover all your costs. With robust cyber coverage, your insurance company will provide you with financial assistance to deal with all the expenses you may face, including ransom payments for stolen information.
How much cyber coverage does your business need, or do you know of any more cyber insurance myths or questions? Protect yourself from unwanted cyber threats. Call 1-800-463-8074 to speak directly with a qualified commercial insurance broker at Morison Insurance and get insurance coverage that addresses your company’s unique insurance needs.
This content is written by our Morison Insurance team. All information posted is merely for educational and informational purposes. It is not intended as a substitute for professional advice. Should you decide to act upon any information in this article, you do so at your own risk. While the information on this website has been verified to the best of our abilities, we cannot guarantee that there are no mistakes or errors.