By Dr. Thomas P. Keenan
Years ago, American radio storyteller Garrison Keillor described Lake Wobegon, the fictional community in which “all the children are above average”. It appears the same rosy view of the world has taken hold of U.S. and Canadian business operators when it comes to evaluating their cybersecurity practices.
According to a study conducted by Ovum Consulting and commissioned by FICO, “a story of overconfidence emerges.”[1] IT managers were asked to rate their companies’ cyber-readiness against competitors. The results suggested that almost everyone thinks they are in great shape.
“From a country-wide perspective,” Ovum reports, “44% of Canadian respondents claim to be top performers (84% say that they are top performers or better than average).” Since this is statistically impossible, there is a clear need for more evolved thinking. Business decision makers tend to understand workers’ compensation and other forms of insurance, but often skimp on one of the most important categories – information and the equipment that keeps it moving.
The report indicates that “close to two-thirds of survey respondents believe that the rate of cyber threats and data breaches will go up in the next 12 months. The rest say the situation will stay the same.” In fact, combining the pessimists with the “stay the same” group yields the amazing statistic that “98% of respondents think the rate of cyberthreats and data breaches will go up or be maintained in the next 12 months.”
In the face of such risk, purchasing insurance might be a logical choice, and there is a wide range of cyber-risk insurance (CRI) available.
However, on the 2017 Ovum survey, 36% of Canadian firms said they had no cyber security insurance, and many others doubted its adequacy to protect them.
Why?
Globally, the Ovum study indicated that 79% of organizations with more than 10,000 employees had CRI coverage. Companies in the 5,000-10,000 employee tier led the way with a CRI take-up rate of 91%. However, analysis shows that many of those cases had inadequate coverage to handle cyber risks.
More important than the gross amount of coverage are the specific clauses of the CRI policy. Some policy holders have been surprised by the things that are excluded – such as paying ransom in a ransomware situation. There may also be sub-limits in policies that come into play.
On its homepage, the Insurance Bureau of Canada (www.ibc.ca) provides questions to help a company decide how much CRI coverage is appropriate. These include:
- How many records containing personal information does your organization retain or have access to?
- How many records containing sensitive commercial information does your organization retain or have access to?
- What security controls can you put in place to reduce risk of having your system compromised?
- Do all portable media and computing devices need to be encrypted?
- What about unencrypted media in the care, custody, or control of your third-party service providers?
- Could you make a claim if you were unable to detect an intrusion until several months or years had passed?
Other relevant issues may include a business’s exposure in other jurisdictions such as Europe, where the General Data Protection Regulation (GDPR) could affect, for example, a North American company. California’s new CPRA privacy legislation will come into force in 2023, and there are similarities to the GDPR.
An important advantage that comes with having proper CRI coverage is the ability to draw on professional resources. Your insurer will almost certainly have contact information for a major computer security firm. Companies that jump in to help a data breach or ransomware victim have high hourly rates, but their expertise can be invaluable. Knowing that the extra expense of bringing them in is covered by insurance goes a long way to calming executive angst.
Policies and coverage vary among insurance companies, so shopping around and asking questions are advised.
An article in the Journal of Accountancy[2] listed important varieties of coverage under the terms one is likely to get from an insurance company:
- Extra expense: covering the costs to continue operations even in a crisis.
- Mysterious disappearance/theft: laptops go astray, are stolen, and get left in taxis.
- Loss of income: this is the “business interruption as a result of computer system failure or destruction” component of computer insurance policies.
- Valuable Papers and Records: covers the cost of research if business data needs to be re-created.
- Temporary Location: this can be vital if you need to move your business to an offsite backup facility.
Advice from experts includes to have a cyber-emergency plan that covers everything from fire and flood, to ransomware attempts, to denial-of-service attacks – and to test the plan regularly. The Ovum report noted that “33% of respondents claim to have prioritized having a tested data-breach response plan in place, 25% say that having a board member responsible for cybersecurity oversight is vitally important, and 21% say their focus is on either monitoring and scoring or reporting strategies.”
In some people’s minds, corporate cyber breaches are no longer a matter of if, but of when.
Dr. Tom Keenan, FCIPS, is a professor in the School of Architecture, Planning and Landscape at the University of Calgary, teaching courses in Smart Communities and Information Technology. He taught Canada’s first computer security course in 1977 and is the author of the best-selling book Technocreep: The Surrender of Privacy and Capitalization of Intimacy.
[1] Kellett, A., Ovum Consulting. 2020. Cybersecurity Survey: Investments, Insurance, and Inflated Confidence, Asset 4863, requestable from www.fico.com
[2] Yudowsky, C. How Good is Your Computer Insurance, Journal of Accountancy, December 31, 1997, accessed at https://www.journalofaccountancy.com/issues/1998/jan/yudkow.html