UNDERSTANDING CYBER INSURANCE: A CRITICAL COMPONENT OF CYBER SECURITY STRATEGY

FOREWORD

As we navigate an increasingly digital world, the importance of cyber security has never been greater. With businesses relying heavily on technology, the threat landscape has expanded, making it crucial for companies to protect themselves against cyberattacks. In risk management, organizations can choose to mitigate, avoid, accept, or transfer a risk. Cyber insurance is part of the transfer option, serving as a safety net for organizations facing the financial repercussions of cyber threats.

The surge in cyber incidents in recent years has underscored the necessity for cyber insurance. In April 2024, Munich Re reported a significant increase in the cost and number of cyberattacks, especially ransomware (costing US$1.1 billion in 2023 against US$567 million in 2022), business email compromise (affecting 22,000 victims and costing US$3 billion between 2021 and 2023), and software supply chain attacks (245,000 incidents and US$45.8 billion in costs in 2023). These attacks have highlighted the devastating financial and operational impact of cyber threats all around the globe. Additionally, evolving regulatory requirements, such as GDPR, PIPEDA and CCPA, have made it imperative for organizations to have adequate coverage in place to avoid hefty fines and legal repercussions.

WHAT IS CYBER INSURANCE?

Cyber insurance is a specialized insurance policy designed to help organizations mitigate the financial risks associated with cyber incidents. Unlike traditional insurance, which covers physical damage and liabilities, cyber insurance focuses mainly on cyber-related events. Common coverage areas include data breaches, ransomware attacks, business interruption, cyber extortion, and legal fees related to regulatory compliance (Quebec’s Law 25, PIPEDA, etc.).

A few examples of cyber-related events covered by a cyber policy are presented in the table below. A full list is available in the Additional Resources section at the end of this document (see Table 1).

Attack Scenario: Breach
Description: An attacker gains unauthorized access to a company’s database and extracts sensitive client data, including names, addresses, and credit card information. The company must notify affected individuals and regulators.
Detailed Description of Coverage: Costs of notifying affected individuals, credit monitoring services, legal fees, and Public Relations expenses to manage the fallout.

Attack Scenario: Ransomware Attack
Description: A company’s files are encrypted by ransomware, rendering critical data inaccessible. The attackers demand a cryptocurrency ransom to restore access. The company must decide whether to pay the ransom or incur the cost of recovery.
Detailed Description of Coverage: Ransom payment (if deemed necessary), forensic investigation costs, data recovery costs, and system restoration fees.

Attack Scenario: Phishing Attack
Description: Employees receive emails that appear legitimate, prompting them to enter sensitive information on a spoofed website. This compromises employee credentials and client data.
Detailed Description of Coverage: Losses from social engineering scams, costs associated with investigation and remediation, and potential liability claims from affected clients.

THE PARADOX OF THE GROWING NEED FOR CYBER INSURANCE

While, as individuals, we rely more and more on technology, our level of risk awareness and risk protection does not follow suit. At home, we use technology for day-to-day activities without necessarily being aware of the risk exposure, even though Canada is one of the most internet-connected countries in the world.

The Internet of Things (IoT), such as connected smart TVs, camera systems, and home automation (lighting, temperature control, audio/video control, door security, etc.) represents a potential gateway for hackers, in addition to the exposures arising from personal laptops, tablets and cell phones.

Most people think that cyber risk stops when they leave the office because it is mainly an enterprise risk. However, even if we feel safer at home, cyber exposure is higher at the individual level. As individuals, our level of personal cyber security is evidently lower than that of an organization.

Hackers are well aware of this and are increasingly targeting individuals. The spoils may be smaller than the ones from an organization, but they are easier to reap. The latest hacking trend is to target wealthy individuals instead of random or ordinary people.

In addition, if attackers manage to gain access to individual connected devices, they may also take control of corporate devices, by creating a bridge between personal and corporate information, for instance by taking control of the second factor of multi-factor authentication (MFA) or by obtaining the user’s credentials.

Moreover, despite the increase in the use of AI, most companies and employees do not fully understand the processes behind it. This can lead to data leaks and a widening of the attack surface.

HOW DOES CYBER INSURANCE WORK?

When a cyber incident occurs, the insurer asks the policyholder several questions that will help the former to establish the context and whether the company is in fact insurable.

Insured organizations must make sure that they can provide the following details:

1. A list of the entity or entities, including named insured or subsidiary, affected by the incident and their locations

2. The status of back-ups, including offsite storage, cloud storage, etc.

3. The total number of endpoints, including servers, workstations, and laptops, which have been affected

4. The confirmation that MFA was enabled on all email accounts and remote access, and the date of implementation

5. How this incident has affected the company, including:

a) The systems affected and the role they play in the insured’s day-to-day business operations

b) The organization’s current level of functionality, expressed in percentage (Corporate vs Plant Operations)

c) If applicable, whether the organization has been able to implement workarounds to carry on operating

d) If applicable, alternative work options employees can resort to in order to mitigate losses, such as training or utilizing annual leave (Please note that staff costs for regular work hours would not ordinarily be eligible for coverage under the Policy.)

6. If a ransom has been demanded, the amount requested and the name of the hacker group

7. The confirmation that a breach coach has been recruited (as recommended)

8. Whether third-party vendors have been instructed to assist the insured with this incident. If so, advise whether tasks are being carried out pursuant to a retainer/contract or at an additional cost to the company

9. If the work is at an additional cost, a list of the tasks being performed and work statements from each vendor for the insurer’s review

10. The company’s other insurance policies in place (crime or otherwise) which may respond to this incident

CHOOSING THE RIGHT CYBER INSURANCE POLICY – THE RIGHT CARRIER

Selecting the appropriate cyber insurance policy requires careful consideration (coverage, retention, limits, etc.). To help organizations, BFL CANADA recommends following these ten essential steps to place cyber insurance:

1. Kick-off: Presentation of cyber insurance coverage and key placement steps

2. Technical Review: Review of existing technical documents and identification of gaps/weaknesses

3. Public Domain Scan: BFL-conducted scan of public domain

4. Insurance Application (UWR Data Update/Collection): Meetings with stakeholders (IT & insurance/risk teams) to collect technical information, including required insurer applications

5. Cyber Placement Discussion: Presentation of cyber insurance profile and discussion about placement strategy versus current technical state (potential IT projects/investments)

6. Market Negotiation: Presentation of the risk to selected carriers and negotiation of terms and conditions (T&C) based on subjectivities

7. Presentation of T&C: Presentation of different market options and selection of the best option

8. Placement Finalization: Document signature, binding, and invoicing

9. Vendor Selection: Interviews with key selected law firms and security firms (DFIR)

10. Risk Improvement: Preparation for next renewal

ROLE OF CYBER SECURITY MEASURES IN INSURANCE

One of the most important aspects of obtaining cyber insurance is demonstrating a robust cyber security posture. Insurers often evaluate an organization’s cyber security measures before providing coverage. Organizations with strong risk management practices, incident response plans, and employee training programs may find it easier to secure coverage at favourable rates. This underscores the importance of investing in proactive cyber security measures, not only to protect sensitive data but also to reduce insurance premiums.

COMMON MISCONCEPTIONS ABOUT CYBER INSURANCE

Several misconceptions about cyber insurance persist, despite its growing importance.

One common myth is that cyber insurance covers all losses associated with a cyber incident. Policies often have limitations and exclusions, which stresses the need for organizations to have comprehensive cyber security strategies alongside insurance. Another misconception is that only large companies require cyber insurance. In fact, small- and medium-sized enterprises are increasingly targeted by cybercriminals, making them equally in need of protection.

While everybody buys property insurance for tangible assets like buildings and equipment, they do not typically purchase it for non-tangible assets, such as digital data and intellectual property, which are just as vulnerable to cyber threats. This common but irrational behaviour applies to organizations as well.

According to BFL CANADA, the largest Canadian private insurance brokerage firm, only 25% of Canadian companies have cyber insurance in place, and less than 1% of individuals currently purchase a personal cyber insurance policy.

CONCLUSION

In a world where cyber threats are omnipresent, cyber insurance plays a crucial role in an organization’s cyber security strategy. By understanding the complexities of cyber insurance and the importance of strong cyber security practices, organizations can better protect themselves against the financial and operational impact of cyber incidents. In 2025, it has become essential for businesses to evaluate their cyber risks and consider appropriate coverage to safeguard their assets and reputation.

BFL CANADA considers insurance a service, not simply a strategy and an expense. We look beyond risk transfer, because cyber risk is a business risk, not an IT risk. Being able to integrate all elements of cyber security into our offering enables our clients to optimize their contracts, eliminate duplication of expenses, improve their maturity posture, quantify their exposure, and streamline the insurance program and incident response process.

ADDITIONAL RESOURCES

For further reading, consider exploring the following resources:

– National Institute of Standards and Technology (NIST) Cybersecurity Framework

– Munich Re

– BFL CANADA—Cyber Risk

If you’re looking for expert advice on cyber insurance options, consider reaching out to a licensed broker specializing in this field.

You can contact cyberpractice@bflcanada.ca for more information.

Table 1 – Cyber-related events covered by a cyber policy

Cyber Attack Scenario: Cyber Extortion
Attack Description: An attacker threatens to release sensitive data unless the organization pays a ransom. The company is under pressure to comply to avoid reputational damage.
Detailed Description of Coverage: Coverage for ransom payment (if deemed necessary), legal fees for negotiating with the attacker, and costs of post-incident security enhancements.

Cyber Attack Scenario: Data Breach
Attack Description: An attacker gains unauthorized access to a company’s database and extracts sensitive client data, including names, addresses, and credit card information. The company must notify affected individuals and regulators.
Detailed Description of Coverage: Costs of notifying affected individuals, credit monitoring services, legal fees, and Public Relations expenses to manage the fallout.

Cyber Attack Scenario: Denial-of-Service (DoS) Attack
Attack Description: A company’s website is flooded with traffic, causing it to crash and become unavailable to clients. The result is lost revenue and damaged reputation.
Detailed Description of Coverage: Business interruption coverage for lost revenue during downtime, as well as costs to mitigate the attack and restore services.

Cyber Attack Scenario: Insider Threat
Attack Description: A disgruntled employee intentionally leaks sensitive company information to competitors or the public, resulting in reputational damage and legal action.
Detailed Description of Coverage: Legal fees to defend against lawsuits, as well as costs associated with investigations and public relations efforts to mitigate damages.

Cyber Attack Scenario: Malware Infection
Attack Description: An employee unknowingly downloads malicious software that compromises the company’s network by stealing data and potentially spreading to other systems.
Detailed Description of Coverage: Costs associated with identifying and removing the malware, system repairs, and potential legal fees resulting from data loss.

Cyber Attack Scenario: Network Failure
Attack Description: A cyber attack exploits vulnerabilities in the company’s network infrastructure, causing widespread outages and disrupting connectivity for employees and clients. The attack may involve manipulation of routing protocols or unauthorized changes to network configurations.
Detailed Description of Coverage: Business interruption coverage for lost revenue during network downtime, costs associated with restoring network functionality, and potential legal costs if client service is compromised.

Cyber Attack Scenario: Phishing Attack
Attack Description: Employees receive emails that appear legitimate, prompting them to enter sensitive information on a spoofed website. This compromises employee credentials and client data.
Detailed Description of Coverage: Losses from social engineering scams, costs associated with investigation and remediation, and potential liability claims from affected clients.

Cyber Attack Scenario: Ransomware Attack
Attack Description: A company’s files are encrypted by ransomware, rendering critical data inaccessible. The attackers demand a cryptocurrency ransom to restore access. The company must decide whether to pay the ransom or incur the cost of recovery.
Detailed Description of Coverage: Ransom payment (if deemed necessary), forensic investigation costs, data recovery costs, and system restoration fees.

Cyber Attack Scenario: Regulatory Compliance
Attack Description: An attacker gains unauthorized access to an organization’s system, compromising sensitive customer data or personal information subject to specific regulatory standards (e.g. GDPR, CCPA, Law 25). The breach results in the organization failing to meet data privacy and security compliance requirements, triggering regulatory investigations, fines, and penalties.
Detailed Description of Coverage: Regulatory compliance coverage includes legal costs to defend against regulatory investigations and actions, as well as coverage for fines and penalties imposed under regulations such as GDPR, CCPA, or Law 25. The policy may also cover the costs of notifying affected individuals and providing necessary credit monitoring or identity protection services. Third-party services, such as public relations support and breach response consultants, may also be covered to manage reputational damage and facilitate compliance recovery efforts.

Cyber Attack Scenario: System Failure
Attack Description: A software vulnerability is exploited, resulting in a system crash that disrupts operations for several days. The disruption impacts revenue and client confidence.
Detailed Description of Coverage: Business interruption coverage for lost revenue during downtime, system recovery costs, and potential legal fees if clients are affected.

Cyber Attack Scenario: Third-Party Data Breach
Attack Description: A provider of cloud storage services suffers a breach that compromises the data of multiple clients. The affected company faces legal claims from clients whose data was exposed.
Detailed Description of Coverage: Liability coverage for legal claims and customer notification costs, as well as remediation and reputation management expenses.

Cyber Attack Scenario: Website Defacement
Attack Description: A hacker gains access to a company’s website and changes the content to display offensive messages. This damages the company’s reputation and misleads clients.
Detailed Description of Coverage: Costs of restoring the website, costs of Public Relations efforts to address the incident, and potential legal costs.
