Cyber Insurance: Best practices to fulfill your advisory role and ensure your clients are properly covered

Publication date: December 10, 2024

The situation 

A visibly concerned client contacts you and asks the following question: “Am I covered for data that is lost or corrupted?” In the same breath, he tells you that his transactional website suffered a cyberattack, and he was forced to take his business offline until he could assess potential losses. Due to the size of his company (20 employees) and his line of business (flowers, plants and horticultural products), your client never imagined that he would be the target of a cyberattack … until today.

What does the Civil Code say? 

Your client’s worries are understandable. Under the Civil Code of Québec [1], his business may be held liable if it has not taken the reasonable means at its disposal to protect its clients.

Fortunately, the web hosting provider’s investigation determined that the security and integrity of the personal data held by your client’s business were not compromised. Moreover, the website was down for less than two hours. However, the fact remains that business was disrupted, potential sales were lost, and users suffered an inconvenience that should have been avoided. Not to mention the stress it caused your client. 

What is your ethical responsibility with respect to cyber insurance? 

This story raises several questions. Would the client’s existing policy have covered the data loss or corruption, or would a cyber security endorsement added to the policy have done so? Should you suggest cyber insurance to your client? And if so, how do you ensure that you have properly analyzed his needs, and the coverages required? 

What does cyber insurance cover? [2]

Although policies and terminology vary from one insurer to another, cyber insurance typically covers a number of cyber incidents, including attacks on confidential information, cyber extortion and IT disruptions. Cyber insurance can help cover certain costs resulting from a cyberattack, including legal fees, notification of the affected parties, hiring a firm to investigate the cause of the incident, and recovering damaged or corrupted data.

Two principles govern your ethical obligations in this area:

  • The duty to advise (s. 27 of the Act respecting the distribution of financial products and services): “Insurance representatives must inquire into their clients’ situation to assess their needs. They must ensure to appropriately advise their clients regarding matters that fall within the sectors in which they are authorized to act; if they can, they shall offer their clients a product that meets their needs.” 
  • The obligation to have the required knowledge and abilities (s. 17 of the Code of ethics of damage insurance representatives): “Before accepting a mandate, a damage insurance representative must take into account the limits of his abilities and knowledge and the means available to him. He must not undertake or continue a mandate for which he does not have the necessary skills, without obtaining the proper assistance.” 

With this in mind, here are five best practices that allow you to properly fulfill your advisory role, bridge the information gap between you and your client—who often lacks specialized knowledge on cyber insurance—and add value to the service you provide as a professional. 

1. Advising upstream of the risk  

The question is not “whether” a business will fall victim to a cyber attack but rather “when” it will occur. In other words, zero risk does not exist in either the real world or the virtual world. But are there any best practices to mitigate risk? Definitely.
 
No one expects every damage insurance professional to be an expert in cyber insurance and cyber security. However, it is essential for you to have a basic knowledge of measures that businesses can take to protect their digital assets. Indeed, not a week goes by without news of yet another cyber incident. It is therefore essential to advise clients upstream of the risk, using accurate information and following best practices. Even if you are not an IT specialist, it is important for you to be aware of cyber risks.

This new “insurable good,” cyber risk, does not affect your duty to advise. Actually, you must adapt your advice to the digital world in order to ensure that companies’ business practices take into account the new risks they are now exposed to, and in particular, risks they are unaware of.

And the blind spots are very real, judging by insureds’ levels of interest in and knowledge of cyber insurance. The results of a survey on this issue, published in an article in the Portail de l’assurance [in French only] showed that: 

  • 70% of respondents polled regarding cyber insurance say that they do not understand the risk factors;
  • 57% do not understand the nature of the coverage offered; 
  • 40% find that the underwriting process is too complicated.  

What matters is enabling clients to understand the risks they face, be aware of the potential consequences of not purchasing coverage they were advised to buy and take all the time they need to make informed decisions. 

2. Understanding the client’s business practices 

Unsurprisingly, the human factor remains the reason for 90% of security breaches [3]. Since the majority of cyberattacks and claims result from exploiting vulnerabilities for which solutions already exist, a good starting point when evaluating the client’s needs is to ask about their current business practices.

Asking questions is the royal road to success. Here are a few examples of such questions: 

  • Do you have a cyber security policy and are your clients aware of it? 
  • Do you apply vendor-recommended software updates and security patches promptly?
  • Do you periodically back up the data held on your workstations and online (in the cloud), and have you tested restoring from those backups?
  • What type of data do you keep? Is it sensitive data?
  • Have you determined who can access which computers and the data they can access? 
  • Do you require strong passwords and multi-factor (two-step) authentication?
  • Do you encrypt your data as well as the contents of your desktops and laptops? 
  • Does your transactional website use HTTPS (TLS) to encrypt the data exchanged between the client’s browser and your server?
  • Do you use a spam filter and a firewall? 
  • Do you periodically do penetration testing?
  • Do your employees receive regular training on preventive measures they should implement?

These questions and their answers allow you to identify many of your client’s needs, both in terms of the best business practices to implement as well as the need to purchase cyber insurance, if applicable. You are acting as an effective advisor by reminding your clients that every practice they use to shield their operations, hardware and IT infrastructure from attack is an undeniable asset that will lower their risks and protect their stakeholders. These practices could even help lower their insurance premiums. 

There is nothing like a conversation to take your advisory role to the next level and increase its added value:

  • Ask open-ended questions to go beyond the needs the client has expressed.
  • Listen to the client and pick up on his comments in order to put his various business issues and challenges into perspective. 
  • Be transparent about the cyber insurance market: not all insurers offer this product. In addition, products may have limits and exclusions (not all clients will be accepted), and certain recommendations may have to be implemented. 
  • Tell the client that he must answer a questionnaire when purchasing the product and explain that he will need complete, up-to-date information to do so. The client will also have to understand his IT environment or ask for support from an IT specialist familiar with the company’s systems.

3. Take legal issues into consideration  

Inform your client that since September 2022, the Act respecting the protection of personal information in the private sector [4] requires companies to keep a register of confidentiality incidents that occur and to quickly take measures to reduce the risk of harm to the persons concerned. The company must also notify the Commission d’accès à l’information and the persons concerned of any confidentiality incident that poses a serious risk of harm.

The added value of your duty to advise goes beyond simply offering the best coverage. It also lies in the quality of the information you provide to enable the client to make an informed decision with regard to his business and legal issues.

4. Explain using real-life cases  

Since a business’s reliance on technology (such as e-commerce solutions) and on digital services (such as cloud computing) exposes the client to cyber security risks, tell your client this story, about a real-life incident that befell an SMB in Quebec [article in French only]. In the spring of 2021, a ransomware attack paralyzed the company just as they were about to purchase a cyber risk insurance policy. The policy cost $20,000; the company evaluated that the attack cost them $250,000. 

And just to show that no one is safe, the ransomware attack that paralyzed Colonial Pipeline, a company that transports almost 45% of fuel consumed on the eastern U.S. seaboard, resulted in the total interruption of the pipeline’s operations, a state of emergency declaration, and a ransom payment of $4.4 million. 

5. Recognize and respect your limits  

By the end of this conversation, not only will you better understand your client’s needs, while having demonstrated the added value of your services, but you will also know a lot more about the client himself and his business. The time has now come to explain what cyber insurance is, its special features, advantages, limits and exclusions, and how it can be integrated into the client’s insurance portfolio.

Remember, though, that you are offering cyber insurance, a complex product that demands specialized knowledge. You must therefore: 

  • Hold the appropriate certification in commercial-lines insurance;
  • Have the technical skills required to be able to assess cyber risk, or rely on the help of a specialist to do so; 
  • Have a sufficient grasp of the client’s area of business (agriculture, transportation, construction, etc.);
  • Understand the policies you recommend (features, definitions, coverages, limits, exclusions). 

Making an informed decision on cyber insurance requires a shared understanding of what the policy includes, the coverage offered, any exclusions and the benefits to the client in terms of his needs and circumstances. An informed decision is based on good communication, regardless of the details of the insurance product.


[1] Every person and every organization is bound by civil liability, in other words, “the duty to abide by the rules of conduct incumbent on him, according to the circumstances, usage or law, so as not to cause injury to another.” (Art. 1457, Civil Code of Québec).

[2] Government of Canada and the Insurance Bureau of Canada. “Does your small business need cyber insurance?” Get Cyber Safe Campaign, https://www.getcybersafe.gc.ca/

[3] IBM Security. Cost of a Data Breach Report 2022, https://www.ibm.com/. 

[4] A business may collect only the information necessary for the purposes determined before collecting it (s. 5 of the Act respecting the protection of personal information in the private sector). Businesses must avoid holding information that is not necessary to them since this increases cyber risks.