My name is Mark Goodfield. Welcome to The Blunt Bean Counter ™, a blog that shares my thoughts on income taxes, finance and the psychology of money. I am a Chartered Professional Accountant. This blog is meant for everyone, but in particular for high net worth individuals and owners of private corporations. My posts are blunt, opinionated and even have a twist of humour/sarcasm. You've been warned. Please note the blog posts are time sensitive and subject to changes in legislation or law.

Monday, January 16, 2017

What Small Business Owners Need to Know - Cyber Insurance Should be Part of Your Insurance Coverage

When I look back five or ten years, I am just astounded by the pace of change, both technologically and otherwise. The impact of these changes on how I practice and how my client's conduct their business affairs are truly astonishing.

When Katy Basi wrote a guest blog post in 2014 on New Will Provisions for the 21st Century - Reproductive Assets, I remember saying to myself, this is incredible, we now have to consider reproductive assets in our wills.

Today, I have the same feeling. Eddie Kehoe of RDA Insurance is writing on the need for cyber insurance. Who the heck would have ever envisioned such a need ten years ago. Maybe you would have, but I certainly did not.

Anyways, if you own your own business, you should carefully read this blog post and consider whether you need cyber insurance if you do not already have such insurance in place.

Cyber Insurance Should be Part of Your Insurance Coverage 

By Eddie Kehoe

If I was to ask you to consider purchasing a cyber insurance policy for your business, your first response – more than likely – would be “why do I need this, I’m not Target, Sony or Home Depot?”. Many of us have learned about cyber-attacks from the high profile breaches reported on CNN and the other news networks. What the news networks don’t often report is that breaches are occurring to smaller business every minute in Canada today. In addition, since the protection and firewalls of Multi-National corporations are often very good, cyber attackers often attack these companies indirectly through Trojan horses carried in by their smaller suppliers. I would suggest your business is likely out of business if your company indirectly led to an attack on one of these large companies.

The International Cyber Security Protection Alliance Statistics reported, in 2013, that businesses with less than 250 employees accounted for 31% of the total data breaches reported. Another misconception is that hackers are responsible for all cyber and data breaches. A 2016 NetDiligence Cyber Claims Study reports that insider involvement accounted for 30% of the incidents, hackers caused 23%, malware/virus 21% and third parties (vendors) 13% of incidents. In short, humans are the weak link!

Virtually every business sector is vulnerable; Healthcare (19%) and professional services (13%) were the most breached sectors followed by non-profit (11%), financial services and retail (10% each), with the manufacturing and construction industries trailing not far behind.

Theses breaches can cost your business many thousands of dollars along with its good reputation. Impending changes to Canada’s Personal Information Protection and Electronic Documents (PIPEDA) will carry the biggest penalty to many. From 2017 (exact date yet to be determined) PIPEDA will hold companies responsible for the mandatory notification to individuals that their personal information has been compromised following a data breach. No matter the severity of the breach, all clients must be notified. Insurance companies estimate that the average cost per notification is in the region of $2 per individual. So, if your business is amongst the 68% of Canadian businesses holding the personal information of others the cost to notify these individuals is not an insignificant amount.

Is Your Company Prepared for a Cyber Attack?

If you still believe that a cyber-attack presents little or no threat to your business, ask yourself the following. How prepared is your company or organization for:

  • Identity theft resulting from lost or stolen SIN numbers or credit cards, driver’s license or financial information?
  • A hacking that results in the theft of confidential information?
  • A lawsuit stemming from a security failure?
  • A lawsuit alleging trademark or copyright infringement?
  • A lawsuit alleging invasion of privacy, defamation, or product disparagement involving information residing as email on laptops, flash drives, servers or on the internet?
  • Business interruption due to a security failure or internet virus?
  • The transfer of an internet virus and the resulting fall out?
  • Cyber extortion?
  • Costs related to privacy notification, crises management and disaster recovery?

Mitigating the Risk of Cyber Breaches and Attacks

So, if we leave organized hacking groups to one side, there is a check list that companies should use to mitigate the possibility of a data breach occurring to them.

Do you:
  • Allow employees to take laptops off site?
  • Allow employees to take paperwork off site?
  • Allow employees to use USB sticks or other portable memory storage?
  •  Allow employees access to social media on computers in the office?
  • Allow sensitive printed materials to leave the office (even if en-route to a meeting)?
  • Vet all company postings on the company website or social media?
  • Erase all data from the hard drives of devices replaced?
  • Ensure that all paper maters are shredded and disposed of adequately?
Now that you’ve identified the potential risk to your company your next question is how can I protect my business? Virtually every insurance company in Canada offers cyber insurance policies of varying limits tailored to meet your company’s specific needs. Theses insurance policies not only pay data breach notification costs, but typically also insure the following:

E-mail liability
Defamation (even on social media), libel, product disparagement and infringement

E-commerce extortion
Coverage paid due to threats regarding an intention to fraudulently transfer funds, destroy data, virus attack, or disclose customer information

Funds transfer fraud
Coverage for loss of money or securities due to a fraudulent transfer.

Network Security Liability 

Third party coverage from a failure of security, including theft of a mobile devices and system intrusion. Coverage extended to outsourced data processing and data storage.

Privacy Breach Liability 

Breach of privacy law or the disclosure of protected and personal data
coverage extends to insured’s employees
proceeding defense and penalties included

Privacy Breach Expenses Includes 

Notification expense
Crises management expense
Credit monitoring and data recovery
Cyber investigation expense

Business Interruption 

Coverage for loss of income and the extra expense incurred to restore operations as a result of a computer system disruption caused by a virus or unauthorized computer attack.

Cyber risk is a very real threat to your business continuity. The statistics and the real life stories show that what you thought was only headline news, may well end up on your door step.

Eddie Kehoe is a commercial insurance broker with RDA Insurance who specializes in cyber insurance. Feel free to contact Eddie directly at or 905-652-8680 Ext 2379.

The above blog post is for general information purposes only and does not constitute insurance or other professional advice or an opinion of any kind. Readers are advised to seek specific insurance advice based on their business circumstances.

This site provides general information on various tax issues and other matters. The information is not intended to constitute professional advice and may not be appropriate for a specific individual or fact situation. It is written by the author solely in their personal capacity and cannot be attributed to the accounting firm with which they are affiliated. It is not intended to constitute professional advice, and neither the author nor the firm with which the author is associated shall accept any liability in respect of any reliance on the information contained herein. Readers should always consult with their professional advisors in respect of their particular situation.

No comments:

Post a Comment