Cyber Claims Management

In 2018, the average cost of a data breach in Canada was almost $5 million, and the average cost to an organization to detect and contain a breach (often including investigations, assessments, audits, and crisis management) is $1.78 million. Similarly, the Australian Government's Australian Cyber Security Centre (ACSC), which works to improve cyber security across AustraliaAustralia, responded to 2,226 cyber claims and received 59,806 cyber crime reports at an average of 164 reports per day from June 2019 to June 2020.

Generally, cybersecurity is handled in an upfront manner, with companies protecting themselves from cyber attackscyberattacks with firewalls, endpoint tools, and network and data cybersecurity solutions to stop attacks before they can breach a company and reach any of their sensitive data. However, with the proliferation of attacks and the increase in infrastructure and technology of both insurance companies and cyber threats, the possibility of cyber threats is becoming more commonplace. With this increase has come a shiftchange in the market, seeingwith thea rise of in cyber claims management, or cyber insurance, protecting companies from losses and liabilities incurred from attacks and data breaches.

In the case of cyberCyber insurance, previousprior to 2020, this has been an expensive form of insurance to offer companies. Largely, the cost has come inas the need for claims professionals to be experts in the cybersecurity industry, which is a fastquickly evolving sector compared towith traditional insurance sectors. But, withWith the increase of insurance technologies, including automated claim management systems and an evolved understanding of the cyber-threat landscape, more companies have developed cyber insurance products. Part of this has been due to a realization that companies do not require legal or IT services in the majority part of cyber claims handling, and; rather, these are only necessary in specific situations.

PartThe ofincrease in the offeringsoccurrence of cyber insurancethreats against organizations is the increasedue in cyber threats against organizationspart andto the overall shift towardstoward online industries and with thea shift towardstoward remote work caused by the COVID-19 pandemic. This has seenresulted in a rapid digitalization of business and has increased an understandingawareness of the cybersecurity vulnerabilities, especially the fragility of home networks and human error.

As with most types of insurance coverage, an organization has to understand what threats they face. For an organization that relies on an online presence and uses e-commerce as a distribution method, the needs will be different than an electronics service provider whichthat carries customers' personal or commercial information. The questions organizations can consider when looking at cyber insurance include:

• What security controls can an organization put in place to reduce risk of having a system compromised?
• What about unencrypted media in the care, custody, or control of an organizationsorganization's third-party service providers?

Generally, cybersecurity is handled in an upfront manner, with companies protecting themselves from cyber attacks with firewalls, endpoint tools, and network and data cybersecurity solutions to stop attacks before they can breach a company and reach any of their sensitive data. However, with the proliferation of attacks and the increase in infrastructure and technology of both insurance companies and cyber threats, the possibility of cyber threats is becoming more commonplace. With this increase has come a shift in the market, seeing the rise of cyber claims management, or cyber insurance, protecting companies from losses and liabilities incurred from attacks and data breaches.

In the case of cyber insurance, previous to 2020, this has been an expensive form of insurance to offer companies. Largely, the cost has come in the need for claims professionals to be experts in the cybersecurity industry, which is a fast evolving sector compared to traditional insurance sectors. But, with the increase of insurance technologies, including automated claim management systems and an evolved understanding of the cyber-threat landscape, more companies have developed cyber insurance products. Part of this has been a realization that companies do not require legal or IT services in the majority part of cyber claims handling, and rather these are only necessary in specific situations.

Part of the offerings of cyber insurance is the increase in cyber threats against organizations and the overall shift towards online industries and with the shift towards remote work caused by the COVID-19 pandemic. This has seen a rapid digitalization of business and increased an understanding of the cybersecurity vulnerabilities, especially the fragility of home networks and human error.

In 2018, the average cost of a data breach in Canada was almost $5 million, and the average cost to an organization to detect and contain a breach (often including investigations, assessments, audits, and crisis management) is $1.78 million. Similarly, the Australian Government's Australian Cyber Security Centre (ACSC), which works to improve cyber security across Australia, responded to 2,226 cyber claims and received 59,806 cyber crime reports at an average of 164 reports per day from June 2019 to June 2020.

As with most types of insurance coverage, an organization has to understand what threats they face. For an organization that relies on an online presence and uses e-commerce as a distribution method the needs will be different than an electronics service provider which carries customers' personal or commercial information. The questions organizations can consider when looking at cyber insurance include:

• How many records containing personal information does the organization retain or have access to?
• How many records containing sensitive commercial information does an organization retain or have access to?
• What security controls can an organization put in place to reduce risk of having a system compromised
• Do all portable media and computing devices need to be encrypted?
• What about unencrypted media in the care, custody, or control of an organizations third-party service providers?
• Could an organization make a claim if they were unable to detect an intrusion until several months or years had passed?