With much focus placed on commercial cyber insurance, not enough attention has been directed to personal customers and making sure they’re protected — and know what to do — when a cyber event hits them. And insurers are the key to moving this forward.
Businesses have been wrestling with cyber risk management and how to protect consumers’ personal and confidential information for decades. The responsibility to protect against cyberattacks has largely been put on big business, which have had to get aggressive about their cybersecurity posture due to the extreme financial risk many companies face in the wake of a breach.
Some would argue this focus on business breaches has unintentionally lured consumers into a false sense of security that a breach of personal information or financial fraud resulting from a cyberattack will always be covered by someone else — like a business or their financial institution.
But in 2020, cyberattacks on consumers have been relentless and criminals are widening their targets and tactics to inflict damage like we haven’t seen before. Canadians need to get proactive about managing their own cyber risk hazard level, and they need insurers to help them get there.
Since the beginning of the pandemic in March to late September, the Canadian Anti-Fraud Centre stated it has received 5,242 reports of COVID-19 fraud and nearly 4,000 victims of COVID-19 fraud with a total loss of $6.2 million. A breach of the Canada Revenue Agency in August 2020 led to interruptions in vital government financial assistance and services for thousands of Canadians, as well as the exposure of personally identifiable information.
The Personal Information Protection and Electronic Documents Act (PIPEDA) provides tight guidelines for breached or compromised consumer information by businesses in Canada but does not respond to how individuals manage their own information or another person’s information on a non-commercial basis. This uncertainty leaves Canadians without a clear process for determining how a “data” or “personal information” crime has occurred, how to handle a crime that has occurred and how they can receive restitution for the crime that has been committed against them.
Every attack is different and the grey area in responsibility for crime restitution is growing larger by the day.
As insurance professionals, we need to remember that the traditional claims that we know can also mean that the insured has had a privacy breach that was unknown to them.
Savvy Canadian cyber carriers are providing solutions that go beyond the “Cyber 101” policy of identity theft protection and recognize the broad cyber threat landscape. Carriers have begun including financial fraud and fund transfer fraud, online retail fraud, ransomware, system compromise, cyber extortion, cyberbullying and online harassment remediation into cyber policies. Carriers are also partnering with cyber risk services providers to reduce their clients’ exposure through ongoing education and expert support through the emotional and financial aspects of incident forensics and recovery.
As our clients continue to work and learn from home and order more goods and services online, insurance professionals must expand their coverage portfolios to offer solutions that help insureds understand their personal exposure and put plans in place to reduce the risk of an attack.
This coverage is now a “must have” for everyday consumers — not just businesses—and insurers can and should empower them to take control of their largest risk landscape: Their digital lives.
Jephunneh Lattiboudeaire is head of Canadian business development at CyberScout.