Frequently Asked Questions About Cybersecurity

At our 2023 discussion panel, Ask Me Anything: Cybersecurity and Cyber Insurance, hosted in partnership with Knight Archer Insurance, we received so many great questions that we ran out of time to answer them all during the event. We did not want to leave these questions unanswered, so below you will find answers to the questions we did not have time to address in person, as well as the questions and answers from the event itself.

What are the top 3 things SMBs can do to protect themselves?

  1. Take time to look at and identify your digital risks. Where are you vulnerable?
  2. Acknowledge the risks and evaluate whether you need to mitigate the risk, transfer the risk, or are okay with accepting the risk.
  3. Set a plan to use internal resources, partners, or other tools like insurance to cover your risks.

Don't hackers only prey on larger businesses?

That is no longer the case. The savviness and determination of bad actors have evolved to the point where they are looking to get into any organization that could give a return. These "hackers" will look for any window of opportunity to insert themselves into an organization's digital environment so they can sit tight and observe. Once they see financial records, customer info, intellectual property, etc., they will strike (or make their "hack" known) when it will give them the biggest return on their investment. Big profit organizations are no longer the only targets. If you own a business, you are a target.

Is an anti-virus product good enough for my computer's security?

Relying solely on an antivirus product for computer security is not enough in today's cybersecurity landscape. While antivirus software plays a crucial role in protecting your computer from known malware and viruses, it has limitations, and modern threats have evolved beyond what traditional antivirus can handle.

You should always take a multi-layered approach to security:

  • Ensure that you have an enterprise-grade firewall in place that has services like Advanced Malware Protection, Cisco Meraki Intrusion Detection and Prevention or equivalent.
  • Investigate the Next-Gen Antivirus solutions that utilize AI for improved detection and response.
  • Add in an MDR (Managed Detection and Response) solution for additional device security.
  • Always protect your users with added Security Awareness Training.

Can you provide a simple explanation of the difference between a threat, a vulnerability, and a risk?

  • Cyber Threat: the possibility of a malicious attempt to damage or disrupt an organization's computer network or collective systems. Anything with the potential to cause serious harm to a computer system, networks, or other digital assets of an organization or individual is a cyber threat.
  • Cyber Vulnerability: a vulnerability is a weakness in the security of a system that can be exploited by an outsider to gain access to, alter, or damage the information or equipment protected by that system. Cybersecurity vulnerabilities can come from many sources, including software flaws and human errors. When cybercriminals find and exploit vulnerabilities in systems, they can gain access to sensitive data or exploit software vulnerabilities to take over computer networks.
  • Cyber Risk: any and all risk associated with financial loss, disruption, or damage to the reputation of an organization from failure, unauthorized use, or erroneous use of its information systems.

In simpler terms, a threat is the potential danger, a vulnerability is the weakness that can be exploited, and a risk is the likelihood and impact of that danger actually becoming a reality. By understanding these concepts, you can better manage and mitigate cybersecurity risks.

What is the most common type of breach currently, and how can I guard against it?

Without a doubt, bad actors are entering environments mostly through human error. Phishing, spear phishing, and malicious software downloads are increasing at a rapid pace. "Think before you click!" is the mantra every organization should be empowering its users with. The easiest way to really get ahead of it is to have consistent user training. MicroAge Regina customers receive bi-monthly security awareness training, followed by bi-monthly simulated phishing emails. This keeps malicious attempts top of mind when users are using their organization's technology assets.

What is the role of government and regulations in shaping cybersecurity strategies?

In both Canada and Saskatchewan, government's involvement and regulations are instrumental in shaping cybersecurity strategies and ensuring that organizations prioritize the protection of sensitive data, critical infrastructure, and the privacy of citizens. Saskatchewan businesses should be aware of and comply with relevant cybersecurity regulations and collaborate with local government to enhance their security posture.

Canada has various laws and regulations related to cybersecurity, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the protection of personal information. Additionally, Canada's Cyber Security Act, introduced in 2021, establishes the Canadian Centre for Cyber Security as a key organization responsible for providing guidance and expertise on cybersecurity. For more information please review: Information for small and medium businesses - Canadian Centre for Cyber Security.

Do you want to continue the conversation about cybersecurity for your organization? Contact us using the form below and our Business Development Manager will reach out to set up a consultation at no cost.

Frequently Asked Questions about Cyber Insurance

What is the difference between the cyber liability extension on my policy and a separate cyber liability policy?

The cyber extension on the policy typically only covers the notification of customers and has limited coverage. It does not provide funds transfer fraud coverage, for example. A separate cyber policy provides higher limits and includes funds transfer fraud along with many other coverages often not included in a cyber extension. Traditional package policies only cover third-party costs, leaving organizations with coverage gaps. Cyber insurance offers holistic coverage, including first-party expenses.

What is the average payout for a cyber claim for a small business? What does insurance cover?

Email compromise can lead to phishing attacks ($89,000 average loss) and funds transfer fraud ($118,000 average loss). Remote collaboration tools and access are easily exploitable and can lead to ransomware (average loss cost $300,000).

Insurance provides 3rd party liability coverage: Network & Information Security Liability, Regulatory Defense & Penalties, Multimedia Content Liability, PCI Fines & Assessments, Bodily Injury & Property Damage and Technology Errors & Omissions.

Insurance provides 1st party loss coverages: Bodily Injury & Property Damage, Pollution, Computer Replacement, Funds Transfer Fraud, Service Fraud, Digital Asset Restoration, Business Interruption & Extra Expenses, Cyber Extortion, Breach Response, Crisis Management & Public Relations.

I have heard the terms First Party and Third-Party coverage. What is the difference?

First Party coverage covers losses the insured or policy holder suffers, such as funds transfer fraud. Insurance pays for the funds transfer losses the insured incurs from a failure in their security or social engineering.

Third party coverage covers damages resulting from your liability: costs that can be assessed against you for a cyber insurance loss. For example, a cyber breach leads to a lawsuit against you because your client lost revenues as a result of the breach.

Can you buy personal cyber insurance as well as commercial?

Yes, you can purchase cyber insurance for a business or an individual.

I have an SMB and my bank has coverage if my account or credit card are hacked. Why would I need cyber coverage?

The bank or credit company will often not provide coverage for funds transfer fraud. Further, any limits that are provided, if there are any at all, are often very low.

How is the digital transformation trend impacting the insurance industry?

With more people working from home and working online, businesses have greater exposure to cyber-attacks, as employees may be more at risk of attack depending on the networks they work from at home.

As well, as people and businesses transact more online, more information is put online for hackers to try to steal. As companies look after more of their clients' information, the need for added security measures and cyber insurance protections has grown and will continue to grow in the years ahead.

Are there any upcoming regulatory changes that customers should be aware of?

The Federal Government is currently working on updating federal laws around privacy. The key takeaway is that businesses will have to take more accountability to alert clients of data and privacy breaches. This comes with heavy costs for businesses to make their clients aware of any such breach. Further, there will be tougher penalties for businesses that do not alert their clients.

What do you believe will be the most significant disruption in the insurance industry over the next decade?

Digital transformation and Insurtech: The ongoing digital transformation will continue to disrupt the insurance industry. Insurtech startups are likely to drive innovation in areas such as underwriting, claims processing, distribution, and customer experience. This could lead to more personalized policies, streamlined operations and increased competition.

Artificial Intelligence and Data Analytics: The use of AI and data analytics is poised to revolutionize the insurance sector. Insurers will increasingly leverage AI for risk assessment, fraud detection, and customer service. Predictive analytics will enable insurers to better understand and price risks, leading to more accurate underwriting and pricing models.

Emerging Risks: Emerging risks such as cyber security threats, pandemics, and even space tourism-related insurance will challenge the industry. Insurers will need to adapt to new, unforeseen risks and develop products to address them.

How do you see blockchain or other emerging technologies playing a role in the future of insurance?

Blockchain has the potential to transform the insurance industry by enhancing transparency, security and efficiency. It can streamline processes related to claims management, policy issuance, and reinsurance, reducing fraud and errors.

If the only thing my business does electronically is collect e-transfers for payment of invoices, do I still need cyber coverage and what would it actually cover?

Even if the only electronic activity your business engages in is collecting e-transfers for payment of invoices, it's still advisable to consider cyber insurance coverage. Many times, agreements with payment system providers waive the provider's responsibility if a privacy breach occurs. It is a myth that the payment system provider will be responsible and that you wouldn't need to worry. Cyber coverage can provide valuable protection for various risks associated with electronic transactions and data handling.

Cyber Extortion: If your business falls victim to a cyber extortion attempt, such as ransomware, cyber insurance can assist in paying the ransom, where legal and ethical, as well as cover the costs of dealing with the incident, including IT forensics and negotiations with the extortionists.

Data Loss: If your electronic records are lost or corrupted due to a cyber incident, cyber insurance can help cover the cost of data recovery and restoration. This can be crucial for businesses that rely heavily on electronic records and data.

Business Interruption: Cyber insurance can provide coverage for lost income and additional expenses incurred due to a cyberattack or data breach that disrupts your business operations. This can include costs associated with downtime, temporary relocation, and maintaining operations during a disruption.

Privacy Liability: If your business inadvertently discloses sensitive customer information during e-transfer processing, leading to a privacy breach, cyber insurance can help cover the costs of legal defense and settlements if affected parties sue your business.

Regulatory Fines and Penalties: Many jurisdictions have strict regulations concerning the protection of customer data. If your business is found to be non-compliant and faces fines or penalties from regulatory authorities, cyber insurance may cover these costs.

Is there always cyber coverage included in a base policy or do I need to request it OR have a separate policy?

Cyber coverage must be requested on a base policy and a separate policy should be purchased to provide additional coverage.

Can you give a real-life local example of a cyber insurance incident?

Local business has agreed with a contractor to complete a project for them with work to begin in 3 months.

Local business receives an email from the contractor requesting a down payment for the work in the amount of $5,000 with instructions to transfer the funds. Local business transfers the funds as directed.

Two weeks later, the local business receives another request for an additional $5,000 to buy additional materials, so they transfer the funds.

Finally, another 2 weeks go by and local business receives another email requesting $10,000. Local business is confused since the contractor hasn't even started the work yet and calls them, and the contractor says, "I haven't asked you for any money…"

Local business realizes they were a victim of Funds Transfer Fraud.

If you want more information about cyber insurance for your organization, reach out to Stephanie Dombowsky, the Director of Commercial Sales at Knight Archer Insurance.