In 2012, small and medium sized businesses (businesses with fewer than 500 employees) employed 10 million people, which represent nearly 90% of all employees in Canada.[1] In that same year, 87% of Canadian businesses used the internet, and 46% had a website.[2] This same study found that Canadian enterprises sold almost $122 billion dollars' worth of goods and services over the internet.[3]

These statistics demonstrate both the presence of Canadian businesses on the internet and the substantial reliance on technology in the day-to-day practices of Canadian companies. It is clear that technology provides many opportunities for businesses in a global marketplace that they would otherwise not have access to.  With increased reliance on technology, however, comes a significant increase in the exposure to potential risks.  As a result, the potentially devastating impact of these risks has become the reality for many businesses.  Still, in most instances, companies do not have an insurance policy with appropriate coverage for cyber liability.

Although cyber liability insurance has been generally available for over 10 years, most businesses are still not insured for this type of risk. Further, many companies are just beginning to learn about independent policies providing for this coverage. The likely reason: most business owners assume that since cyber liability is a form of theft, and their existing policies provide coverage against theft and criminal activity, there is coverage available. Unfortunately, this is not the case. This misunderstanding has left several businesses footing the bill for the resulting expenses related to cyber liability. These costs include the management of the incident, the investigation of the cause, legal costs, regulatory fines, third party damages and costs associated with the mandatory notification to affected parties.

It is prudent for companies to seek some form of protection to address vulnerabilities that result from ineffective security practices. These vulnerabilities include software failure, loss of mobile devices and inappropriate conduct. The confidential information that can be obtained during a breach of information security can result from the use of information for fraud, identity theft, extortion against the company, defamation, sharing of the information over social media sites for further breach of privacy, or further access into the company's' private records. Despite the severity of risk to a business, a 2013 study revealed that only 31% of the respondent businesses possessed some form of cyber insurance coverage.[4]

There are many factors considered when determining whether a company is afforded coverage against cyber liability under its Commercial General Liability policy. For instance, in Zurich American Insurance Company v. Sony Corporation of America et al,[5] the Insurer did not extend coverage for breach of information security. Sony argued that they were entitled to coverage for a cyber breach of customers' personal information which was stolen by hackers. Sony sought coverage under its Personal and Advertising Injury Liability coverage in its policy, as this provided coverage for publication of material in any manner. However, the Court held that Sony was not entitled to coverage as the policy required that the publication come as result of Sony's intentional act.  Although the breach of confidential information could be deemed a negligent act, it was not an intentional one. While this is an American decision, it highlights the importance of businesses understanding the coverage they are provided under their insurance policy. 

From a business and a legal perspective; it would seem imperative that companies obtain insurance designed specifically for coverage against cyber related losses. Many Insurers now offer a comprehensive insurance policy specifically for cyber liability, which includes both first and third party coverage. First party coverage would cover the expenses incurred as a direct result of a breach of privacy (including legal and public relations expenses) and expenses incurred as an indirect result of the breach of privacy (such as loss of loyalty and business interruption). Third party coverage provides protection against the losses suffered by customers.

In reviewing the growing risks that Canadian businesses are susceptible to, it is vital for companies to have proper cyber insurance in place. It is important to note that obtaining cyber insurance will not prevent breaches of confidential information, and may also not provide coverage in all situations where a breach has occurred. Therefore, a business needs to understand that cyber insurance is not a substitute to implementing effective information security practices. Simply having a fire insurance policy does not prevent the risk of a fire. Similarly, cyber insurance will not prevent a breach from occurring. As such, obtaining cyber insurance is just one step in ensuring that your business is prepared for the risks presented with the use of technology. Cyber insurance should be accompanied with the implementation and maintenance of effective security measures, if a business hopes to protect itself against the possibility of cyber liability.

[1] "Key Small Business Statistics" (August 2013) online: .

[2] "Digital Technology and Internet Use, 2012" (12 June 2013) online:
http://www.statcan.gc.ca/daily-quotidien/130612/dq130612a-eng.htm.

[3] Ibid.

[4] "Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age" (August 2013) online: Ponemon Institute
http://www.experian.com/innovation/business-resources/ponemon-study-managing-cyber-security-as-business risk.jsp? ecd_dbres_cyber_insurance_study_ponemon_referral

[5] Index No. 651982/2011 (NY Sup Ct, Feb. 21 2014).

Lerners Insurance Defence Reference Library

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.