Cyber risk management is moving higher up the C-suite agenda. More than two-thirds (68%) of Canadian respondents to our 2022 CEO Survey say they’ve explicitly factored cyber risks into their strategic risk management activities. Insuring against financial losses or damages caused by cyber attacks is an important part of many organizations’ risk management strategy. But organizations are facing new challenges—and, occasionally, unpleasant surprises—as they work to protect themselves against financial losses from cyber incidents.
The rising frequency and magnitude of claims are forcing many insurance companies to increase premiums and become more selective in which risks they insure. The consequences for organizations go beyond higher costs. Policy exclusions can lead to coverage gaps and rejected claims that hinder an organization’s ability to respond to a cyber crisis and leave it with potentially catastrophic financial losses.
Buying external cyber insurance is one way to mitigate cyber risks. We’re also seeing organizations explore self-insurance as a primary layer of cyber insurance or to supplement external cyber insurance coverage. Self-insurance typically involves putting aside funds on an organization’s balance sheet to cover future expenses stemming from a cyber incident or writing cyber risks through an organization’s captive insurer. But to be effective, self-insurance plans need to be designed in a deliberate, formal and defined way.
Here are some initial steps that we’ve seen help organizations explore how self-insurance can fit within their cyber risk management strategy:
Imagine a hacker gained access to sensitive client information in a ransomware attack. What legal and regulatory risks could your organization face? What operational risks, such as network downtime, could disrupt your business? What about the risk to your organization’s reputation and the trust of your current and future clients? And what are the costs associated with those risks?
Quantifying these and other cyber risks, as well as various cyber scenarios, is an important starting point in deciding which risks to self-insure. As part of this analysis, it’s valuable to look both within your organization as well as understand your industry’s inherent risks. As we saw in our latest Canadian Cyber Threat Intelligence report, every business sector faces its own unique attack landscape when it comes to digital risk and potential cyber threats.
Your general liability, business interruption and other insurance policies may be helpful after a cyber incident. But it’s important to pinpoint gaps in your coverage and understand how that lack of protection could affect your organization’s ability to respond to and recover from a cyber attack. For example, many insurance companies won’t cover ransom payments—a particularly important consideration given that ransomware continues to be one of the most significant and costly cyber threats facing Canadian organizations.
A gap analysis that examines the coverage your organization needs to effectively respond to a crisis as well as the protection provided by your existing policies can identify the risks that your organization needs, or chooses, to self-insure.
As cyber insurance premiums rise, it’s valuable to review the costs of the protection you’re receiving. It’s important to have access to adequate insurance funds in a crisis, of course. But self-insuring can give organizations more control over its long-term insurance expenses. By quantifying the risk your organization faces from a cyber attack, you can explore how your liquidity matches your risk tolerance—an important aspect in assessing how you assemble the right mix of cyber insurance.
Responding to a cyber attack typically takes a community of solvers: internal and external teams specializing in incident and crisis management. External cyber insurance policies often include access to some of these service providers. It’s important to think about what services your organization may need in a crisis and whether your insurance policy will cover the cost. The list could include an incident response provider, breach coach, ransom negotiator, forensic investigator, crisis communicator and more.
While identifying and, in some cases, retaining these specialists requires up-front work, self-insured organizations have the advantage of selecting service providers of their choosing. In a crisis, many organizations prefer working with trusted advisors who are already familiar with their business.
Do you understand your threat landscape and the cyber risks you need to insure against?
Can you estimate the costs that organizations in your sector incur responding to a cyber crisis?
What gaps exist in your current cyber insurance coverage?
Have you developed qualitative or quantitative risk frameworks that let you compare the costs and benefits of insurance to alternatives?
Your organization’s resilience during a cyber crisis may hinge on having appropriate cyber insurance. Being able to access the resources needed to execute your response plan reduces your costs and recovery time—an important part of maintaining and building trust with your executive team, clients and other stakeholders looking for critical business services to be quickly restored.
Properly financing your cyber risks is a critical part of readying your organization to respond to a crisis. But to be sustainable, your approach should be affordable, cover the specific threats facing your organization and position it to recover even stronger than before.
Partner, National Cyber Forensics Investigations Leader, PwC Canada
Tel: +1 416 687 8262
Partner, Cybersecurity, Privacy and Financial Crime National Leader, PwC Canada
Tel: +1 416 815 5306