Cyber insurance is gaining traction in the Canadian business community, likely due in part to the growing number of ransomware attacks, data from a survey commissioned by the Canadian Internet Registration Authority (CIRA) suggest.
The Strategic Counsel, a research firm, conducted an online survey of 500 Canadian cybersecurity decision-makers (business owners and employees) in July and August 2024. All organizations surveyed had at least 50 employees who used a computer or mobile device at least 20% of the time as part of their employment. Private sector firms had fewer than 999 employees.
Eighty-two per cent of the organizations reported having cybersecurity insurance coverage, up from 59% in 2021.
Of those who had a policy, 42% said it was a cyber-specific policy, while another 40% said it was “part of a business insurance policy.”
The landscape for cyber coverage has shifted, businesses reported.
“Most organizations with a policy indicate that their provider has made changes to the coverage,” the study notes. “The most common changes are proof or verification of security measures in place, increased premiums, and changed eligibility criteria.”
Survey respondents were asked to select reasons for the policy changes. (Multiple answers were possible, so the percentages don’t equal 100%.)
Thirty-nine per cent said their insurer requested new forms of proof or verification of cybersecurity measures in place. Thirty-eight per cent said their premiums increased. And 37% said their insurers changed eligibility criteria for obtaining or renewing cyber coverage.
Another 30% said their insurers reduced reimbursement amounts for ransomware attacks.
Also in the news: Industry fears a trade war would sustain hard market conditions
The average cost of handling cybersecurity incidents is rising, IBM states in its Cost of a Data Breach Report 2024. The average cost of a data breach last year reached US$4.88 million, the report says.
“This number accounts for a rise in the cost of lost business after a cyberattack and the cost of post-breach responses required by organizations to recover from a cyberattack,” Torkin Manes LLP counsel Roland Hung and Laura Crimi write in a blog published on Mondaq.
Ransom demands are another aspect of ransomware attacks that touch on cyber insurance.
Twenty-eight per cent of Canadian businesses were victims of a successful ransomware attack in 2024, up 17% from 2021, according to the CIRA survey.
Among the 141 Canadian cybersecurity decision-makers who reported experiencing a ransomware attack, 79% said their organizations paid ransom demands. The survey shows the most commonly paid ransom amount was in the range of between $50,000 to $100,000.
It seems organizations are paying the ransom and then saying as little as possible about it.
The survey suggests one reason why: more businesses are reporting reputational damage as a result of a cybersecurity breach.
“The impact of reputational damage has trended up over time (28% select it as an impact in 2024, compared to only 6% in 2018), as has the impact of loss of customers (26% in 2024, compared to only 6% in 2018),” CIRA’s report states.
But while Canadian businesses are required by law to report significant breaches to privacy commissioners and the people whose data has been exposed, very few are willing to engage law enforcement on the matter, Hung and Crimi observe.
“A common trend is that organizations will often pay the ransom and remain silent on being the victim of a ransomware attack, where possible,” the lawyers write. “For example, Public Safety Canada reported in 2021 that only 10% of businesses affected by cybercrime reported the incident to law enforcement…”
And the lack of willingness to contact law enforcement itself has a cost.
IBM’s report estimates a savings of US$1million for ransomware victims who choose to involve law enforcement, particularly at the start of a ransomware attack. The savings due to police involvement include a shortened time to identify and contain a cybersecurity breach.
Feature image courtesy of iStock.com/erhui1979
