Seventy-four per cent of organizations across Canada have decided to invest in cyber insurance in 2022, compared to 59% in 2021, despite increasing costs and requirements, finds a survey from the Canadian Internet Registration Authority (CIRA).
However, most organizations with a policy indicate that their provider has made changes to the coverage. The most common changes are proof/verification of security measures in place (42%) and increased premiums (39%).
Other changes include changed eligibility criteria for obtaining/renewing coverage (33%) and reduced reimbursement amounts for ransomware attacks (29%), according to the survey of 500 employees and owners at organizations with a minimum of 50 employees.
“Generally speaking, insurers will support the decision of insureds to pay a ransom… But there is a subset of ransom payments that they may actually oppose,” said Brian Rosenbaum, managing director of claims at Aon, during a panel discussion at the RIMS Canada Conference in Halifax.
“And that has to do with when it’s not really sensitive information, a decryptor is not required, the extortionist has really lowered their demands from original demands, and basically rather than assess the risk and figure out whether or not a ransom needs to be paid, the insured organization just wants to make the payment to go away.”
Nearly all organizations (96%) say cybersecurity awareness training is mandatory for at least some employees. This number has increased from 87% before the pandemic.
In-house developed courses and training materials are the most common way these organizations conduct cybersecurity awareness training (48%), followed by refresher training (46%) and third-party developed courses/training materials (44%).
However, three in ten (29%) organizations experienced a breach of customer and/or employee data last year.
Among organizations that experienced a data breach, just over half (53%) informed management/senior leadership, 49% informed the board, and 44% informed customers.
When breaches do happen, companies need to act fast to inform those affected—employees and customers alike. “You’ve got to communicate with all stakeholders, the public, regulators, business partners and employees in a proper, timely and effective way,” said Rosenbaum.