For many small businesses, a fire that destroys all of their operations might be preferable to getting hacked. At least in the case of the fire, there’s a good chance the damages will be covered by insurance.
Cybersecurity protection for losses of data or network assets is in its infancy in Canada, at least as far as small and medium enterprises are concerned. Only about 7 per cent of small businesses – those with fewer than 50 employees – had cyberliability insurance in 2017, according to Statistics Canada.
Medium-sized businesses, or those with 50 to 249 employees, were slightly more prepared at 14 per cent, versus 24 per cent for large companies.
The costs are huge, meanwhile, with reports estimating that cybercrime costs the Canadian economy between $3-billion and $5-billion a year.
Figures from the United States suggest that nearly half of cyberattacks are aimed at small businesses, many of which never recover. Half of small businesses would be unprofitable within a month if they were to lose permanent access to their essential data, the Better Business Bureau says.
Part of the reason small businesses in Canada are so poorly covered might be that the process is too complex and costly.
“They were getting these applications that we were sending them [on behalf of] insurance carriers that were extremely complicated, asking very complex questions,” says Mike Groner, account executive for Front Row Insurance. “These were also clients who weren’t in a position to pay six, seven, even eight-hundred dollars a year for cyberliability insurance.”
To that end, Toronto-based Front Row has launched its own product, HackInsure, which offers coverage for cybersecurity issues ranging from theft, fraud and ransomware to business interruption resulting from data loss.
Businesses can sign up online for the product, underwritten by Swiss insurer Chubb, without having to talk to a broker. Coverage ranges from $100,000 to $1-million, while annual premiums begin at $200.
Mr. Groner says Front Row was able to negotiate with Chubb to remove about 80 per cent of the standard cyberliability application that bigger enterprises typically must deal with.
Such applications generally ask companies to spell out corporate structures, including listing the names of various directors, executives and their responsibilities. Front Row boiled it down to only the most pertinent information.
“We removed any questions where it would have absolutely no bearing on the premium and quote itself,” Mr. Groner says. “They’re simple questions, like are they using Windows 7 or higher? Are they using an antivirus program? Are they using firewalls? Are they using backup-and-recover procedures? It doesn’t get invasive beyond that.”
Insurance industry experts say the problem with poor coverage may also stem from a lack of education and regulatory involvement. About 19 per cent of small and medium enterprises in the United States and 15 per cent in Britain are estimated to have standalone cyber coverage.
“Canadian companies are very bad with data,” says Mary Hardy, professor of actuarial science at the University of Waterloo. “There’s not so much oversight and requirement to produce data like there is [elsewhere].”
The federal government has taken notice of the problem, which was the impetus for a renewal of the National Cyber Security Strategy this past June. The plan is devoting $500-million over the next five years to help educate the public on cybersecurity and to develop expertise in the field.
Jeremy Depow, vice-president of policy and research for the Information and Communications Technology Council, says products such as Front Row’s HackInsure are positive steps toward spreading awareness. Companies getting hacked is no longer a question of if, but rather when, he says.
“Hopefully it starts to force businesses to live up to some kind of standard,” he says. “Insurance could be a way where you build in those standards to at least get small businesses up to the basics.”
The cybersecurity insurance market is expected to balloon over the next few years, hitting US$17.55-billion by 2023 from US$4-billion in 2017, according to a Reuters report.
Until recently, Front Row has focused mainly on providing insurance products to the entertainment industry, but the company has moved to the cybersecurity market by customer demand.
Editor’s note: An earlier version of this story said about 60 per cent of companies go out of business within six months of a cyberattack, according to U.S. National Cyber Security Alliance. That statistic has been incorrectly linked to the alliance and cannot be verified, the organization says.