Doug D. Everett, CIP

iicdde2015@gmail.com

The Cyber Index – Cyber Risk Insurance in Canada There are currently (2020) over 20 different policy forms offered in the marketplace not including those designed and distributed through specialty brokers. There are no standard policy wordings which complicates things for Brokers who assist the client in measuring their level of risk and then assess which of the policy forms offered most fully addresses those exposure elements. Some policies define a computer system or a computer network, as limited to only those interconnected devices or those owned and operated only by the insured, does it include mobile devices, smart phones, USB sticks, laptops, on the premises or on and off the premises, are devices owned by employees and used for work included in the definition? What about data stored by a third-party provider whether under contract or not, or in the cloud? Knowing what form of electronic equipment or data is defined is key to following the policy through the coverage maze. Once you know what is considered a computer system; what are the perils or events for which coverage is provided? For example, a security breach could result in potential financial loss whether from business interruption, loss of reputation, theft or extortion, or privacy breach where the personal information of clients is exposed. Are personal information employees is covered? What are the perils that would trigger a business interruption loss and for what period of time would that coverage apply? If the client receives an extortion threat, will the policy pay the expenses to negotiate the threat only or those plus the actual amount of the financial demand? If the insured makes financial transactions through various credit card companies, are they covered in the event of a breach of those payment card standards? If the client promotes their product using electronical means, typically their web site, have they infringed on their competitor, exposed private corporate details about others’ products, or made false claims about their own or others, does their policy provider offer coverage for media liability? If they are accused of a wrongdoing in a foreign jurisdiction, will their policy provide protection? Will it comply with all fines and penalties assessed by a government agency, only in Canada or worldwide? To what level of assistance will the insured go to remedy the loss of personal information of clients and to what degree will the policy protect those expenses in foreign jurisdictions? The insured receives an allegation of fault and reports it to their insurance provider. After an investigation, the company wishes to make an offer to settle with the third party, however the insured does not agree with the proposed settlement, under the Hammer Clause or Consent to Settle Clause, which most policies have, the insurance provider will cease negations and investigations, however, once the final settlement is made and agreed, depending on the policy form, they will pay a % of the additional defense costs and final settlement, some will pay NIL, some 50, 70 or 80%. These are only some key criteria which should be considered when comparing cyber risk polices. We have created the Cyber Index which contains copies of policy wordings, brochures, applications, loss prevention services, claims scenarios, and a full comparison on key criteria to assist Brokers in assessing the benefits of their cyber risk policy options against potential competitors to help in selecting the most appropriate policy for their client. Remember, we have been told that diversity is our strength. Well, Cyber Risk policies are diverse in the way they deal with many aspects of policy terms. Only 15 of the 20 policies reviewed agreed that along with their duty to defend, they extend that right even if allegations are false or groundless or fraudulent, and one that does not include fraudulent allegations in their obligation. Of the 20 policies studied:  14 offer Cyber Extortion;  8 offer some form of cybercrime;  13 some form of protection for Payment Card Industry Standard (PCI);  7 offer 80% for Consent to Settle agreements while the balance offers less or 0%;  11 make reference to the European Union’s stricter and punitive privacy regulations; and  0 for BYOD (employees Bring Your Own Device). The core coverages require careful reading how the perils or events are defined. The Cyber Index provides reviews of each policy using 39 coverage criteria, policy comparisons, policy wordings, brochures, applications all where available, resources, links and opinions focused on Cyber Risks. Access is available on an annual subscription basis at a price of $195 which includes a 1 Hour accredited Continuing Education Credit for the Primary Subscriber. Doug Everett started his career in the P&C insurance industry in 1974 working in claims, commercial lines, and marketing before landing as President of CHES Special Risks Inc.  In 1979, he received his CIP Designation and became an Associate of the Insurance Institute of Canada (IIC). In 1985, he became an Approved Instructor for the Insurance Institute of Canada.  Doug has created more than 70 CE (Continuing Education credit) courses and conducted seminars for brokers both in Canada and internationally. The Canadian Underwriter Magazine has published his expert views on complex subject areas such as Terrorist Acts Insurance and Faulty Workmanship.