Cyber insurance for public sector retail operations
Cyber insurance for public sector retail operations
As a public sector entity, it’s important to ensure your cyber insurance policy covers what you need, and not more, keeping costs down and coverage realistic.
Although property insurance has been around for centuries, with policies that have been refined throughout that time, cyber insurance is a relatively new concept for many organizations. Yet, as cyber crime increases in frequency and sophistication, risk management in the public sector often falls behind in securing insurance policies to mitigate the threat – to assets and to stakeholders.
A simple click of the mouse could open your organization to a system breach that exposes personal, financial, and operational data to criminal elements. Cyber security measures can reduce the risk, but will your insurance cover losses incurred by a cyber attack? Does the policy address key exposure points and is the coverage enough or too much – important considerations for any organization.
Connect with a trusted cyber security advisor to assess your exposure, identify risks and strategies to reduce them. If your organization has a cyber policy, consider an independent review to assess what your coverage does and does not cover, and how to best protect revenues and reputation.
The assessment process
An insurance review typically starts by securing a copy of the policy. The independent insurance advisor will review the policy against your business or organization and highlight any gaps or excesses.
For example, your policy might include coverage against the impact of an extortion or ransomware attack where cyber criminals hold your organization’s electronic data hostage until a ransom is paid. However, almost no government agency or department will transact with criminals, making such coverage superfluous for the public sector.
The team will discuss what your exposure is for revenue, hardware, and communications, in other words, what you stand to lose in the event of a cyber breach affecting operations. If your department has legacy hardware that is no longer available, does the policy allow for a replacement to like kind and function hardware instead of the exact models?
Privacy concerns and risks
We recently completed a review for a government-run cannabis retailer that wanted to, as many in the sector do, update their insurance in the face of increased cyber attacks. As the legal cannabis industry is relatively new and growing, with little historical information, insurance coverage can raise questions and concerns. An independent, experienced insurance advisor can support the sector, now and into the future, determining current needs and ensuring policies can grow with demand.
They will look at any existing policy, and build a model based on assets, what risks apply, and how if any restrictions apply. The plan will be developed on what coverage is required now and include projected growth to cover future needs.
In the case of retailers, losing personal client data in a cyber breach is a major area of concern. An insurance advisor could suggest expanding coverage in that area – however, as noted above, provincial and territorial governments restrict any payment. Coverage for ransomware should be removed entirely, making the policy realistically suited to the retailer’s needs.
It is also important to note state-sanctioned acts of cyber terrorism are not covered by any insurance policy.
How is coverage determined
Payments towards cyber business interruption insurance are based on a percentage; the percentage is calculated by taking the net income and continuing expenses of the business in a normal period and comparing it to gross revenues. The question becomes what sort of coverage do you need as the business’ income increases?
For the sake of round numbers, say your business’ income this year is $10 million, but in two years, you project an income of $50 million. What your limits are under the coverage today would still be in place in two years unless you’ve updated the limits. Your policy may have enough coverage for 10 days of revenues and downtime today, but only three days in the future. If you still want 10 days worth of coverage, you will need to update and increase your limits accordingly.
Stay updated
Understand what your situation is now but be prepared to change tactics quickly. For example, new legislation could impact an existing business model, increasing risk under an existing insurance policy. Having a model you can update allows you to plan for changes, and understand how revenue and policy changes could impact the business, before they happen.
Regular reviews are key to success. A comprehensive review of your insurance policy by an insurance advisor every two to three years will ensure current policies and status are incorporated, and that your organization is up to date in coverage.
A cyber breach can debilitate an organization or business; having the right cyber security insurance – one that addresses revenue, assets and other issues – can reduce the loss, and mitigate damage.
Insights
-
Confidence
May 09, 2024
Bill 19 – British Columbia (B.C.) Money Services Business Act: What you need to know before legislation takes effect
Learn about the upcoming Money Services Business Act in British Columbia and what it means for MSBs operating in the province.
-
Confidence
May 08, 2024
Five key financial considerations for dental grads
As new dental graduates embark on their careers, equipping them with financial knowledge sets them up for success.
-
Progress
May 07, 2024
Impact of Federal Budget 2024 on the Technology, Media & Telecommunications Sector
The 2024 federal budget proposes key tax measures that could impact businesses and entrepreneurs in the technology, media, and telecommunications (TMT) sector.
