Cyber insurance helps defray data breach costs
By AdvocateDaily.com Staff
Many companies are not prepared for upcoming changes to Canada’s privacy law that will require them to report data breaches within a prescribed time, says Jason Green, principal of Hexigent Consulting.
Green, who has more than 25 years' experience working in digital investigations and cybersecurity, says that no matter the type of business, publicly traded or private, the changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) will apply when they take effect Nov. 1.
“A data breach is serious, whether you’re a medium-sized law firm, a retailer or a municipal government,” he tells AdvocateDaily.com. “You have to be prepared for the costs associated with such an incident, and one way organizations can reduce costs is through cyber insurance. We know from experience how vital it can be in defraying costs.”
For example, Green says, earlier this year the Ontario town of Wasaga Beach found its computer systems overtaken by attackers who demanded a ransom to restore access.
“We were called in to assist, and they did pay the ransom,” he says. “But they shared their experience with other municipalities, which prompted the town of Midland to secure cyber insurance. So when their systems were compromised a month or so later, they were prepared.”
Cyber insurance doesn’t typically include ransom payments, but it does cover the costs associated with notifying those whose data may have been breached as well as fees for legal advice and access to high-level cybercrime consultants, Green says.
“This type of insurance also covers the cost of experienced cyber professionals, which in the Wasaga case, resulted in decreasing the ransom demand from $144,000 to about $35,000 in Bitcoin,” he says. “The overall cost to the town was more substantial, in excess of $250,000” due to the expenses associated with reviewing data and diverting resources from the town’s core business.
Still, simply purchasing an insurance policy isn’t enough, Green warns.
“The carrier will want to know details about the state of your systems and infrastructure security to assess how vulnerable your organization is to data breaches,” he says. “Because of that, the business may need to invest a significant amount of money to secure their systems so they can qualify for the right cyber insurance coverage.”
Taking these “best practice” steps will provide organizations with peace of mind and may mitigate any liability claims associated with a breach, Green says.
For law firms, the prospect of being hacked is daunting not only because of the impact on client-solicitor privilege but also the potential for irrevocable damage to the firm’s reputation, he says.
Whether it’s sensitive information about tax, mergers and acquisitions or a publicly traded company, keeping a lid on the data is crucial to large law firms with a global reach, Green says.
“Large firms usually have someone on board who is a lawyer practising in the area of data breach liability, and they will act as a breach coach who advises before, during and after an attack occurs,” he says. “We do a great deal of that type of work with mid-sized law firms because they don’t usually have a resource like that.”
Once organizations have completed an audit and established a baseline of security necessary to procure an appropriate insurance policy, Green says the next step is to ensure safeguards remain up to date and compliant moving forward.
“It’s not like you tackle today's cyber problems and then say, that’s it, we’re done here,” he says. “You have to look at your security measures and practices on a continual basis.”