Small and medium-sized Canadian businesses have a new choice for cyber insurance after a U.S.-based provider called Coalition Inc. decided to offer its service north of the border.
Supported by re-insurer Swiss Re, as well as Lloyd’s of London, and Argo Group, Coalition is offering up to $20 million of comprehensive insurance coverage to companies with up to $1 billion in annual revenue.
In an interview CEO Joshua Motta said a differentiator from well-known giant insurers is that Coalition offers customers passive monitoring of their internet-facing attack surfaces, including email servers, internet gateways, databases and virtual private networks.
The service can tell if a customer has devices with exposed Windows remote desktop protocol, unprotected databases and employee credentials for sale on the dark web, Motta said. It also monitors for unpatched software vulnerabilities.
The company also offers policyholders round-the-clock incident response experts to help after an incident. Using Coalition’s incident response staff where possible means those costs don’t come out of the policyholder’s deductible, he said. The company also has access to partner firms with expertise in law, crisis management and public relations.
“Historically people treated cybersecurity as a technology problem,” Motta said in an interview. “If you just installed anti-virus and firewalls and things like that you could protect your business. But we view it as a risk management problem.”
Coalition cyber insurance is offered in Canada through 100 brokers.
Cyber insurance: Necessary for business
Motta was careful about outlining premiums, saying they depend on variables including a company’s risk profile, size and the amount of data being protected. Generally, a small business would pay between $1,000 and $3,000 a year for $1 million of coverage, while a mid-sized firm would pay between $7,500 and $15,000 a year for $1 million of coverage.
Headquartered in San Francisco, Coalition began operations in March 2017 and has been funded by venture capital. In January it bought internet scanning provider BinaryEdge. Coalition will integrate BinaryEdge to help customers better map their Internet attack surface and monitor risk exposures.
Logan Rohde, a research analyst at InfoTech Research who recently did a study on the cyber insurance industry, said the entry of Coalition is an example of how the sector is trying to find a standard way of measuring an organization’s exposure to cyber risk.
There’s still a worry among businesses that cyber insurance isn’t worth it, Rohde said, based on fears that providers will find ways not to pay out claims. In particular, organizations assume providers have a list of obligatory cybersecurity practices customers have to follow, and that if there’s any slight lapse — sometimes called a ‘failure to maintain’ practices — the policy will be voided.
“In the past this language was more common,” says Rohde. But, he added, “I was able to interview an underwriter whose firm had recently surveyed the industry and found this had all but disappeared.” Instead, claims are assessed case by case against what reasonable current cybersecurity practices are.
“That being said,” he added, “cyber insurance is not a ‘Get out of jail free card’. You are still expected to maintain basic security controls, such as encrypting sensitive data.”
Often organizations are required by insurers to do a self-assessment of their security controls before coverage starts, Rohde said, and if there is a mistake it is the insured’s responsibility to correct it.
The other major worry is that insurers will declare a cyber attack not covered under a ‘war and terrorism’ exclusion. The prime example is the 2017 NotPetya attack, which most experts agree was aimed at Ukraine but escaped into the rest of the world. Among the biggest victims was pharmaceuticals manufacturer Merck, which made a claim for US$1.3 billion to cover restoring or replacing servers and PCs and loss of business.
However, its insurers have refused to pay, arguing the incident was an act of war even though it wasn’t an armed attack. The dispute is still before U.S. courts.
When looking to buy cyber insurance, Rohde said it helps to have an idea of how much coverage the organization needs. Do a business impact analysis of the costs of every type of attack the organization is likely to suffer, including restoration, remediation and loss of reputation. “Then it gets a lot easier to determine whether a million or $5 million coverage is enough,” he said.
Understanding what is covered and for how much is vital.
Management may also need legal advice. “More and more, I’m seeing policies that are easier to follow along with, but the giant dense pieces of legalese are still common,” he said. “So if there’s a section you’re not confident about, you can seek legal input.”
He also warned businesses not to make quick decisions with their agents. Some firms have discovered what they thought was cyber insurance was really an insurance rider to their property coverage.