Stricter Cybersecurity Insurance Requirements Staring Toronto Companies In The Face
The Canadian cybersecurity attacks have continued to soar over the years, leading to massive revenue loss, damaged brand reputation, and loss of customer and stakeholder trust. A recent report estimates Canada experienced more than 4,000 ransomware incidents in 2020 , resulting in massive revenue losses of between US$164,772,274 and US$659,246,267.
The Canadian regulation on cyber security leverages a regulatory framework that ensures all businesses have adequate insurance to cover their cyber security risks. Over the past few months, companies in Toronto have seen stricter cybersecurity insurance requirements that can frustrate their business processes.
Failure to meet these requirements can lead to severe legal and financial consequences for any company in Toronto and the rest of the country. This blog focuses on some of the cybersecurity insurance requirements that companies in Toronto need to be aware of in 2021 and beyond.
What Are the Cybersecurity Issues Facing Toronto Companies
A cyberattack refers to any intrusion into a computer system or network. The actors behind these intrusions hope to achieve several goals, including disabling your networks, access to valuable data, and elevated privileges. Some of the typical cybersecurity issues affecting most companies in Toronto include but are not limited to malware, ransomware, phishing, and denial of service.
With the advancement of technology and the recent massive adoption of remote work due to COVID-19, the nature and level of these attacks have become very sophisticated, making cyber liability insurance inevitable to have as a business.
The Cyber Security Insurance Requirements Facing Toronto Companies
As a key decision-maker in your company, it is crucial that you keep current and aware of the various cybersecurity insurance rules and regulations that apply to your day-to-day operations. These include:
PIPEDA mandatory cyber breach reporting
On November 1, 2018, the Personal Protection and Electronic Documents Act (PIPEDA) came into effect in Canada. With the rising cases of cyber-attacks and subsequent changes in cyber insurance requirements, every business in Toronto, whether large or small, needs to be aware of this act. PIPEDA, which is managed by the Offices of the Privacy Commissioner of Canada, requires companies that are subject to PIPEDA to do the following:
- Report any breaches in their systems and networks to the Privacy Commissioner of Canada. This could be any breaches of security safeguards targeting personal data that may result in significant harm to individuals.
- Companies are also mandated to notify affected persons immediately about any breach incidences targeting them. In essence, if there is an attack targeting some of your customers, you have a mandate to notify the victims immediately.
- Companies are also required to keep secure records of all breaches.
If a company knowingly disregards PIPEDA’s record keeping, reporting, and notification requirements, hefty fines could be preferred for such an organization. Disregarding PIPEDA’s regulations could also affect your contractual terms with your cyber security insurance provider.
OSFI new security incident reporting requirements
On August 13, 2021, the Office of the Superintendent of Financial Institutions (OSFI) issued new technology and cyber security incident reporting requirements. The new advisory replaces the OSFI’s guidance from 2019 on how and when federally regulated financial institutions are required to notify OSFI about technology or cyber-attack incidences. In general, the new advisory has broadened the scope of reportable incidents from incidences that cause “significant” operational impact to “any incident,” whether minor or significant, that could impact operations. Under the Advisory, FRFIs must report a technology or cyber security incident to OSFI’s Technology Risk Division within 24 hours or earlier.
The 2021 advisory also comes with new guidance on the consequences of failing to report an incident and may include heftier fines, increased supervisory oversight, and watch-listing or staging of the FRFI and ultimately increased insurance rates. Most insurance providers require companies to strictly adhere to the new OSFI security incident reporting requirements as this helps them carry out objective and more precise cyber risk assessments for their underwriting processes.
More stringent cyber risk assessments
To keep risks at an acceptable level, most insurance providers are now setting more stringent basic IT security standards that policyholders must meet to qualify for cyber insurance. Insurance providers typically undertake comprehensive cyber insurance risk assessments to determine your eligibility, premium, and coverage limits for cyber insurance coverage. This underwriting process may range from filling out a simple questionnaire to a more detailed analysis spanning over several weeks by a cyber-security firm. The insurer may also conduct impromptu routine checkups and reassessments to determine your risk level at any given time. At a minimum, companies considering cyber insurance have to put the following safety measures in place:
- All company PCS must be protected with antivirus software that is regularly kept up to date
- Company networks and systems must be protected using a firewall and other accepted techniques
- Company data must be regularly backed up using a secure cloud service or external media
- User access rights and permissions must adhere to a secure provisioning process
User lifecycle management requirements
You may now need to keep a more stringent track of who has access to different files and resources to qualify for cyber insurance. This process is typically referred to as User Lifecycle Management and is designed to ensure only the right employees are granted access permission to systems and networks to complete specified tasks. Managing user access rights from one central platform and tracking their activities once inside the company network is a critical step in most industry-specific compliance requirements in Canada. ULM solutions replace various online identities with a single, safeguarded, authentic, and effectively managed credential for every user.
Tektonic Can Help Improve Your IT Security
Notably, taking additional steps to improve your IT security will not only reduce the risks of successful attacks but can also lower your insurance premiums. At Tektonic, our highly experienced IT security experts will suggest several improvements you can implement to make your entire IT infrastructure more secure and ensure you are complying with industry requirements. Our solutions enable you to quickly and efficiently track and implement changes in accordance with compliance standards to meet the changing cyber insurance requirements.
Specific IT security solutions that we provide include:
- Incident response plan: We will develop an incident response plan to guide you on the steps to take if your data or resources are compromised. An incident response plan can effectively mitigate the risks of being a victim of the latest cyber-attack.
- Awareness training: Your employees form the weakest link in the fight against cyberattacks. One of the efficient ways to protect against cyber-attacks and data breaches is to train employees on cyber-attack detection and prevention techniques. Our experts will offer effective security training to increase awareness amongst your employees.
- Updates of systems and networks: The risks of cyberattacks increase substantially when systems or software aren’t fully up to date. Such systems provide weaknesses that cybercriminals exploit to gain access to your network. We will integrate a patch management system to manage all software and system updates and keep your system resilient and up to date.
- Endpoint protection: Endpoint protection protects networks that are remotely bridged to devices. Mobile devices, laptops, and tablets that your remote employees use connect to your company network could provide access paths for a range of security threats. We will protect these paths with unique endpoint protection software to reduce your risk exposure.
- Install a firewall: Our experts can put your entire network behind a robust firewall protecting your IT infrastructure from any cyber-attack threat. Our firewall systems help block any brute force attacks made on your network and systems before they can do any damage.
- Data backup: We will also back up your data in cloud storage to prevent serious downtime, loss of data, and severe financial loss in the event of a disastrous cyber-attack on your systems.
It is no longer a matter of if but when a security breach will happen. With these increasing threats, Toronto companies are now seeing more detailed, stricter cyber liability insurance questionnaires. Some businesses who weren’t serious about their IT security now realize they can’t get insurance without making improvements and getting serious about their IT security management. If you need help to improve your IT infrastructure security and comply with the stringent insurance requirements, don’t hesitate to contact Tektonic. Our goal is to protect your entire IT infrastructure and reduce the risks of cyber-attacks so you can get the insurance your organization requires at affordable rates. Contact us today to learn more.