This article is part of our 2025 Privacy Breach Insights series, designed to help companies navigate the evolving privacy breach landscape. As privacy threats grow more sophisticated and regulatory scrutiny increases, companies face greater legal, financial, and operational risks. To stay ahead of these challenges, each part of this series provides actionable insights on privacy breach preparedness, compliance obligations, and risk mitigation.
The increased volume of cyber and privacy threats to Canadian companies has amplified the importance and use of cyber insurance to mitigate risk. An improved understanding of cyber and privacy risk in the insurance industry has led to better underwriting standards, progressively refined policy wordings, and a variable menu of applicable coverages. Insurers are raising additional capital to meet potentially larger underwriting demands in line with the growing sector. In turn, cyber insurance is becoming a more mature market offering, with coverage becoming more expensive.
Understanding what coverage options are available to you, which are most relevant to your particular business, and what types of damages are not covered is critical. For example, first-party cyber liability insurance provides coverage for damages incurred directly by the company, such as lost income from business interruption, payment of ransomware demands on behalf of policyholders, retrieval of stolen funds, and notifying affected customers and paying for their credit monitoring. In contrast, third-party coverage can help cover legal fees or damages arising from third-party claims (such as class action lawsuits). Companies should think carefully about the impact that privacy breaches ("breaches") may have on their ability to continue operating during a critical event, and about whether they may instead be exposed only to damages (for example, through data extortion).
A study of the Canadian cyber insurance industry by Telus found that the top reasons that payouts fell short of expectations were because:
- a policy did not cover all elements of the incident;
- the insurers' assessment of recovery costs misaligned with the company's expectations; and
- the company was found to be non-compliant with policy requirements.[1]
To qualify for a policy, a quarter of companies had to implement or expand internal security processes and/or improve internal controls. Examples of such processes include deploying multi-factor authentication and appropriate anti-virus software, performing regular data back-ups, conducting privacy impact or system vulnerability assessments, implementing appropriate incident response and disaster recovery plans, and ensuring compliance with any additional industry-specific standards. As such, ensuring compliance with data privacy and cybersecurity best practices will not only reduce the likelihood and impact of a breach (and therefore the need to file a claim); such steps may also be a prerequisite to qualify for certain cyber insurance policies.
Footnote
[1] Telus Business, The Telus Canadian Cyber Insurance Study, 2024.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.