Cybersecurity insurance growing in popularity after high-profile digital attacks. Does your organization need it?

In an autumn ransomware attack, hackers stole the social insurance numbers of Toronto Public Library staff.

Why It Matters

Cybersecurity attacks can be costly, prompting some to purchase add-on insurance. However, some experts say preventing a breach is more important than buying a new policy.

(Photo: a hacker attempting a cyberattack. Credit: Mika Baumeister / Unsplash)

For many executive directors, it’s a nightmare scenario.

In late October, ransomware attackers breached the Toronto Public Library’s systems, stealing the names, social insurance numbers and, likely, copies of government-issued identification documents of current and former staff — and demanded the organization pay up to get the data back. 

It’s been more than a month, and the organization behind Canada’s most extensive library system has not paid the ransom. Still, the incident has had other costs — cybersecurity experts to manage the breach, credit monitoring for staff whose data may soon be on the dark web, and staff time for dealing with the situation. 

“It has been a very challenging time, and we are deeply sorry for the concern it has caused,” the library said in a press release in late November. 

Faced with the threat of incidents like this, non-profits nationwide are increasingly joining their for-profit peers in purchasing cybersecurity insurance — typically, an add-on policy covering breach-related business downtime, cyber consultants, legal costs, and otherwise. 

In the past five years, the global cybersecurity insurance market tripled in volume, swelling to US$13 billion in premiums in 2022. With increasing phishing, malware and ransomware attacks, it’s expected to nearly double again by 2025, according to the Swiss Re Institute.

Following ransomware attacks, organizations are having to pay an average of $300,000 to recover stolen data, while the average loss incurred from business email compromise (BEC) is roughly $170,000, says Johan Hernandez, who leads the cybersecurity practice at NFP Canada, an insurance brokerage and consultancy.

“Because non-profits don’t have the same kinds of budgets as private organizations, this kind of event can be devastating for them,” he says. 

Faced with these potential costs, experts say cybersecurity insurance is a good idea for organizations that collect personally identifying information and financial details, like full names, social insurance numbers, credit card information or medical information. 

However, they stress that developing solid technological infrastructure and staff protocols to prevent attacks is even more critical than purchasing an additional policy. 

“By the time insurance steps in…your reputation with your funders, with your partners, with the folks you deliver services for, might have already been impaired,” said Erin Burbidge, vice president of policy with the Clean Foundation, a Nova Scotia-based environmental charity. 

Insurance: A security blanket, not a cure-all pill

Concerned about the potential impact of a breach, the Clean Foundation purchased add-on cybersecurity insurance at the suggestion of their broker about four years ago. 

While their digital systems were already robust, the insurance policy offered peace of mind for covering costs in an attack. It also came with built-in know-how: If their systems were hacked, they’d be provided with trained cyber experts to help mitigate the damage. 

The policy, sold by Boxx Insurance, costs about $6,000 annually — around six per cent of their total insurance spend. This has been well worth it, said Burbidge, as the impact of an attack on the organization would be significant. 

Clean Foundation has a staff of about 120 people, annual revenues of $30 million, and performs home energy audits in Halifax and New Glasgow. This program requires the collection of homeowner information and the processing of payments. 

The charity also manages the payroll for numerous interns who work with partner organizations, increasing the amount of financial information in their systems. 

Given this wealth of data, a breach would be devastating, she said. 

Still, if her organization had to choose between proactively securing their systems and purchasing insurance, she’d take the former. 

“The insurance is better than nothing,” but it’s not a cure-all pill, said Burbidge. Proactive security is the “first and best defence.” 

Photo of Alexandra Theroux from Impact Organizations of Nova Scotia
Last year, Alexandra Theroux’s organization, Impact Organizations of Nova Scotia (IONS), opted not to purchase cybersecurity insurance after undertaking a cybersecurity audit which showed the organization was already well protected. (Photo: James Arthur MacLean)

Start with an audit? 

Depending on the policy, cybersecurity insurance can cover several costs, such as data recovery, business interruption, and, in some cases, even public relations and crisis management after a cybersecurity incident, said Jason Shim, chief digital officer at the Canadian Centre for non-profit Digital Resilience. 

“In addition to looking for what is included in a policy, you should also make sure you’re reading the fine print for what the exclusions are,” he said. 

Co-operators, for example, offers two types of cyber insurance. The first, Cyber Guard, covers unexpected expenses associated with the loss of confidential data, as well as lost income from business interruption due to a breach. The second, Cyber Guard Select, is an enhanced policy. 

With the latter, non-profits are covered for privacy breach expenses, business interruption, third-party lawsuits resulting from cyber incidents, and privacy regulatory liability. They can also select from nine optional add-ons, such as crisis management or claims related to inaccurate or plagiarized information. 

For organizations considering an add-on cybersecurity policy, Alexandra Theroux, operations manager for Impact Organizations of Nova Scotia (IONS), suggests beginning with a digital security audit. 

Last year, her organization took this approach, working with Carbide, an east-coast cybersecurity company, to review their systems for any weaknesses and explore ways to shore them up, such as installing two-factor authentication or training staff to avoid being duped by phishing scams.

Ultimately, they decided not to proceed with cybersecurity insurance because they were already protected for the sensitivity of the data they collected. 

In their work to support local non-profit organizations, IONS collects only constituents’ names, emails, and phone numbers. All of this information is then stored on cloud-based storage systems, like Mailchimp and Eventbrite, she said.  

Additionally, IONS does not collect much financial information, and the information they do have could not be used to commit fraud. 

“Even if someone were to breach our files, they wouldn’t get anything that would put any individual that’s interacted with us at any kind of risk,” she said. 

Based on this experience, Theroux encourages all organizations to increase their cybersecurity awareness, but said small organizations should exercise caution before barrelling ahead with a new policy. 

Non-profits have very tight budgets, and purchasing coverage they don’t need could mean reducing investments in programs or staff, she said. 

Steps to take before approaching insurance brokers

Yet, if your organization doesn’t opt for new coverage, investment in cybercrime prevention could still be worth your time. 

Increasingly, to receive coverage, non-profits must show insurance providers they meet minimum digital security requirements, such as multi-factor authentication or phishing training for staff, said Shim.

These requirements could include employee training programs and simulations, vulnerability scans to check for security weaknesses, penetration tests or “ethical hacking,” and hiring cybersecurity consultants to audit IT systems, build firewalls, and ensure that systems meet regulatory compliance, said Doug Foley, senior manager of commercial insurance at Co-operators. 

“Pricing for an insurance policy – whether general or cybersecurity specific – is based on a risk assessment that involves criteria that may differ by provider and coverage type,” he added. 

At NFP, Hernandez and his team determine the price of a policy on a number of different factors, including an organization’s revenue and operating budget, the type of industry they operate in, the number of employees they have, the type and quantity of data they collect, and existing cybersecurity protocols that the organization has in place. 

There are five security pillars that the cyber insurance team considers when developing policies for organizations: multi-factor authentication; backups that are both offsite and tested regularly; an incident response plan that details the role of each employee in the event of a cyberattack; internal training programs; and existing investments in anti-virus software and security patching. 

Post-attack improvements

Since their ransomware attack, the Toronto Public Library has improved its network security, and more fixes are on the horizon. 

“It will take us time to analyze data to determine who is affected and how,” they said. 

“[But] when the investigation is complete, we will respond to findings in a manner that better protects us from the very significant data privacy and cybersecurity risks faced by public institutions today.”


  • Gabe Oatley

    Gabe Oatley is Future of Good’s reporter on transforming funding models. He’s a graduate of Toronto Metropolitan University’s Masters of Journalism and his work has been published by the CBC, the National Observer, and The Nation. You can reach Gabe at gabe@futureofgood.co.