Insights

Managing risk and reputation in the wake of new privacy legislation

Posted by
FHR
FleishmanHillard HighRoad

A recent report from Statistics Canada shows more than one in five Canadian businesses experienced a cybersecurity incident last year but most went unreported. That’s about to change as new federal privacy legislation takes effect November 1st that will require companies to notify affected parties when an incident poses “a real risk of significant harm to individuals.”

And not just any notice will do. Companies will be on the hook to provide customers, employees and vendors details such as a description of the circumstances surrounding the breach, the personal information involved, the steps the organization has taken to reduce the risk of harm that could result, and the list goes on.

With November fast approaching, I sat down with Terri Mason-Benjamin, AVP of Cyber and Professional Liability at CNA Insurance, to discuss how cyber insurance and effective communications can help organizations navigate this new territory in a way that minimizes risk and protects reputation.

1) Do you anticipate more interest in cyber insurance policies in the lead up to or shortly after mandatory breach notifications take effect on November 1st?

I definitely anticipate more interest but not necessarily a significant increase in take-up rates right away. There is still a general lack of understanding and many misconceptions around cyber insurance. So although many companies may be aware that mandatory notification is coming into play and what that means for their organization, they still may not make the connection to cyber insurance as a useful tool in managing privacy-related events.

2) Based on what you've seen, can effective communications impact the overall costs of a breach? What about costs to reputation?

Absolutely. Communicating quickly, effectively, and transparently with affected individuals following a breach can not only reduce the chances of a third-party claim arising later, but could also go a very long way toward minimizing reputational harm. Effective communication could also be looked upon favourably by regulators, and therefore may minimize any potential impact of a breach from a regulatory perspective.

3) Do you have a point-of-view about the value in companies preparing for a breach? Is there a role for communications here?

Breach preparation is a key factor which insurers consider when underwriting cyber insurance. In many breach situations time is of the essence when it comes to mitigating damages and minimizing costs to the affected organization. Having a comprehensive, well-communicated Incident Response Plan in place is of paramount importance, and certainly communications plays a significant role in incident response.

4) Are companies recognizing the value of cyber incident insurance? Have you seen any new trends over the past few years?

I think companies who’ve had a breach definitely see the value, but despite the widespread frequency with which these events are occurring, many companies still seem to doubt that such an event will happen to them. Additionally, the lack of understanding and misconceptions about what would and wouldn’t be covered by a cyber insurance policy also impact companies’ ability to see the value of this product.

5) What’s a common myth around cyber and insurance where companies would do well to know the facts?

There’s no such thing as outsourcing cyber exposure! Some companies that subcontract their IT needs and have indemnification provisions built into their contracts with those IT vendors believe that they have outsourced their cyber exposures. Although such third parties may be a source from which to recover later on, the primary company still has an obligation to protect personal and confidential information, and the company, not the outsource provider, will have to respond to any claims against them arising from such issues accordingly. Additionally, any business interruption loss the company may suffer due to a network outage may not be fully recoverable under such contracts. And it goes without saying that, in the court of public opinion, blaming a breach on a vendor will do little to regain the trust of customers and stakeholders.