Swiss Re: Cyber insurance market escalating rapidly

Swiss Re: Cyber insurance market escalating rapidly

Swiss Re:

  • The potential costs of cyber-attacks are escalating rapidly; cyber security and resilience are a growing concern for firms
  • A dedicated cyber insurance market is developing fast, but the scale of cover is still relatively modest
  • Product & process innovations, and Big Data and smart analytics, will help foster improved cyber insurance solutions
  • Governments can play an important role in boosting cyber resilience
  • This is the first report published by the Swiss Re Institute, which officially launches today

Cyber risk is a growing concern for businesses, with recent attacks demonstrating that the costs of a cyber breach can escalate well beyond managing the fallout of lost or corrupted data. Swiss Re’s latest sigma report “Cyber: getting to grips with a complex risk”, says businesses need to do much more to integrate cyber security into their risk management programmes. Initiatives to boost cyber resilience are underway. A dedicated cyber insurance market is developing rapidly, but so far the scope of cover is modest relative to potential exposure. Product and process innovation and also advanced analytics will help foster improved cyber insurance solutions and extend both the boundaries of insurability and reach of cover. Ultimately, some cyber risks, especially those related to extreme catastrophic loss events, may be uninsurable. For such risks, there may be a case for a government-sponsored back-stop.

In its Sigma report titled “Cyber: Getting to grips with a complex risk,” Swiss Re said, “the costs of a cyber breach can escalate well beyond managing the fallout of lost or corrupted data.”

Recent high-profile cyber-attacks increasingly demonstrate that the costs of a cyber security breach extend beyond managing the fallout of lost or corrupted data. Firms must now factor in the potential damage to their reputation, physical and intellectual property, and also disruption to business operations. The increasing scope and magnitude of potential costs associated with cyber-incidents reflect the ever-evolving cyber risk landscape, which in turn is being shaped by three main dynamics:

– the growing speed and scope of digital transformation;

– the widening sources of vulnerability from hyper-connectivity, with the rapid spread of, for example, internet-enabled devices and cloud computing;

– and the growing sophistication of hackers alert to the potential economic gains from successful cyber-attacks.

Despite increased awareness of the dangers, firms are generally ill-prepared to cope with cyber risks. Relatively few firms have integrated cyber security into their mainstream risk management. Regulation could be a catalyst for change with legislation coming into force in many jurisdictions requiring firms to build enhanced data protection safeguards. As a result, “firms – large and small – need to invest more in cyber security architecture to develop robust pre-and post-loss risk management capabilities,” says Swiss Re Chief Economist Kurt Karl.

While a dedicated cyber insurance market was developing rapidly, the scope of its cover was modest relative to potential exposure, it pointed out.

“Product and process innovation and also advanced analytics will help foster improved cyber insurance solutions and extend both the boundaries of insurability and reach of cover.”

Nevertheless, some cyber risks, especially related to extreme catastrophic loss events, might be uninsurable, Swiss Re said.

Given this, the reinsurer argued for a government-sponsored backstop similar to the state support for protection against catastrophic terrorism risks.

“More broadly, governments have an important role in promoting cyber resilience, including measures to improve cyber information capture and diffusion, and setting laws and regulations about how cyberspace is used and protected. By reshaping incentives and increasing awareness of cyber threats, governments can further nudge the private sector into developing improved market-led solutions,” the report said.

The sigma report is e published under the “Swiss Re Institute” banner. The Swiss Re Institute was formally launched on Wednesday with an intention to provide high-quality research and outreach capabilities under one-roof.

Thinking of your target’s acquisition: is your cybersecurity risk assessment sufficient?

In 2015, we have seen several important cybersecurity breaches in the industry. Some of them have been extensively mediatized while others remained less known by the general public. Recently, the online dating website Ashley Madison was hacked and the identity of millions of users revealed all around the world. Even more recently, we learned that over 500 million users’ Yahoo accounts had been hacked in 2014 and this news came out shortly after the acquisition of Yahoo by telecom giant Verizon. Can these attacks jeopardize your upcoming transaction? They absolutely can. As a matter of fact, Verizon asked for a $1 billion discount off its initial offer of $4.8 billion to acquire Yahoo and just recently said that it has a reasonable basis to believe that the massive data breach of email accounts represents a material impact that could allow Verizon to withdraw from the deal. The burden seems to now be on Yahoo to demonstrate the full impact of the breach.

These attacks raise an important question: are companies aware of the importance of conducting thorough cybersecurity due diligence in their M&A transactions? Here are a few tips that could be helpful when it comes to assessing the cybersecurity risk of a targeted company:

  1. Do not wait until the end of your due diligence. Start assessing the risk at the earliest stage of the due diligence process. It is important to ask the target what its most important and useful IT systems are and the most common risk associated with them. Are they covered by complete and extensive IT policies? Are they regularly updated and evaluated by IT experts? Those are examples of questions that need to be asked while conducting your IT due diligence.
  2. Know exactly the most important systems that need to be considered. Since due diligence in cybersecurity can be very expensive for the buyer, it is important to identify what systems or technologies are most at risk of being subject to a cyber-attack. By tailoring your risk assessment, you are controlling the cost while making sure to investigate the proper systems with a higher risk of being hacked that will endanger the success of your transaction.
  3. Do not engage in any cybersecurity risk assessment if your company does not have internal IT experts or extensive knowledge in this area. It is no easy task when it comes to estimate the cost of a potential cybersecurity problem within the target’s systems. Not only is it important to discover such problems but it is also very important to be able to evaluate how such problem could negatively impact the transaction and what the best way to fix those problems is, before engaging in further discussions or negotiations. If your company does not have the internal team to proceed with the cybersecurity due diligence, you should consider retaining the services of external IT specialists.
  4. Consider the importance of obtaining cyber insurance. Since cyber-attacks can be highly expensive for a company, the importance of cyber insurance (not only in the specific context of an M&A transaction) is rising for many companies throughout the market. According to an IBM survey conducted in 2016, the average cost of a data breach reached $6.03 million this year, which represents a 12.5% increase compared to 2015. The software-maker McAfee estimated that the total cost of cybercrime in the global economy can reach up to US$575 billion per year. The costs are high and most of the time very difficult to estimate so that is why companies should consider having cyber insurance in order to protect themselves from such costs and uncertainty. Cyber insurance policies can cover a wide range of risks from network security liability to regulatory defense and penalties and network extortion.

For more, please see our previous posts on how to manage cyber security risks during the negotiation and due diligence stages of an M&A transaction and the ways regulatory bodies have begun managing these risks.


Norton Rose Fulbright’s lawyers in Canada cover the full range of areas involved in deal-making. Our Deal Law Wire blog is about sharing our insights with you. From corporate law to cross-border, antitrust/competition, intellectual property, employment and labour and pension matters and more, our lawyers offer a Canadian and truly global perspective that few practices in the world can rival.

Canada: Cyberbullying And The Implications For Insurers

Canada: Cyberbullying And The Implications For Insurers

Article by Michael Blinick and Leona Kung (Student-at-Law)

There can be no doubt that cyberbullying is a new and disturbing development that significantly impacts society these days. In a 2009 General Social Survey, Statistics Canada reported that 7% of adult internet users were cyberbullied.1 It has resulted in various high profile suicides involving teens and has contributed to some of the most horrific events of recent years. 2 A troubling variation of the commonly understood scope of cyberbullying is the sharing online of private and highly intimate videos of a sexual nature that were never intended to be shared publicly, colloquially referred to as ‘revenge porn’. Not surprisingly, this new form of bullying raises new societal issues, including new potential exposure for insurers.

Doe 464533 v. N.D3 and the new tort of Public Disclosure of Private Facts

On January 21, 2016, the Ontario Superior Court released the decision in Doe 464533 v. N.D. representing the first Canadian decision recognizing the new cause of action of “public disclosure of private facts”, an invasion of privacy tort.

In this case, the defendant posted an intimate video of the plaintiff on a pornographic website without her knowledge or consent. The plaintiff had sent the video to the defendant, who was her on-again-off-again boyfriend, on the understanding that it was private. When confronted by the plaintiff, the defendant admitted to posting the video and subsequently removed it from the website. Despite the removal, the plaintiff claimed to have suffered mental injuries as a result of the defendant’s actions and sought compensation for same.

Justice Stinson found that the defendant’s actions caused significant psychological and emotional harm to the plaintiff and awarded her compensatory general damages, aggravated damages and punitive damages totaling $100,000. 4 Although the video was removed, Justice Stinson recognized that there was no way to know how many times it was viewed or downloaded or copied elsewhere. In making his decision, Justice Stinson recognized the current role of technology in perpetuating the invasion of privacy.

The Honourable Justice Stinson cited American legal scholar William L. Prosser, who described the tort of public disclosure of private facts in his article “Privacy”. 5 Justice Stinson essentially adopted the elements of the cause of action enumerated by Professor Prosser, namely: 1) the disclosure of the private facts must be a public disclosure, not a private one; 2) the facts disclosed to be public must be private facts and not public ones; and 3) the matter publicized or the act of the publication would be a) highly offensive to a reasonable person, and b) is not of legitimate concern to the public. 6

Potential Impact of Decision for Insurer’s

With this decision, the court took a step towards responding to the increased awareness regarding the rise of social media and cyberbullying. At the same time, the recognition of this new privacy tort as a cause of action impacts certain insurers and gives rise to a new potential area of exposure. As demonstrated, victims of cyberbullying may now file civil actions against the perpetrator alleging the public disclosure of private facts where private facts, videos, pictures or other private information are shared. If the perpetrator is a child or dependent, then the plaintiff may also commence a claim against the parents of the cyberbully for negligent supervision when there is a failure to control their child or dependent and fails to prevent the harm caused by the child or dependent. Such a negligence claim against the parents has been held to be a distinct claim from the intentional tort claim against the child7 and not derivative from the child’s intentional acts in certain circumstances. 8

If the parents are named in the action, then their homeowners or tenant insurance policy insurer may have to respond. As a homeowner’s insurance policies generally includes both property coverages and liability coverages, including personal liability coverage for the insured’s personal activities worldwide, insurers could have a separate duty to defend. 9 As the duty to defend is triggered by the true nature of claims alleged in the pleadings, 10 it is not relevant, at the initial stage of the inquiry, whether the parents will be proven to be negligent.

It is true that the personal liability coverage from a homeowners’ policy may very likely contain an exclusion clause against providing coverage for an insured’s intentional or criminal acts, thereby excluding coverage for the child’s intentional cyberbullying, or cyber public disclosure of private acts. However, the exclusion clause may not necessarily exclude coverage for claims of negligence or claims of failure to act or supervise, as against the parents.

For example, in Durham District, a negligence claim was advanced against the parents for failing to properly supervise and discipline their son, who had set fire to the contents of his high school’s plastic recycling bin. In this case, the Ontario Court of Appeal interpreted the exclusionary clause in the homeowner’s insurance policy narrowly and construed the ambiguity against the insurer-drafter to hold that negligence claims were not excluded by the clause. Therefore, the insurer had a duty to defend the parents against the negligent supervision claim against them, while the claim against the child’s intentional act was excluded from coverage.

This contrasts with the decision in Unifund Assurance Co. v. E.(D.),11 a recent decision from the Court of Appeal that involved a negligence claim against the parents of a minor for their failure to investigate and take reasonable care to prevent the bullying that their daughter participated in against another minor at their school. As the parents’ homeowner’s policy specifically and unambiguously excluded the “failure of any person insured to take steps to prevent… psychological or emotional abuse” 12, the Court of Appeal held that the negligent supervision claim against the parents was separately and specifically excluded from coverage.

Therefore, absent a specific exclusion clause, a homeowner’s insurance policy may have to respond to negligent supervision claims against the parents where there is a cause of action against their child for the public disclosure of private acts. In Doe 464533, had the plaintiff instituted proceedings against the defendant’s parents for their failure to exercise reasonable supervision at the time of the posting of the video, then their homeowner’s policy insurer may very well have had to defend the parents’ claims even if the child’s intentional acts were excluded from coverage. In light of this, it may be prudent for insurers to reexamine the exclusions clauses in their homeowner’s policy to address the potential for these claims against the parents given the realities of the world that we currently live in and the potential for an increase in the number of claims that insurers could be asked to respond to.


1.Perreault, S, Statistics Canada, Self-reported Internet Victimization in Canada, 2009, (15 September 15, 2011) online:

2.See e.g. CBC News, “B.C. girl’s suicide foreshadowed by video”, (11 October 2012) online: CBC News ; and “Cyber-bullying-linked suicides rising, study says”, (20 October 2012) online: CBC News.

3.Doe 464533 v. N.D, 2016 ONSC 541.

4.Note that this was the amount claimed by the Plaintiff.

5.William L. Prosser, “Privacy”, 48 Cal. L. Rev. (1960).

6.For further details on the decision, see previous McCague Borlack article “New Privacy Tort Recognized in Ontario: Jane Doe 464533 v. X” published in February 2016

7.Durham District School Board v Grodesky, 2012 ONCA 270 at para 14; and Godonoaga (Litigation Guardian of) v Khatambakhsh (Guardian of) (2000), 49 OR (3d) 22 (Ont. C.A.) at para 20.

8.See Durham District, supra note 5.

9.See Godonoaga, supra note 4.

10. Non-Marine Underwriters, Lloyd’s of London v Scalera, [2000] 1 SCR 551.

11. 2015 ONCA 423.

12. Ibid. at para 24.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Cyberbullying Insurance Now Available to Chubb’s Canadian Homeowners Customers

Cyberbullying Insurance Now Available to Chubb’s Canadian Homeowners Customers

Press Release:

Chubb has added cyberbullying coverage to its Canadian Masterpiece® Family ProtectionSM policy to help cover clients and their families from the expenses associated with a cyberbullying incident.

“Technology is an integral part of our daily lives. It connects us and facilitates communication,” said Paul Johnstone, Senior Vice President, Chubb Personal Risk Services Canada. “But technology can also be a gateway to risk. Cyberbullying, including online threats and harassment, can create reputational damage and cause financial loss and emotional harm. Chubb’s new cyberbullying coverage can help protect the people who are most important to you.”

Cyberbullying coverage provides up to $60,000 in compensation to clients and family members for expenses related to harassment and intimidation committed via personal computers, telephones or mobile devices. Clients may recover costs incurred when cyberbullying results in wrongful termination, false arrest, wrongful discipline in an educational institution, or diagnosed debilitating shock, mental anguish or mental injury leading to the inability of the client or a family member to attend school or work for more than a week. The coverage provides compensation for psychiatric services, rest and recuperation expenses, lost salary, temporary relocation services, education expenses, professional public relations services, and cyber security consultants.

Cyberbullying coverage is available to all Canadian Masterpiece® homeowners customers who purchase a Family Protection policy. Chubb’s Masterpiece® Family ProtectionSM policy includes an array of coverages to help families recover and protect themselves from perils including stalking threats, carjacking, home invasion, air rage, hijacking and child abduction.

Coverage is subject to the language of the policies as issued.

About Chubb

Chubb is the world’s largest publicly traded property and casualty insurance company. With operations in 54 countries, Chubb provides commercial and personal property and casualty insurance, personal accident and supplemental health insurance, reinsurance and life insurance to a diverse group of clients. The company is distinguished by its extensive product and service offerings, broad distribution capabilities, exceptional financial strength, underwriting excellence, superior claims handling expertise and local operations globally. Parent company Chubb Limited is listed on the New York Stock Exchange (NYSE: CB) and is a component of the S&P 500 index. Chubb maintains executive offices in Zurich, New York, London and other locations, and employs approximately 31,000 people worldwide. Additional information can be found at:


Cyber insurance business booming alongside hacks, but are the risks covered?

Barbara Shecter | Financial Post

That basic yet key ingredient is all but missing in the growing business of cyber insurance, in which business is booming as the list of hacking incidents from Target to Ashley Madison grows. Add to the mix the ever-changing nature of hacks and different levels of security sophistication among companies, and the challenges mount alongside the opportunities.

“There are many unknowns,” said Nick Galletto, cyber risk services leader for the Americas at Deloitte.

Hacks such as the one that hit adultery website Ashley Madison can give an idea of the cost of the fallout of such an event. But that doesn’t come close to providing the depth of data insurers use to create and measure the underwriting standards when they sell protection against house fires, break-ins and car accidents.

Paul Schiavone, regional head of financial lines in North America at the corporate and specialty division of Allianz Group, said the global insurer is writing cyber insurance policies and is excited about the new line of business.

But he acknowledges the relative lack of data makes it difficult to know if the policies are properly calibrated to the risk when it comes to cyber insurance. “It’s difficult for the insurance industry to even price it,” Schiavone said in an interview.

Still, despite the unknowns, companies including his are anxious to be in the game.

“It’s exciting — that doesn’t happen often in insurance,” Schiavone said.

Terri Mason, who heads up Allianz’s professional indemnity and cyber risk business in Canada, said all insurance underwriting is a blend of science, based on actuarial experience, and art, based on assessing less tangible risk-worthiness. But in cyber insurance, it’s “a little bit more of an art at this point because it is so new and we don’t have that historical data that we do in other types of insurance coverage,” she said.

As a result, insurers will generally charge higher deductibles than they would be for other forms of corporate insurance, so the insurer to offset the risk something unanticipated is lurking.

“I think the cyber market will … look quite different in five or 10 years,” she said, comparing it to the early days of widespread insurance for corporate directors and officers insurance, which gained popularity a couple of decades ago. “Right now we’re all still sort of finding our way and learning as we go.”

Cyber insurance dates back to “Y2K” when it was believed the turn of the century might wreak havoc on computer systems and data storage around the world. But those who track the industry said it has grown substantially in the past couple of years along with the list of corporate and government hacks siphoning off private information to disrupt business or extract financial gain.

For now, many insurance policies primarily cover the costs of business interruption, data destruction, and extortion in cases where malware known as “ransomware” freezes workers out of their own company’s systems unless the company pays the hacker.

But coverage is expanding, with some policies now including extra protection for events such as a regulatory claim stemming from data loss or a breach of standards, according to a recent report from Allianz.

Insurers may also cover breaches related to technology belonging to a third party, but this is limited because of the potential accumulation of risk borne by the insurer, and it would only be offered after a detailed risk analysis, often conducted by a third party, the report said.

Deloitte’s Galletto said headline-making breaches at such companies as Sony, Home Depot, and JP Morgan Chase are masking a more serious and potentially more costly form of cyber attack that is just coming to light, bringing with it greater challenges for both companies and their insurers.

Known in the industry as advanced persistent threats, or APTs, these insidious breaches actually dwarf the headline-makers, Galletto said.

“Most organizations are completely unaware that APTs are present in their environments and potentially siphoning their critical data,” he said. He described the tactics as “low and slow” and therefore difficult to detect using traditional methods.

In one case, he said, a company was outbid in the late stages of a planned acquisition because an APT hack had slowly siphoned off key information to a competitor, undetected.

“The crisis management response required to investigate, contain, eradicate, and recover from an APT is significantly greater than a disruption of service or loss of equipment,” said Galletto.

“This makes it difficult for organizations and insurance companies to know how to plan ahead and how to cover costs that they could never predict.”

Companies turn to cyber insurance after Ashley Madison and other high profile hacks

In the wake of the Ashley Madison hack and other high-profile data breaches, Canadian companies are turning to so-called cyber insurance to protect themselves from the fallout of data leaks.

In July, adultery website Ashley Madison made headlines after hackers broke in to the company’s network and leaked customers’ personal information, including their messages to other members and sensitive financial data.

The ensuing class-action lawsuit – and founder and CEO Noel Biderman’s decision to step down in late August – were the latest in a series of incidents that experts say represent a wake-up call for executives about the real-world consequences of digital vulnerabilities.

Duncan Stewart, director of technology research at Deloitte, said the past year has seen a surge in awareness about cyberattacks, and companies are turning to insurers to prepare for what seems an inevitability in an increasingly interconnected world.

“The number of attacks are rising, the severity is rising, and when they come, they’re more difficult to deal with,” he said.

There is no legal requirement for companies to report a hack in Canada, making the true number difficult to determine, but security company Websense said in August 2014 that 36 per cent of Canadian businesses had observed a breach in their IT security last 12 months.

In a KPMG survey of Canadian property insurance executives, data security even beat out unexpected catastrophic events as the third-biggest risk facing Canadian companies in 2015 after regulatory burdens and low interest rates.

Stewart compared significant breaches like the Ashley Madison hack to automobile collisions that result in a total write-off, yet he said companies also require coverage for the small attacks and fender-benders of cybersecurity that happen far more often.

Insurance against cyberattacks is now just a part of the cost of doing business, he said.

“You wouldn’t have a factory and not have fire insurance, so why would you think about not having cyber insurance?”

Technology analyst Carmi Levy said in an email that insurance providers are stepping in to meet the needs of companies as they find themselves handling more and more data on behalf of their clients and suppliers.

“In the process, they are increasingly liable for what happens when hackers manage to break in and snag some of that data,” he said.

Insurance expert Paul Kovacs, president and CEO of the industry-funded oversight body PACICC, said insurance companies are expanding their offerings to provide more than just compensation and protection from liability in the event of a cyberattack.

“When this happens, you are going to need professional help with communications, with forensic investigation, with restoring your systems and putting the protections back in,” he said.

Kovacs pointed to the example of Sovereign General, part of the Co-Operators Group, which offers coverage for privacy breaches, business interruptions, extortion, and data recovery stemming from a cyberattack, as well as crisis management services.

He said companies and organizations used to dealing in sensitive information, such as hospitals and financial institutions, were among the first to become targets and have developed comprehensive cybersecurity policies.

Yet what used to be a concern just for the obvious targets is now a business risk for almost everyone, he said, and it’s not just customer data that’s at risk.

In July, security company Symantec issued a report detailing the “Butterfly” hacking group that it said is responsible for at least 40 attacks since 2012 meant to steal trade secrets and industrial data in order to sell it to the highest bidder.

Kovacs said industrial espionage is spreading out from the large companies that have long been in the crosshairs as hackers become more sophisticated.

“Now, they’re still going after the big companies but they’re going after the mid-size companies and even some relatively small companies,” he said. “The threat is spreading.”


Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from ILSTV

You have Successfully Subscribed!

Pin It on Pinterest