LEXPERT MAGAZINE | SEPTEMBER 2017 | IN-HOUSE ADVISOR: CYBERSECURITY
easier for insurers to determine. "I would say we have enough data on a typical privacy breach [from] thousands of breaches and hundreds of millions of records being compromised in the US." As for deductibles, "retention [the industry term for deductibles] for small firms can be as low as $1,000," he says. "For large firms, it may make sense to take retention of $5 million to $10 million."
Before a company or organization begins to explore purchasing cyber insurance (an umbrella term the industry uses to encompass all aspects of this type of insurance, including ransomware), it needs to determine whether it requires this coverage and, if so, what items on the "buffet," as Eskins calls it, are available.
Vanessa Coiteux, a partner in the Montréal office of Stikeman Elliott LLP, says that there's growing interest in this form of coverage. "In the last two years, more and more companies are asking us about the process. They're asking about premiums and making assessments about how they're covered in their current insurance policies, what they need to cover and their risk profile."
The buffet of options to consider can be extensive, including coverage for business interruption, and the costs related to data loss and restoration, forensic investigations and extortion demands, as seen in ransomware attacks. What, if any, coverage to buy can be difficult to assess.
"Among the questions clients raise with us as lawyers is what sort of scope of coverage they need and what limits they need," says Nishisato. "Is it enough to have $5, $10 or $50 million in coverage? That's hard to answer because it really depends. [However], these attacks are becoming larger in scale and are compromising more and more sensitive information."
Major data breaches, such as the one experienced by Target Corp. over the 2013 holiday season, resulted in staggering losses. Although the cost has been estimated at US$300 million, of which one-third was covered by insurance, "several industry analysts forecast that Target's breach-related losses will reach $1 billion," the New York law firm Patterson Belknap Webb & Tyler LLP wrote in its blog. "After disclosure of the breach in early 2014, Target's profit was cut in half — down 46 percent over the same period the year before."
While the relatively paltry demands made by the WannaCry and Petya hackers might make some organizations wonder if ransomware insurance (which is a separate policy) is required — "If you can pay $300 to get your information back, that's cheaper than calling a lawyer to ask them if you should pay," says Dolan — another perspective can be seen in the case of the South Korean web hosting company Nayana.
In late June 2017, it was reported that Nayana paid hackers US$1 million in bitcoin to recover the data of approximately 3,400 customers. In the wake of that payment, several other South Korean companies became targets of Distributed Denial of Service (DDoS) attacks, in which the victimized company is flooded, and rendered inoperative, by incoming traffic from thousands of compromised computers
CHARLENE RIPLEY > GOLDCORP INC.
We had an attacker who basically sent us four extortion emails, each from a valid internal Goldcorp email. We think [the hacker] first attacked and infected our systems in 2015 and hung out and waited, which is typical, for an opportune time to attack.