Public policy papers Cyber-Incident Risk in Canada and the Role of Insurance Paul Kovacs, Executive Director, Institute for Catastrophic Loss Reduction & Adjunct Research Professor, Economics, The University of Western Ontario Melissa Markham Co-ordinator, Urban Issues, Institute for Catastrophic Loss Reduction Robert Sweeting Manager, Research,
Institute for Catastrophic Loss Reduction April 2004 ICLR Research Paper Series - No. 38
In 2003, the Institute for Catastrophic Loss Reduction began a study to research the insurance industry and its role in cyber risk transfer and loss prevention. The work was carried out in two Phases:
• Phase I — Case Study Review. A literature review and data collection exercise was undertaken to examine cyber-incident risk in Canada and to describe the insurance environment of, and coverage for, these threats. • Phase II — Consultation with Industry Stakeholders. A cross-section of insurance and reinsurance companies, and e business solution providers were selected for consultation and a series of one-on-one interviews were concluded with senior officials from these firms.
This Final Report brings together the salient features of the Phase I and Phase II work in a single document. In broad terms, this Final Report: • defines, details, and estimates cyber-incident risk costs and losses in Canada; • discusses business vulnerability to cyber-incident risk and provides references to the global experience with the cyber incident threat; • examines the role of the insurance industry (including basic principles of insurance in providing standard policy coverage) in providing protection against cyber-incident risk; and • discusses risk mitigation techniques to reduce the risk of cyber-incident events.
The paper describes the costs and vulnerabilities associated with cyber-incident risk and the ability of insurance to provide coverage for these risks.