Guest commentary: Computing cyber insurance
By Rehana Moosa, President, RMFA
It is common knowledge that cyber attacks are happening more frequently and with dire financial consequences. Having the right cyber insurance policy can help businesses recover quickly from a cyber attack, from an operational and financial perspective.
There are several factors unique to the construction industry that should be taken into consideration when purchasing or renewing a cyber insurance policy.
- Construction projects can take several years to complete. However, many cyber insurance policies will cover losses for only short periods of time, usually ranging from 30 days to 12 months, depending on the policy. For construction companies that earn revenues through long-term contracts or projects, if a contract or project is cancelled or lost due to a cyber attack, a portion of the lost income may not be covered by cyber insurance.
- After a cyber attack, in an effort to cut costs, some businesses lay off employees temporarily until operations return to normal, or they recover financially. Many employees in the construction industry are unionized, making it difficult to decrease labour costs by enforcing layoffs. In these cases, it can be helpful to purchase a cyber insurance policy that includes coverage for continuing costs such as payroll.
- Many construction companies generate revenues by submitting bids for new projects. The opportunity to submit bids may be lost due to a cyber attack if emails are inaccessible, and notifications about open bids are not received, or if data required to prepare a bid is lost or irretrievable. If an insurance claim is filed, it is important to keep copies of all bids that were lost because of the cyber attack. This information can be used to substantiate a claim for lost income.
Questions to ask an insurer or broker
Before purchasing a cyber insurance policy or when reviewing your current one, questions you can review with your insurance company or broker include:
- What criteria must be met for coverage to apply?
- How are business interruption losses (losses of income) calculated under the policy?
- What does the policy cover with respect to extra expenses such as employee overtime?
- What criteria must be met for the extra expenses to be covered?
- Does the insurance company have a panel of experts that insured can be referred to following a cyber attack (e.g., computer forensics experts, lawyers, etc.)?
- How long are losses covered, from the date of the cyber attack?
- What types of losses and costs are not covered?
How much coverage do you need?
An insurance broker can help determine the appropriate amount of cyber insurance for your business’ specific operations. There are also publicly available sources of information that can provide guidance.
Many insurance companies and cybersecurity firms track data on actual cyber insurance claims that have been filed in recent years. Data is tracked based on different parameters such as geographic location, industry, and annual revenues. This data can be used to understand the amount and types of losses claimed by businesses comparable to yours, which can guide policy selections.
Rehana Moosa, CPA, CA, DIFA, CFE, CFF is President of RMFA, a forensic-accounting firm based in Toronto.