Cyber Risk Insurance
CRA-5.8.28
A licensee, based on the assessment of cyber security risk exposure and with an objective to mitigate cyber security risk, must evaluate and consider the option of availing cyber risk insurance. The evaluation process to determine suitability of cyber risk insurance as a risk mitigant must be undertaken on a yearly basis and be documented by the licensee.
Added: January 2020
CRA-5.8.29
The cyber risk insurance policy, referred to in Paragraph CRA-5.8.28, may include some or all of the following types of coverage, depending on the risk assessment outcomes:
(a) Crisis management expenses, such as costs of notifying affected parties, costs of forensic investigation, costs incurred to determine the existence or cause of a breach, regulatory compliance costs, costs of analysing the licensee’s legal response obligations;
(a) Claim expenses such as costs of defending lawsuits, judgments and settlements, and costs of responding to regulatory investigations;
(b) Coverage for a variety of torts, including invasion of privacy or copyright infringement; and
(c) Coverages relating to loss of revenue due to interruption of data systems resulting from a cyber or denial of service attack and other costs associated with the loss of data collected by the licensee.
Amended: April 2023
Added: January 2020