Cyber insurance for public sector retail operations

As a public sector entity, it’s important to ensure your cyber insurance policy covers what you need, and not more, keeping costs down and coverage realistic.

Although property insurance has been around for centuries, with policies that have been refined throughout that time, cyber insurance is a relatively new concept for many organizations. Yet, as cyber crime increases in frequency and sophistication, risk management in the public sector often falls behind in securing insurance policies to mitigate the threat – to assets and to stakeholders.

A simple click of the mouse could open your organization to a system breach that exposes personal, financial, and operational data to criminal elements. Cyber security measures can reduce the risk, but will your insurance cover losses incurred by a cyber attack? Does the policy address key exposure points, and is the coverage enough or too much? These are important considerations for any organization.

Connect with a trusted cyber security advisor to assess your exposure, identify risks and strategies to reduce them. If your organization has a cyber policy, consider an independent review to assess what your coverage does and does not cover, and how to best protect revenues and reputation.

The assessment process

An insurance review typically starts by securing a copy of the policy. The independent insurance advisor will review the policy against your business or organization and highlight any gaps or excesses.

For example, your policy might include coverage against the impact of an extortion or ransomware attack where cyber criminals hold your organization’s electronic data hostage until a ransom is paid. However, almost no government agency or department will transact with criminals, making such coverage superfluous for the public sector.

The team will discuss what your exposure is for revenue, hardware, and communications; in other words, what you stand to lose in the event of a cyber breach affecting operations. If your department has legacy hardware that is no longer available, does the policy allow for replacement with hardware of like kind and function instead of the exact models?

Privacy concerns and risks

We recently completed a review for a government-run cannabis retailer that wanted to, as many in the sector do, update their insurance in the face of increased cyber attacks. As the legal cannabis industry is relatively new and growing, with little historical information, insurance coverage can raise questions and concerns. An independent, experienced insurance advisor can support the sector, now and into the future, determining current needs and ensuring policies can grow with demand.

They will look at any existing policy and build a model based on assets, what risks apply, and what restrictions, if any, apply. The plan will be developed around the coverage required now and include projected growth to cover future needs.

In the case of retailers, losing personal client data in a cyber breach is a major area of concern. An insurance advisor could suggest expanding coverage in that area – however, as noted above, provincial and territorial governments restrict any payment. Coverage for ransomware should be removed entirely, making the policy realistically suited to the retailer’s needs.

It is also important to note state-sanctioned acts of cyber terrorism are not covered by any insurance policy.

How is coverage determined

Payments towards cyber business interruption insurance are based on a percentage; the percentage is calculated by taking the net income and continuing expenses of the business in a normal period and comparing it to gross revenues. The question becomes what sort of coverage do you need as the business’ income increases?

For the sake of round numbers, say your business’ income this year is $10 million, but in two years, you project an income of $50 million. The limits under your coverage today would still be in place in two years unless you’ve updated them. Your policy may have enough coverage for 10 days of revenues and downtime today, but only three days in the future. If you still want 10 days’ worth of coverage, you will need to update and increase your limits accordingly.

Stay updated

Understand what your situation is now but be prepared to change tactics quickly. For example, new legislation could impact an existing business model, increasing risk under an existing insurance policy. Having a model you can update allows you to plan for changes, and understand how revenue and policy changes could impact the business, before they happen.

Regular reviews are key to success. A comprehensive review of your insurance policy by an insurance advisor every two to three years will ensure current policies and status are incorporated, and that your organization is up to date in coverage.

A cyber breach can debilitate an organization or business; having the right cyber security insurance – one that addresses revenue, assets and other issues – can reduce the loss, and mitigate damage.

