Cyber security and online shopping icons over top of a man using a laptop

Cyber insurance for public sector retail operations

Cyber insurance for public sector retail operations

5 Minute Read

As a public sector entity, it’s important to ensure your cyber insurance policy covers what you need, and not more, keeping costs down and coverage realistic.

Although property insurance has been around for centuries, with policies that have been refined throughout that time, cyber insurance is a relatively new concept for many organizations. Yet, as cyber crime increases in frequency and sophistication, risk management in the public sector often falls behind in securing insurance policies to mitigate the threat – to assets and to stakeholders.

A simple click of the mouse could open your organization to a system breach that exposes personal, financial, and operational data to criminal elements. Cyber security measures can reduce the risk, but will your insurance cover losses incurred by a cyber attack? Does the policy address key exposure points and is the coverage enough or too much – important considerations for any organization.

Connect with a trusted cyber security advisor to assess your exposure, identify risks and strategies to reduce them. If your organization has a cyber policy, consider an independent review to assess what your coverage does and does not cover, and how to best protect revenues and reputation.

The assessment process

An insurance review typically starts by securing a copy of the policy. The independent insurance advisor will review the policy against your business or organization and highlight any gaps or excesses.

For example, your policy might include coverage against the impact of an extortion or ransomware attack where cyber criminals hold your organization’s electronic data hostage until a ransom is paid. However, almost no government agency or department will transact with criminals, making such coverage superfluous for the public sector.

The team will discuss what your exposure is for revenue, hardware, and communications, in other words, what you stand to lose in the event of a cyber breach affecting operations. If your department has legacy hardware that is no longer available, does the policy allow for a replacement to like kind and function hardware instead of the exact models?

Privacy concerns and risks

We recently completed a review for a government-run cannabis retailer that wanted to, as many in the sector do, update their insurance in the face of increased cyber attacks. As the legal cannabis industry is relatively new and growing, with little historical information, insurance coverage can raise questions and concerns. An independent, experienced insurance advisor can support the sector, now and into the future, determining current needs and ensuring policies can grow with demand.

They will look at any existing policy, and build a model based on assets, what risks apply, and how if any restrictions apply. The plan will be developed on what coverage is required now and include projected growth to cover future needs.

In the case of retailers, losing personal client data in a cyber breach is a major area of concern. An insurance advisor could suggest expanding coverage in that area – however, as noted above, provincial and territorial governments restrict any payment. Coverage for ransomware should be removed entirely, making the policy realistically suited to the retailer’s needs.

It is also important to note state-sanctioned acts of cyber terrorism are not covered by any insurance policy.

How is coverage determined

Payments towards cyber business interruption insurance are based on a percentage; the percentage is calculated by taking the net income and continuing expenses of the business in a normal period and comparing it to gross revenues. The question becomes what sort of coverage do you need as the business’ income increases?

For the sake of round numbers, say your business’ income this year is $10 million, but in two years, you project an income of $50 million. What your limits are under the coverage today would still be in place in two years unless you’ve updated the limits. Your policy may have enough coverage for 10 days of revenues and downtime today, but only three days in the future. If you still want 10 days worth of coverage, you will need to update and increase your limits accordingly.

Stay updated

Understand what your situation is now but be prepared to change tactics quickly. For example, new legislation could impact an existing business model, increasing risk under an existing insurance policy. Having a model you can update allows you to plan for changes, and understand how revenue and policy changes could impact the business, before they happen.

Regular reviews are key to success. A comprehensive review of your insurance policy by an insurance advisor every two to three years will ensure current policies and status are incorporated, and that your organization is up to date in coverage.

A cyber breach can debilitate an organization or business; having the right cyber security insurance – one that addresses revenue, assets and other issues – can reduce the loss, and mitigate damage.


  • Agility

    June 20, 2024

    Why your credit union can’t afford to ignore scenario planning

    In today’s era of business, credit unions need scenario planning to anticipate and respond to future risks and opportunities.

  • Confidence

    June 20, 2024

    Three tips to keep your business insurance effective

    Avoid the pitfalls of inadequate business insurance with these three essential tips.

  • Progress

    June 19, 2024

    How the current market impacts the value of your energy business

    How do shifts in the energy sector impact the value of your business? A valuation can help you understand what your company is worth in a volatile market.