Cyber security and online shopping icons over top of a man using a laptop

Cyber insurance for public sector retail operations

Cyber insurance for public sector retail operations

5 Minute Read

As a public sector entity, it’s important to ensure your cyber insurance policy covers what you need, and not more, keeping costs down and coverage realistic.

Although property insurance has been around for centuries, with policies that have been refined throughout that time, cyber insurance is a relatively new concept for many organizations. Yet, as cyber crime increases in frequency and sophistication, risk management in the public sector often falls behind in securing insurance policies to mitigate the threat – to assets and to stakeholders.

A simple click of the mouse could open your organization to a system breach that exposes personal, financial, and operational data to criminal elements. Cyber security measures can reduce the risk, but will your insurance cover losses incurred by a cyber attack? Does the policy address key exposure points and is the coverage enough or too much – important considerations for any organization.

Connect with a trusted cyber security advisor to assess your exposure, identify risks and strategies to reduce them. If your organization has a cyber policy, consider an independent review to assess what your coverage does and does not cover, and how to best protect revenues and reputation.

The assessment process

An insurance review typically starts by securing a copy of the policy. The independent insurance advisor will review the policy against your business or organization and highlight any gaps or excesses.

For example, your policy might include coverage against the impact of an extortion or ransomware attack where cyber criminals hold your organization’s electronic data hostage until a ransom is paid. However, almost no government agency or department will transact with criminals, making such coverage superfluous for the public sector.

The team will discuss what your exposure is for revenue, hardware, and communications, in other words, what you stand to lose in the event of a cyber breach affecting operations. If your department has legacy hardware that is no longer available, does the policy allow for a replacement to like kind and function hardware instead of the exact models?

Privacy concerns and risks

We recently completed a review for a government-run cannabis retailer that wanted to, as many in the sector do, update their insurance in the face of increased cyber attacks. As the legal cannabis industry is relatively new and growing, with little historical information, insurance coverage can raise questions and concerns. An independent, experienced insurance advisor can support the sector, now and into the future, determining current needs and ensuring policies can grow with demand.

They will look at any existing policy, and build a model based on assets, what risks apply, and how if any restrictions apply. The plan will be developed on what coverage is required now and include projected growth to cover future needs.

In the case of retailers, losing personal client data in a cyber breach is a major area of concern. An insurance advisor could suggest expanding coverage in that area – however, as noted above, provincial and territorial governments restrict any payment. Coverage for ransomware should be removed entirely, making the policy realistically suited to the retailer’s needs.

It is also important to note state-sanctioned acts of cyber terrorism are not covered by any insurance policy.

How is coverage determined

Payments towards cyber business interruption insurance are based on a percentage; the percentage is calculated by taking the net income and continuing expenses of the business in a normal period and comparing it to gross revenues. The question becomes what sort of coverage do you need as the business’ income increases?

For the sake of round numbers, say your business’ income this year is $10 million, but in two years, you project an income of $50 million. What your limits are under the coverage today would still be in place in two years unless you’ve updated the limits. Your policy may have enough coverage for 10 days of revenues and downtime today, but only three days in the future. If you still want 10 days worth of coverage, you will need to update and increase your limits accordingly.

Stay updated

Understand what your situation is now but be prepared to change tactics quickly. For example, new legislation could impact an existing business model, increasing risk under an existing insurance policy. Having a model you can update allows you to plan for changes, and understand how revenue and policy changes could impact the business, before they happen.

Regular reviews are key to success. A comprehensive review of your insurance policy by an insurance advisor every two to three years will ensure current policies and status are incorporated, and that your organization is up to date in coverage.

A cyber breach can debilitate an organization or business; having the right cyber security insurance – one that addresses revenue, assets and other issues – can reduce the loss, and mitigate damage.


  • February 26, 2024

    Protecting yourself against fraud is a matter of good business practice

    It’s difficult to keep up with all the products and services required to defend against fraud. But security solutions all have one thing in common. When it comes to safeguarding your company, good business practices will always be your best protection.

  • February 29, 2024

    What’s next for businesses now that CDAP has ended?

    The federal government has announced that the Boost Your Business Technology grant is fully subscribed and will no longer accept new applications. MNP Digital remains committed to supporting Canadian small businesses with their digital transformation goals.

  • Performance

    2024 Nova Scotia Budget Highlights

    View a summary of MNP’s highlights from the 2024 Nova Scotia Budget.