A specialty broker providing cyber insurance has found a way to attract business from Canadian small and medium-sized organizations: Partnering with a cloud provider that helps firms meet a cybersecurity standard.
The partnership between Ridge Canada Cyber Solutions Inc. and CyberCatch Canada is aimed at lowering the odds of insured firms being hit by a breach of security controls by having them implement this country’s CAN/CIOSC 104 national baseline cybersecurity controls for small and medium organizations.
Canadian firms that sign up for cyber insurance through Ridge Canada get a discount for subscribing to CyberCatch’s Compliance Manager Solution for managing the CAN/CIOSC 104 cyber controls they are expected to implement.
The companies announced the partnership earlier this month.
Ridge Canada Cyber Security is a managing general insurance agency that provides specialty insurance products to Canadian insurance agents and brokers. CyberCatch Canada is a division of a U.S. software-as-a-service provider offering solutions to help mid to large-sized companies meet cybersecurity guidelines. U.S. customers have to meet the NIST 800 series of standards, while Canadian firms have to meet CAN/CIOSC 104.
Small and mid-sized organizations (SMOs) have limited resources and generally don’t know what cyber security controls to implement or how to implement in order to be secure from cyber threats, CyberCatch chief executive officer (CEO) Sai Huda, said in a statement. “The Compliance Manager Solution is a one-stop-shop for SMOs.” The platform provides “an easy but smart way to mitigate cyber risk for both the SMO but also the insurer.”
“This partnership allows us to help our broker partners with clients who are still in the assessment and control phases of the enterprise risk management process,” said Ridge Canada CEO Greg Markell. “Recognizing that many underwriting requirements harmonize with CAN/CIOSC 104, it will give many organizations guidance on where they can start, and our broker partners a solution when market feedback is that their client is not ready for cyber risk transfer, as well as for existing clients looking for assistance on staying secure.”
The CAN/CIOSC 104 requirements, published in 2021 by the Canadian CIO Strategy Council, specify a minimum set of cyber security controls for small and medium organizations (defined as firms with fewer than 500 employees).
The requirements are broken down into two categories:
—Level 1 requirements are intended for smaller organizations that are just starting their cyber security journey. Typically they don’t have the resources to invest or outsource IT resources, and their knowledge of cyber security would be considered entry-level;
—Level 2 requirements are intended to build from Level 1 requirements as organizations mature and develop their cyber posture. They have a basic understanding of cyber security, general knowledge of the cyber-related risks they face, and are looking to increase their cyber security maturity.
The standard begins with this statement: “Top management of the organization is ultimately responsible for the cyber security program.”
It then outlines a series of steps organizations have to take to comply with requirements. Briefly, these include creating a cybersecurity risk assessment, an incident response plan, and an application patch management plan; enabling and properly configuring security software and hardware for both on-premises and cloud assets; implementing strong user authentication to corporate IT systems; implementing user access control; and properly backing up systems, with encryption where necessary.