FREQUENTLY ASKED QUESTIONS
+ Who is BOXX Insurance?
BOXX Insurance Inc. is a Toronto-based Insurtech and MGA.
We specialize in risk management solutions for small-to-medium sized businesses (SMBs). The company’s flagship product, Cyberboxx™, interlocks leading edge cyber insurance and cybersecurity expertise and assistance. Threat intelligence, cybersecurity experts, and full data backup and recovery are all made available to SMBs at an affordable monthly price. Cyberboxx™ allows you to stay ahead of cyber threats, learn from the best, respond to attacks, and re-secure your business faster and more cost-effectively.
+ Does BOXX Insurance have authority to issue insurance policies?
Yes, BOXX Insurance acts under authority given to it by Lloyd’s of London to quote, bind, endorse, renew, and cancel Cyberboxx cyber and data insurance policies, as well as collect premiums.
ABOUT CYBER INSURANCE
+ What is cyber insurance?
Cyber insurance helps businesses decrease risk by offsetting the costs involved with recovering from a cyber-related breach or similar event.
It is protection against cybercrime, which is on the rise in Canada and globally. Security breaches are now inevitable, with 70% of hacks targeting small to midsized businesses to steal/exploit data or hold a business to ransom.
In general, cyber insurance policies have two primary components:
First party coverage: for costs related to a data breach resulting in loss to the insured. For example: costs relating to threat of extortion, loss of income due to interruption of the business, costs of reinstating data, and computer forensics.
Third party coverage: for claims brought against the insured by third parties who allege they have suffered loss because of the insured’s actions. There are also regulatory obligations to secure personal or commercially sensitive data.
+ Why should my business purchase cyber insurance?
There are many reasons why cyber insurance is necessary for your business. As businesses become ever more reliant on technology and hold more and more sensitive data, the risks from suffering a loss related to problems computer systems continue to grow. This can lead to unforeseeable costs from negotiating a ransom, lost revenue, a damaged reputation, and legal and regulatory costs, not to mention the associated business disruption.
+ Is cyber insurance coverage mandatory in Canada?
No, but cyber insurance will help cover the costs to adhere to mandatory regulatory requirements. The Government of Canada legally requires that all private sector organizations, of all sizes, take measures to secure their data, monitor security threats, and respond and recover from a breach if the worst happens.
On November 1, 2018, revisions to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) as per the Digital Privacy Act came into effect, requiring organizations to adhere to certain obligations before, during, and after a breach of security, including the following:
The organization must determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach (“affected individuals”) by conducting a risk assessment. The assessment of risk must consider the sensitivity of the information involved, and the probability that the information will be misused;
When the organization considers that a breach is posing a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada (the Commissioner) as soon as feasible;
The organization must notify any other organization that may be able to mitigate harm to affected individuals; and
The organization must maintain a record of any data breach that the organization becomes aware of and provide it to the Commissioner upon request.
+ Don't most businesses already have coverage for cyber risk within their general business insurance, public liability, or
professional indemnity insurance policies?
Cyber insurance is sometimes included as part of business insurance, but the amount of coverage tends to be very limited and generally not aligned with current cyber risk reality.
Cyber insurance and business insurance have very different purposes. While they may complement each other, they operate very differently. We strongly recommend you understand each before accepting and/or buying either or both.
+ My I.T. department is confident in our cybersecurity protection. Do I still need cyber insurance?
Equifax, Sony, Air Canada, and many other large corporations have entire in-house I.T. departments devoted to security. Yet, they still suffer data breaches.
A simple oversight like not updating software, not setting appropriate user authentication procedures for third party vendors, losing an unencrypted laptop, or a rogue employee with malicious intent, can all lead to a cyber attack. A risk your I.T. team may not be able to prevent.
+ What does the Cyberboxx™ insurance policy cover?
Cyberboxx™ membership provides essential protection against your cyber risk exposure.
Our insurance coverage includes but is not limited to*:
First Party Coverage
Reimbursement for the costs of repair, restoration, or replacement if a hacker causes damage to your websites, programs, or electronic data.
Support in the event of a data breach, including forensic experts, legal advisors and crisis management experts.
Payment of the costs associated with regulatory investigations.
Payment of civil penalties levied by regulators (where permissible).
Protection if a hacker tries to hold your business to ransom by covering the ransom you have paid, as well as the services of a risk consultancy firm to help manage the situation.
Coverage for lost profits, including where caused by damage to your reputation, if a hacker targets your systems and prevents your business from earning revenue.
Third Party Coverage
Cyberboxx™ coverage will pay to defend and settle claims made against you for failing to keep customers’ personal data secure. The policy includes protection if you mistakenly infect someone’s system by sending them an infected email or your failure to keep your computer system secure.
Protection if your online content infringes someone’s intellectual property rights, including if done by a hacker, such as the inadvertent infection of another system with malware through an email attachment.
Prior Acts Coverage: Insurance for undetected and unknown infections which were present during time of policy purchase but effectively a “wake up” in the form of malware or cyber ransom afterwards.
Cyber Deception or Social Engineering Coverage: Insurance for the loss of money as a result of a social engineering or phishing attack against you which results in your voluntary transfer of money to an unintended third party.
*This communication provides general information on Cyberboxx™’s products and services only and is not intended to be, and does not constitute, a solicitation of business. Coverages are subject to underwriting and may not be available in all provinces. The information contained herein is not a part of an insurance policy and may not be used to modify any insurance policy that might be issued. In the event the actual policy forms are inconsistent with any information provided herein, the language of the policy forms shall govern.
+ Does Cyberboxx™ insurance cover both online and offline exposures?
Yes. The policy is triggered by the breach of electronic and non-electronic data that includes theft and loss. With Cyberboxx™, your business has access to insurance for a sophisticated hack, but also for leaving a paper file on a train or sending information by email to the wrong person.
+ Can all types of business access Cyberboxx™ insurance?
There are certain categories of businesses that are deemed higher risk and, therefore, will trigger underwriting consideration:
Financial companies involved in any of the following: depository institution, investment bank, security underwriter, securities broker-dealer, payment card processors/gateways, payroll processors, credit rating agencies, insurance companies or similar
Social, dating or professional networking sites or services
Pornography or gambling
Data companies, including data warehouses, direct marketers, data aggregators, or information brokers
Data companies, including data warehouses, direct marketers, data aggregators, or information brokers
Family planning or substance abuse centres or services, adoption agency or abortion clinic
Mobile application or video game developer/publishers
+ Where can I purchase a Cyberboxx™ membership?
Cyberboxx™ memberships are available through licensed insurance brokers in Ontario, Alberta, and British Columbia. Please contact your local insurance broker to receive a Cyberboxx™ quote.
+ How does BOXX Insurance provide a quote?
All quotes are provided online at the invitation-only sales portal pages. Please contact us at to access.
+ What are the main factors that contribute to BOXX Insurance's calculation of premiums?
Class of industry, client records, and location(s) you declare;
Your company specifics (headcount, subsidiaries, date of incorporation, etc.) you declare;
Estimated Turnover you declare;
The Limit of Liability you select;
Any Optional Extensions you select;
Past claims or incidents, known circumstance, and other history you declare;
Current I.T. risk management and security controls you have in place and declare.
+ What if the security questions are not answered accurately or completely?
The Insurer may cancel the contract or reduce the amount that will be paid if a claim is made, or both. If the failure to tell the Insurer is fraudulent, the Insurer may refuse to pay a claim and treat the contract as if it never existed. We ask that all applicants try their best to answer the questions as accurately and completely as possible.
+ For how long is the quote estimate valid?
30 days from the date of the quote estimate. A future commencement date up to 30 days in advance of the day of submission can be selected during the online application.
+ How does a client pay for the policy?
During the online quote process, you will be guided through each step. If you do not accept the quote when received, you will be able to click within the emailed quote estimate and re-enter online to retrieve and complete the quote. However, it must be done before the 30-day quote estimate validity period expires. The total premium must also be paid when the quote is accepted.
+ What is Prior Acts Coverage?
Cyber attacks and breaches are often discovered well after they occur. However, many cyber insurance policies do not provide coverage for any acts that occurred prior to the effective date. Our Prior Years policy endorsement extends the coverage of insurable events to prior to the policy inception date. This ensures peace of mind that you have coverage irrespective of when the first incident or breach first occurred.
+ What is Retroactive Liability?
Under Prior Acts Coverage, the policy may be limited by a Retroactive Date stated in the policy schedule. The policy does not provide cover in relation to any matter arising under the policy that occurs before the stated Retroactive Date. For example, the Retroactive Date may be stated as 1st January 2018 if the inception date of the policy is 1st January 2019 i.e. not greater than 365 days before the policy inception date.
+ What is 'Limit of Liability'?
Limit of Liability means the limit of the Insurer’s liability for a particular cover under this policy. The Limit of Liability for each applicable cover, any sub-limits of Liability, and defense costs are part of that amount and are not payable in addition to the Limit of Liability.
+ About Claims
Responding to a breach incident quickly is critical. Boxx is unique in having its own dedicated emergency response team. As a result, if you are a Cyberboxx™ member, you speak to a breach incident response expert to help contain the risk as quickly as possible.
Our professionals are here to support you during breach incidents, whenever you need us - across the globe and around the clock. A cyber breach isn’t always a disaster, but mishandling one can be. When a cyber security breach occurs, time works against you. Most hackers accomplish their objectives within the first 5 hours of gaining access to your network. With our coverage, we provide the resources to help you contain the incident on your first call to us and help prevent an incident from causing material damage to your business or reputation.
Here are some of the steps we go through:
The Hackbusters™ contain the breach. Our team of Hackbusters™ will help you contain the situation and mobilize the relevant team specialists. They work in conjunction with our data protection and ransom experts. Our PR experts will deal with incidents that affect employees and customers, and our legal representatives will provide advice and support on all the legal implications of a cyber-attack.
Re-secure your network and get you back up and running. If you have a cyber incident, our goal is to get your business back up and running quickly and as hassle-free as possible. We will help eliminate the cause of the breach and secure the responsible weak points to prevent future attacks.
Address legal and regulatory requirements. The legal consequences of a breach can run in to the millions of dollars. Deciding who and when to notify is not easy. Our policy provides the legal expertise and indemnifies damages to third parties impacted by your breach, including regulatory damages.
Manage your brand reputation. Not all security breaches will become public, but for many it will be inevitable. If relevant data protection legislation requires that affected individuals be notified, our specialists help in the messaging and communications distribution.
Conduct a thorough investigation. The Cyberboxx™ breach response team will help you document the facts surrounding the breach, its effects and remedial actions taken as these may be required as part of any legal defense or regulatory notification to be submitted.
Minimize the risk of a similar breach. Whenever there is a breach, it is important to feed back the conclusions from the investigation in to your procedures to ensure that employees are given appropriate training on them. Regulators are often just as interested in what has been done to remedy processes going forward, as in the breach itself.
+ How do I cancel a policy?
The Policy can be cancelled by the Insured with 30 days notice to the Insurer, and no refund will be provided regardless of the cancellation date. Please inform your broker of your intentions to cancel.
+ How does BOXX Insurance secure my personal information?
+ How can I contact BOXX Insurance?
For corporate or media:
+ What if I have a complaint about BOXX Insurance Inc., the Insurer, or any company providing services on behalf of
BOXX Insurance Inc.?
Please contact us at firstname.lastname@example.org