Cyber Insurance GLOSSARY

explanations for unfamiliar terminology


Access Control Provisions

A method of securing data or systems through permission-based limited access. For example, limiting access to employee human resources files to human resources employees only.

Anti-virus Software

A program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like worms, trojans, adware, and more.

“Back door”

A secret method of bypassing normal authentication and verification when accessing a system. A back door is sometimes created in hidden parts of the system itself or established by separate software.


Botnet

A network of computers and software robots, or bots, that run remotely, autonomously and automatically. A computer can be unknowingly added to a botnet as a result of being infected by malware. The botnet creator or owner can then use the computer for malicious activity, commonly denial of service attacks.

Business Continuity Plan

A formal corporate document that outlines the steps the business will take in any scenario to return to normal operations. The plans are written ahead of time and are created with the input of key staff in various functional departments. A good plan will ensure that roles are assigned, that employees and those accountable know what to do and when, and that contact information for individuals within the plan is kept up to date. Table-top exercises performed by third parties are another way to make sure that the plan is tested regularly, and that the organization is prepared to follow the plan in the event of an emergency.

Cloud Computing

The ability to access all required software, data, and resources via a computer network instead of the traditional model where these items are stored locally on a user’s computer.

Canada’s Anti-Spam Legislation (CASL)

The Canadian federal law dealing with spam and other electronic threats. CASL applies to commercial electronic messages that are sent to an electronic address. The sender of a commercial electronic message must obtain consent, provide identification information and provide an unsubscribe mechanism.

Whether a message is a Commercial Electronic Message is determined by its content, the hyperlinks in the message to website content or a database, and the contact information.

An electronic address is defined in CASL as being an email account, a telephone account, an instant messaging account, and any other similar accounts.

Computer system

Any combination of facilities, equipment, personnel, procedures and communications integrated to operate your business; examples include file storage, data processing systems, Customer Relationship Management (CRM) systems, Supervisory control and data acquisition (SCADA) systems, and more.


Cookie

A small data file that a web site installs on your computer’s hard drive to collect information about your activities on the site or to allow other capabilities on the site. Web sites use cookies to identify returning visitors and profile their preferences on the site.


Cyber

A prefix used to describe a person, thing, or idea having to do with computers, information technology or management information systems.

Cyber Attack

Any type of offensive manoeuvre that targets information technology (IT) and operational technology (OT) systems, computer networks, and/or personal computer devices and attempts to compromise, destroy or access company systems and data.

Cyber incident

An occurrence, which actually or potentially results in adverse consequences to a computer system or network or to the information that they process, store or transmit, and which may require a response action to mitigate the consequences. This is not necessarily a malicious attack and can be caused by human error or system failure.

Cyber Risk Management

The process of identifying, analysing, assessing, and communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level by taking into consideration the costs and benefits of actions taken by stakeholders.

Distributed Denial-of-Service Attack (DDoS Attack)

An attempt to make a computer system unavailable to its intended users. Although the means to, motives for, and targets of DoS attacks may vary, they generally consist of the concerted, malicious efforts of a person or group to prevent legitimate users from using a computer system by crashing the service or overwhelming the service with illegitimate requests and/or information.

Data Breach

An incident involving the unauthorized access to, theft of, or disclosure of non-public information.


Encryption

A data security process that involves transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a ‘key’. The result of the process is encrypted information. Encryption is different from a password: a standard username and password can stop bad actors from gaining access to your machine; however, they do not protect your data if the physical hard drive is removed, make your data unreadable if it is accessed by an unauthorized party, or stop attempts to intercept your internet connection and read information being sent across networks.


Exploit

A defined way to breach the security of an IT system through a vulnerability.


Exfiltration

The unauthorized removal of data or files from a system by a threat actor.


Firewall

A network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

General Data Protection Regulation (GDPR)

The European Union’s General Data Protection Regulation is a federal law that took effect May 25, 2018. It applies to any organization that offers goods or services to or monitors the behaviour of EU residents. It also applies to all companies that hold personal data of any resident of the European Union. The regulation pertains to the processing of personal data and the free movement of such data.


Hacker

A common term for an unauthorized person (or organization) who maliciously accesses or attempts to access a management information system by circumventing software security safeguards.

Identity Theft

The unauthorized assumption of a person’s identity in order to misappropriate that person’s money, credit or other resources. Identity theft most frequently occurs when an unauthorized person gains access to the personally identifiable information of another person to commit fraud or other crimes.

Intellectual property

The legal rights that result from intellectual activity in the industrial, scientific, literary, and arts fields and include items such as an author or creator’s copyright, trademark, and patents.

Intrusion Detection System (IDS)

A device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.

IP Address

A numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication and identifies a computer or other hardware devices (such as a printer) on the Internet.

Local area network (LAN)

A computer network that interconnects computers within a limited area such as a home or office building, using network media.

Malicious code

Software or firmware that is intentionally entered into a computer system for an unauthorized purpose.


Managing General Agency (MGA)

A Managing General Agency (MGA) is an individual or business entity acting on behalf of a capital provider to provide, negotiate, and countersign insurance contracts. This is most common when capital providers from Lloyd’s of London partner with Managing General Agencies in foreign jurisdictions to provide local expertise and relationships.


Malware

A common term for a variety of malicious software, which can infect computer systems and impact system performance, limit availability of data, and disrupt operations.


Regular updates provided by software developers improve the software or address security vulnerabilities and other bugs in operating systems or applications.

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry Data Security Standards (PCI DSS) are developed by the Payment Card Industry Security Standards Council to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Personal Information Protection and Electronic Documents Act (PIPEDA)

The Canadian federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of commercial activity.

Personally Identifiable Information (PII)

Information that can be used to identify, contact or locate a specific individual, either alone or when combined with other personal or identifying information. Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

Finding this information is often the goal of hackers looking to steal identity or money. 


Phishing

An exploit that involves deceiving recipients into sharing sensitive information such as usernames, passwords, and financial details with a third party. Phishing is typically carried out by e-mail or instant messaging, and often directs users to enter details into a website. Targeted versions of phishing aimed specifically at senior executives and high-profile targets have been referred to as ‘Spear Phishing’ or ‘Whaling’.

Service Provider

A company or person who provides and performs IT services including Application Service Providers (ASP), Cloud Providers, Data Processors, Internet Service Providers, Managed Security Services, Point-of-Sale / Payment Systems, and Web Hosting.

Social Engineering

An exploit that involves manipulating an individual into revealing confidential information. In most cases, this is administered via email or phone and the attacker never comes face-to-face with the victim.


Spam

The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages. While the most widely recognized form of spam is e-mail spam, it can also occur on blogs, forums, instant messaging, and other communication platforms.


Spoofing

A term used to describe fraudulent email activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different and legitimate source, such as a known customer, client, or employee. E-mail spoofing is a technique commonly used for spam e-mail and phishing to hide the origin of an e-mail message and enhance the effectiveness of Social Engineering Fraud.

Threat Actor

Any person, group or thing, which acts, or has the power to act, to cause, carry, transmit, or support a threat.

Trojan Horse

A type of malicious software which appears to perform a certain action but in fact performs another such as transmitting a computer virus. For example – an attachment that indicates it is a resume, contest, or offer is actually an executable file or file with macros. A macro virus infects the executable code embedded in Microsoft Office programs that allows users to generate macros. Unlike malware, Trojan Horse viruses do not propagate by self-replication but rely heavily on the exploitation of an end-user (see Social Engineering).

Virtual Private Network (VPN)

An internet communication network that enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, thereby benefiting from the functionality, security and management policies of the private network.


Virus

A hidden, self-replicating section of computer software that maliciously infects and manipulates the operation of a computer program or system, typically without the permission or knowledge of the user.
