Brokers advised to take an 'oxygen mask' approach to cybersecurity

Brokers must protect themselves to better serve clients

By Nicole Panteloucos

Last week’s IBAO conference in Toronto brought together industry leaders for a series of engaging panel discussions, addressing key issues from brokerage technology to the evolving landscape of commercial lines insurance, and the critical need for wildfire disaster preparedness and recovery.

Standout topics also included a focus on intangible risks, particularly cyber threats, and the vital role brokers play in helping clients navigate complex security landscapes. The CEO panel added an important layer to this conversation, emphasizing that for brokers to effectively protect clients from the risks of ransomware and cyberattacks, they must first secure their own businesses.

Highlighting the importance of brokers practicing what they preach, panelist Ben Isotta-Riches, chief distribution officer at Aviva Canada, said, “It would be a bit silly if you’re selling cyber insurance and faced a cyberattack yourself.”

Navigating an evolving landscape of cyber risks

Urging brokers to better protect their firms against cyber risks, Louis Gagnon, chief executive officer, Intact Financial Corporation, Canada, added, “We have a lot of data, we are connected to the world, and, in general, small businesses are not well protected.”

He’s right. Survey results from the Insurance Bureau of Canada found that 47% of small business owners admit they don’t allocate any portion of their annual operating budgets to implementing cybersecurity defences.

As a result, new data from Statistics Canada reveals that some businesses paid ransoms exceeding $500,000 following cyberattacks last year. For small and medium-sized businesses, which often have limited liquidity, the impact of these ransom payments can be particularly devastating.

While addressing the insurance industry’s gaps in cyber risk knowledge, Gagnon pointed out that this lack of understanding represents “a big opportunity to make sure that we better understand what’s going on.”

Panel moderator and business advisor Marissa Teeter likened Gagnon’s remarks to an “oxygen mask” approach to cybersecurity, explaining that brokers can better protect clients only after adequately educating themselves and securing their own businesses against cyber threats.

Cybersecurity costs driving mergers and acquisitions

With rising costs related to changing regulatory demands, implementing cybersecurity response plans, and complying with privacy legislation, Paul MacDonald, executive vice president of personal insurance and digital channels at Definity, highlighted that the investment necessary to remain at the leading edge of technology and cybersecurity can be a significant burden for many brokerages.

He noted that these escalating costs are contributing to the industry's increasing trend toward mergers and acquisitions. “We’re never going to have time for the people side of this business if we’re spending all our time trying to upgrade our systems,” MacDonald said.

“It’s no surprise to us that many brokers have chosen to partner and band together to figure out how to remove some of these inefficiencies… so [they] can spend more time on what is important,” he continued. Although there will always be room for smaller, specialized brokers and insurance companies, MacDonald added, “I do think that the future will be fewer, larger entities.”

What can brokers do to secure their businesses?

In the spirit of protecting their own businesses to better serve clients, brokers should adopt these cyber-smart practices:

  • Leverage Your Expertise: Use your cyber insurance knowledge to your own advantage – secure a cyber policy for your firm to cover potential costs from data breaches, ransomware attacks, and other incidents. This not only safeguards your business but reinforces your position as a trusted advisor in cybersecurity.
  • Invest in Comprehensive Cybersecurity Training: Ensure all employees are educated on cybersecurity basics, like recognizing phishing attempts and practicing safe browsing. Regular training can help create a security-conscious culture.
  • Implement Multi-Factor Authentication (MFA): Using MFA across all business applications provides an added layer of protection, making it harder for unauthorized users to access systems and sensitive data.
  • Patch and Update Systems Regularly: Regular software and security updates address vulnerabilities that hackers can exploit. Implementing a patch management system ensures that all systems are up-to-date.
  • Limit Access to Sensitive Information: Follow a “least privilege” approach to access management, granting employees only the access necessary for their roles. This minimizes the impact of potential security breaches by restricting unauthorized data exposure.
  • Establish a Cyber Incident Response Plan: A well-defined response plan outlines how to detect, contain, and recover from cyber incidents. Include detailed response protocols and designate key team members to minimize disruption in the event of an attack.
