Between 2018 and 2019, ransomware attacks shot up by 131%, according to the most recent Beazley Breach Briefing, indicating that this is still a significant threat facing many companies. At the same time, the sums demanded by cyber criminals rose exponentially, sometimes reaching seven or eight figures, Beazley found.
In this risk environment, the cyber insurance market in Canada is continuing to develop, but has yet to reach the same penetration as our neighbours south of the border.
“There’s far more penetration on standalone cyber products in the US than there is in Canada,” said Greg Markell (pictured), president and CEO of Ridge Canada Cyber Solutions. “I would say, however, that that is developing, and that the general apathy and scepticism that we saw among Canadian cyber buyers or prospective buyers previously is starting to lessen.”
Similarly, Markell has seen a lot more sophistication enter the brokerage channel and believes that retail brokers are doing a great job in educating themselves about cyber and communicating the potential risk to their clients. The education and awareness piece around cyber has improved markedly even over the past six to 12 months, he continued, noting that in the meantime, the cyber risk has become too significant for companies to ignore.
“The reality is all Canadian businesses have this exposure,” Markell said. “As the brokerage community has started to see the evolution and the uptick in losses translate not just to large-scale entities in Canada, but all the way down to small businesses being affected, I think that a lot of the ‘I’m not a target’ mentality is starting to dissipate.”
Nonetheless, some experts are warning that current rates for cyber insurance are not sustainable given the size of losses stemming from cyberattacks – an argument that’s been underscored by huge breaches hitting companies like Mitsubishi Electric and MGM Resorts in recent months. However, says Markell, it’s important to note that these major breaches impacted Fortune 500 companies.
“Rate hardening among larger businesses, we fully see that coming into effect. I would say that small, mid-sized business rates are remaining relatively stable with the exception of some markets that didn’t price properly when they entered the market,” he explained. “We’re seeing some reactivity to that and to losses, mainly to loss developments surrounding ransomware and potential business interruption and business income loss.”
Meanwhile, the first anniversary of the mandatory breach regulations in Canada have come and go. To celebrate, the Office of the Privacy Commissioner of Canada (OPC) published the results of its assessment of the various data breach incidents that have occurred over the past year, revealing that tens of millions of individuals’ private data had been compromised.
“What needs to continue to happen [is] moving that education and awareness to the forefront, to translate it down to small, mid-sized business owners that they do have a risk, they have an exposure and these things have repercussions,” said Markell. “[Breaches] can be quite expensive if you don’t plan accordingly so if you don’t have any planning, if you haven’t accounted on what to do, if you haven’t set up your channels in terms of who’s going to help you through these things, and you’re reacting when you are in one of these circumstances, it’s going to be a bad time.”
It behoves the entire risk management community to continue to drive the awareness down to end consumers of the insurance products. For generalist brokers, Markell advises that they keep familiarizing themselves with cyber insurance products, especially since other policies are not picking up cyber exposures.
“It’s [about] knowing that you’re not going to find coverage baked into your traditional lines of insurance, so being aware that the cyber risk really sits outside of traditional lines of coverage and then educating themselves on how to access the policy,” he told Insurance Business. “If you understand how to access the policy and how the procedures going into it work, then you’re in a better position than just dealing with something ad hoc and coming back to the insurer with ‘please reimburse’ when that’s not how these policies work.”
He added: “We can continue as an industry to get better and more efficient at handling these frequency-related claims, and I think that is something that we should continue to drive forward in 2020.”