Small and medium-sized businesses in Canada are getting a leg up when it comes to cybersecurity. In August, the federal government announced a new certification program and talent development pilot, called CyberSecure Canada, that will help enhance cybersecurity among Canadian companies.
According to a press release, the program is voluntary and aims to get SMEs to achieve a baseline level of cybersecurity, in turn providing their clientele with confidence in the business, while giving the organizations a competitive advantage.
One cyber expert told Insurance Business that the move is yet another signal to SMEs that they should be taking cybersecurity seriously.
“This has been a major issue for quite some time now, and we saw that via how they structured the potential fines and penalties as they relate to mandatory notification in the Digital Privacy Act that came into effect November 01 of last year,” said Greg Markell (pictured), president and CEO of Ridge Canada. “If you fail to notify the privacy commissioner, your organization could be in line for fines up to $100,000, and when you look at it that way, the $100,000 fine is not going to move the needle a lick as it relates to privacy or cyber for mid- to large-cap enterprises. That's a signal to small businesses that says, ‘Hey, get your house in order and start taking this seriously,’ because a Facebook or a Google or any of the FANGS aren't going to bat an eyelash at $100,000. Who that's going to affect is your mom-and-pops.”
Depending on the study you read, between 65% and 75% of businesses aren’t around anymore six months after getting hit by some sort of cyber breach. That should also be alarming for SMEs in Canada.
“Canada is made up of small businesses. According to the latest Statistics Canada figures, 97.9% of businesses in Canada are deemed ‘small.’ The federal government [with this pilot] is coming out and saying that ‘we recognize [the fines are] punitive, and maybe we should be doing something to support them,’ which I think is essential,” said Markell.
On the insurance side, small and medium-sized organizations are starting to take the need for risk transfer seriously. Ridge Canada has seen the trickle-down of buying patterns from larger businesses into the mid-market, in part thanks to the work of brokers.
“We've been hearing the plight of small businesses, and while there is still a general apathy that exists amongst Canadian businesses – we hear a number of things from our broker partners that their clients are telling them, whether it be, ‘my business is not targeted’ or ‘I don't know how to fill out this application’ or ‘this is going to be way too expensive’ – [but] we're not seeing as much resistance anymore,” said Markell. “Our broker partners are getting better at communicating the actual exposures and what the policies do all the way down to small business.”
Nonetheless, there is still a significant issue relating to cyber insurance that needs to be addressed, added Markell. The fact is that cyber package extensions do not cover major exposures for small businesses.
“It's an education that needs to permeate through all retail channels, and it's something that our broker partners are acutely aware of,” said the Ridge Canada leader.
Moreover, small businesses need to know that there doesn’t have to be data exfiltration for a cyber issue to impact them, and if a business is paying for notification costs, but nothing has been exfiltrated, then that’s an unnecessary item on their cyber bill.
“In most of the scenarios that we see here in Canada, data hasn’t been taken outside of the organization. You look at what's making the headlines, and most of those privacy-related issues are insider threat,” said Markell, pointing to Desjardins and Capital One. “Small business in Canada is still struggling with the proliferation of ransomware, and they're still struggling with new and emerging threats like crypto jacking, which again, is not exfiltrating data from your systems, but it's still grinding you to a halt, and it could potentially cause opportunity cost loss.”
In this ever-evolving cyber landscape, MGAs are especially well-equipped to bring solutions to the marketplace.
“I think a lot of it has to do with who you have helping in claims scenarios. We pride ourselves on using Canadian vendors and we pride ourselves on using the best of the best, and we think that goes a long way,” said Markell. “In terms of product development, we're acutely aware of what's going on and what's out there. The criminals are staying a step ahead – how do we forecast what's going to be affecting Canadians six, 12, or 24 months out? So, we're looking at product design that's based on that, and that's based on [businesses’] immediate needs to respond to their immediate exposures.”