With Canadian businesses increasingly being targeted in cyberattacks, many companies are turning to cybersecurity insurance to mitigate risk, a recent study conducted by the Canadian Internet Registration Authority (CIRA) has found.
The survey, which drew on a nationally representative sample of 510 cybersecurity “decision-makers,” found that almost 60% of businesses in the country have taken out cyber coverage as the threat of cybercrime has steadily climbed. Half of these organizations have purchased cyber cover as part of their business insurance policies, while the other half bought a separate “cybersecurity-specific” policy.
The research also showed that many respondents felt that the number of cyberattacks surged at the height of the pandemic, with more than a third (36%) of businesses claiming that COVID-19 has triggered a rise in cyber incidents in 2021, up from 29% in the year prior when the coronavirus outbreak started.
“[In 2021, the] adoption of cybersecurity insurance is growing in parallel with the growing number of cyberattacks,” wrote Erin Hutchison, product marketing manager at CIRA, in her analysis of the survey results. “At the same time, expenses are soaring due to hefty ransoms paid to hacker groups and massive fines paid to regulators policing the storage and transfer of personal information online.”
From the insurers’ perspective, Hutchison noted that the spike in cyber insurance applicants and their perceived levels of risk has created a situation where “the insurance providers can be pickier about who they cover and what requirements they can ask of their clients.” These requirements include having cybersecurity measures in place and having them regularly audited by third-party specialists.
CIRA’s survey also revealed that most businesses reported their brokers making at least one change to their cyber insurance policies in the past year. Increased premiums topped the list of changes at 35%, followed by “requests for new forms of proof/verification of cybersecurity measures being in place” (34%), and revised eligibility requirements for obtaining or renewing coverage (29%). About a quarter of respondents also said that the reimbursement amounts for ransomware attacks were reduced.
“Stepping back and taking a wider perspective of the cybersecurity insurance picture shows an industry that’s still emergent and still agreeing on the standards,” Hutchison explained. “The increased risk environment puts the power in the hands of insurers, who can demand higher premiums from customers while putting more escape clauses in their contracts.”
“That leaves some companies either wondering if it’s worth it to buy cybersecurity insurance, or if it’s worth it to continue paying rising premiums,” she added. “Considering the potential impacts of a cybersecurity attack against the difficulty in securing it and the costs of recovery might help factor into the calculus of buying a policy.”
Premium prices in the cyber insurance and reinsurance market are expected to soar between 2021 and 2023, in some cases rising two-fold as the “protection gap” further widens because of the pandemic, a recent report from financial services giant S&P Global predicts.
The research also noted how the pandemic has accelerated “digital transformation and systemic vulnerabilities,” resulting in massive economic and insured losses in the cyber insurance sector. The situation has, in turn, pushed demand for cyber re/insurance coverage because of increasing awareness of cyber risks among businesses.
“The pandemic exacerbated the huge cyber insurance protection gap by causing existing and new clients to request larger limits and more inclusions in their policies’ terms and conditions,” according to the report. “In addition, some insurers are offering more advanced services, including value-added assistance services, and we have seen a shift from non-affirmative (silent) to affirmative (explicit) cyber coverage, leading to previously unrecognized premium volume.”
To sustain profitability, S&P predicts that insurance companies will continue restructuring their cyber offerings, pushing up rates further and adjusting their terms and conditions, including exclusions and payout limits, while hoping to increase retention levels.
Businesses, meanwhile, should be mindful of the factors impacting the cost of coverage before deciding on which policies to take out. Here are some of the major cyber insurance aspects Canadian organizations need to consider:
The number of staff a business employs has a major impact on cyber insurance premiums as this also affects the company’s risk exposure.
“Although SMEs in general have more discrete cybersecurity tools, the greater the number of devices, users, and systems an organization has, the larger its threat surface and therefore the greater the possibility of being the victim of a cyberattack,” cybersecurity firm WatchGuard Technologies wrote on its website. “Policies are tailored according to size and complexity.”
Equally important in determining premium prices, however, is the industry the business is in.
“There are sectors that are more prone to be victims of cyberattacks than others,” WatchGuard added. “Apart from the number of cyberattacks suffered, insurers also take into account cases where the associated costs generated are sizable, such as the financial sector. Therefore, if an organization belongs to any of these sectors, policies will be more expensive.”
In IBM Security’s latest X-Force Threat Intelligence Index, the manufacturing sector topped the list of most targeted industries in North America, accounting for 28% of all cyberattacks in the region. This was followed by professional and business services (15%) and retail and wholesale (11%).
In an article posted on its website, MicroAge, a Fort McMurray-based IT products and services provider, pointed out that each business faces a different set of risks as each also holds different data.
“The number of clients a business has, the data that is collected from these clients, and the sensitivity of the data collected are all factors that influence the risk levels of the business,” the company noted. “The risk level will influence the requirements from insurers as well as the type of cyber insurance coverage and premiums businesses can apply for.”
Insurance providers typically perceive businesses that generate higher revenue to be at a greater risk of being targeted by cybercriminals. Because of this, these companies often pay more for cyber coverage.
“Company revenue can be a major element in determining the maximum amount of losses generated by the cyberattack that the insurer covers, and this influences the cost of policies significantly,” WatchGuard noted.
According to insurtech firm Embroker, insurers often reward businesses that dedicate significant resources and efforts toward preventing cybercrime with lower premiums.
“[To save on costs,] high-risk companies should educate their workers about these risks and employ experts to install security protocols, monitor hardware and software security,” the company wrote in a guide on its website. “[Businesses should also] put together proper procedures and plans for what needs to be done if a cyberattack does occur.”
Edmonton-based brokerage firm Foster Park Brokers noted that with the number of businesses experiencing data breaches rising in recent years, the market for cyber insurance has also grown substantially. However, unlike other forms of insurance, the firm explained that cyber coverage does not entail a “one-size-fits-all approach.”
“Most cyber policies are offered a la carte, allowing policyholders to negotiate terms and conditions and purchase the coverage that fits their needs,” Foster Park wrote on its website. “To ensure your business has best-in-class cyber coverage, it is critical to assess your business and consider the specific risks you wish to insure. The level of coverage your business needs can vary depending on your range of exposure.”
According to the firm, the items relating to cyber insurance policies that businesses need to consider when building the ideal coverage include limits and sub-limits, retroactive coverage, standard exclusions, panel and consent provisions, and vendor acts and omissions.