Let's take a look at the cyber insurance market in Canada. In this IBTV episode, Michael McCallum, cyber underwriting leader at AXIS Insurance, talks market challenges, the biggest cyber risks brokers and their clients need to be aware of, and the typical claims that could be prevented.
Paul: [00:00:21] Hello, everyone, and welcome to the latest edition of Insurance Business TV, a cyber special in association with Axis Canada. It's fair to say that the insurance market has seen its fair share of upheaval in recent years. Whether it's been COVID, hardening markets or the present cost of living crisis, There have been a host of headline grabbing issues to grasp the industry's attention. Yet even before pandemics and economic crisis were at the forefront of our minds, one issue was looming large over the sector and has stayed in the spotlight ever since. That, of course, is cyber. It's a market that is constantly evolving, continually witnessing new trends and threats. So how can brokers keep up and what should they be thinking about in 2023? Today, I'm delighted to welcome a true expert in the field, Axis Canada's Michael McCallum, who is the company's cyber underwriting unit leader. Michael, welcome to IB TV.
Michael: [00:01:21] Thank you, Paul. I'm glad to be here.
Paul: [00:01:24] So Michael, let's dive straight in. Give us some oversight on how the cyber landscape in Canada is evolving right now and and what trends are you seeing?
Michael: [00:01:35] Certainly, certainly. So if we level set 2023 with a quick view of 2022, what we generally experienced in the market was continued rate increases across the board, which were required to fund the increased claims activity. And secondly, insurers setting a new standard or minimum baseline set of risk controls across their portfolio of insureds. And what I generally mean by that is improving cyber hygiene. Everyone by now is probably heard of a critical risk control, multi factor authentication. However, that really was not the case a couple of years ago. So we take these main point two main points into consideration. On a whole, insured should feel much better about their premium pool to fund losses for 2023, but also much better about how insureds are handling and protecting against their exposures. So a lot of work from all parties has really gone into this from insurers, brokers and insureds. And I think the end result of that is a much improved and much more sustainable cyber insurance market for 2023. I also believe it's going to be a pretty competitive landscape for 2023. We've already seen some trends of more capacity entering into the Canadian market, whether that be from markets who hit the pause button on cyber over the past couple of years and are now reengaging or from new capacity entering into the Canadian marketplace and they see a tremendous amount of opportunity. We know cyber is a specialty product that requires specialty expertise. So I think it's very important to make sure that the market follows through on this in order to keep it sustainable for many years to come. It's certainly been a deliberate action from Axis over the past couple of years, and we're expected we're expecting big opportunities and very excited for the growth potential in 2023.
Paul: [00:03:24] Well, you're talking about trends for 2023. But if you don't mind, I'd like to flip the script a little bit and talk about the threats that are on the landscape as well. So can you pinpoint for us some of the the biggest cyber risk that brokers and the customers need to be alert to this year?
Michael: [00:03:41] Yeah, it's really a big question, Paul. I think there's a few key items to tackle here. A major industry concern continues to be catastrophic and systemic cyber risk Markets continue to build out their models to understand what the next big cyber event could be and also model out what its impact might look like. If we shift more to Canada. Specifically, we continue to navigate a changing regulatory environment, and that's both on a provincial and federal level, and we certainly cannot forget about ransomware. I really do think ransomware still remains a top threat. We understand how quickly it can impair business operations, really in any industry. And here in Canada, Ontario specifically, we've started off the year with a couple public and high profile incidents. And I think what's most noteworthy is perhaps the the ransomware model seems to be changing. It's evolved from simply a threat. Actor encrypts data for extortion, for a payment, and it's moved to more of a form of double extortion, where not only can they encrypt the info, but they're also exfiltrating the information and they now control it. So it's really interesting to see how it's evolved and will continue to do so. I'm actually quite curious and interested to see how AI technology enhancements might change ransom and malware and also the use of AI for social engineering, you know, the use of AI for deepfakes, how how AI technology can use to be used to learn and mimic voices within minutes. Certainly lots going on there. Very top of mind topic at the moment. I could certainly go down the rabbit hole, but I think I'll just leave it at that for now.
Paul: [00:05:26] Yeah, well, I'm going to go down a little down the rabbit hole, if you don't mind, and just sort of expand on this subject of threats, because as we know, bad actors are always looking for those weak spots in security. Perhaps you can give us some insight on some of the typical claims that your team sees that perhaps could be preventable.
Michael: [00:05:45] Yeah, for sure. So ransomware, as I mentioned, it's not going anywhere. And that really does lead the charge in terms of claims we are seeing whether that's through phishing attacks or business email compromise. I think majority of how they're getting into to the system can be lumped under social engineering umbrella term, but also funds transfer fraud being right up there as well as we're seeing some traction on that end. In terms of prevention, for me, employee cybersecurity awareness training has always been top of mind and I still believe it is the best first line of defense. Oftentimes employees click on links or attachments, and that is the entryway into their environment. So if businesses can educate their employees not only how to spot phishing attempts, but also on general cyber security concerns and trends, I think that really goes a long way. But the key thing is to make sure that it's ongoing and embedded within the company. I think that is the best way to create a strong cybersecurity culture throughout the organization. On top of that, Axis believes there are critical elements of a good cybersecurity posture, and those include multifactor authentication backed MFA. We like to see that both for remote Axis and privileged account Axis. You know, I mentioned it earlier. That's really one of the strong risk controls that's critical and at the forefront. And then we jump into other controls, such as implementing an endpoint detection and response solution, maintaining regular data backups, applying critical software security patches at a regular interval, and as soon as possible. The list certainly continues to grow as the threats evolve.
Paul: [00:07:30] You know, I think you've given us some some great tips for all the companies out there. But if you don't mind, just shed a little bit of that spotlight on yourselves as well. Tell me what the priorities are for Axis over the next 12 months.
Michael: [00:07:44] Yeah. Thanks, Paul. As I mentioned, Axis sees a tremendous amount of opportunity in the Canadian cyberspace at the moment. Customer proximity is more important than us forever. What's key for us is identifying that different brokers, different markets really have different needs. Each of our insureds have different needs. So we're keen on differentiating, differentiating our products and services based on those needs. For us, that means taking a more segmented approach with a greater focus on the middle market space and also a renewed focus on a small market space. We acknowledge that there is a difference in how we need to tackle these segments. It's really not a one size or one approach fits all, so Axis is really working to ensure that we can tailor our product so that it is fit for purpose. And what that means is making sure that our insureds have the resources they need at both ends, both pre incident and post incident, and also working with our broker partners to ensure their service needs are being met. Whether whether that be fast and efficient quoting capabilities and the small market space or a more tailored underwriting approach for the mid to large sized entities. There's certainly going to be a lot more to come from Axis in 2023, and I really think we're primed to deliver as a specialty leader in the cyber market.
Paul: [00:09:02] In an exciting year for Axis. And clearly the cyber market is going to maintain its spot as the industry's hot topic. Michael, it's been great to have you with us. And of course, if you want to learn more about cyber or indeed any other area of the insurance market, then make sure you stay where it's hot. And that's right here on Insurance Business TV.