THE CYBER INSURANCE MARKET is showing signs of stabilization after two years of extreme volatility, characterized by high frequency and severity of claims, soaring rates, reduced insurer appetite, and strict underwriting and risk management requirements.
Contending with an ever-changing cyber-threat landscape, Canadian insurers have made corrective actions to reflect the increased frequency and severity of the risk. Adjustments to pricing and risk appetite – although challenging for insureds and brokers – are starting to have an impact. Rate increases are stabilizing as insurers gain more control over attritional losses and insureds focus on the implementation of cybersecurity controls.
There are many reasons for optimism in the cyber insurance market, according to the panel of cyber insurance experts gathered for the latest edition of IBC’s Executive Insights Series – but significant challenges remain, with the panellists expressing concerns about rising ransomware costs, risk aggregation or systemic events, and the significant cyber insurance coverage gap, among other things.
“The cyber insurance market is stabilizing. We’re seeing fewer drastic changes in terms of rating and limit contractions – but that still depends on the industry or class of business that’s being marketed,” says Angela Feudo, assistant vice president, professional solutions, Trisura. “We’re seeing a much more proactive approach in brokers getting ahead of renewals and coming to insurers a lot sooner in the process.”
Proactivity and preparation are key for brokers navigating the ever-changing cyber-insurance marketplace. Phil Baker, president of BOXX Insurance Inc. in Canada, says a cyber renewal is a different beast from a property or general liability renewal because brokers generally need more time to engage with clients and underwriters to ensure that all coverage requirements – in particular, cyber-security controls – are in place. The hard work doesn’t stop once the contract is signed. Baker says brokers should work with insurers throughout the cyber insurance policy term to monitor the insureds’ controls and help predict and prevent any potential losses.
Proactive risk management
There are nice-to-have and need-to-have cyber risk controls that will determine insurability and competitiveness in the marketplace. Underwriters are concentrating on several crucial controls at this time, including multi-factor authentication (MFA) – a defensive authentication method that requires users to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN – and having secure remote desktop protocol (RDP), which reduces visibility into the corporate network.
“Depending on the revenue threshold the client has, an endpoint detection and response [EDR] solution is definitely key. It’s one of the best preventers – with MFA working in tandem – to prevent ransomware attacks,” says Kelly McGuinness, production underwriting and business development lead at Coalition. “The segmentation of back-ups and different network capabilities, IT budget, and other things of that nature are also important.”
McGuinness adds that many carriers today will monitor the dark web to identify critical vulnerabilities, like the Log4j vulnerability discovered in December 2021, and alert clients to existing and potential problems. “The additional services that are being provided by carriers in the current environment are second to none,” McGuinness comments.“Cyber is not just a pure insurance product. A partnership approach [among carriers, brokers, and insureds] is key, and these value-added services are things that brokers should be aware of and clients should certainly avail [themselves] of.”
Lindsey Nelson, cyber development leader at CFC, believes this heightened focus on cybersecurity controls has factored into some of the rate relief and stabilization in the marketplace. She says, “Every cyber insurer is heavily invested in reducing the frequency of cyberattacks, using threat intelligence to their advantage, notifying clients of threats in advance, and preventing claims before they happen. A combination of more adequate pricing and that proactive risk-management approach has led to a much more positive picture for our broker partners and clients.”
Despite a lot of progress in the marketplace, there is still a very significant cyber-insurance coverage gap in Canada, particularly among small- and medium-sized enterprises (SMEs) – many of whom believe they’re not a target of cybercrime because they’re too small. However, endless claim examples show that size of business does not deter threat actors from knocking on the network doors of small businesses and engaging in a ransomware attack.
“There’s a lot of room to go in terms of cyber uptake,” says Nelson, noting that CFC estimates less than 15 percent of businesses in Canada purchase a standalone cyber policy today. “It is primarily an SME issue, and … I think accessibility for small businesses to be able to afford the coverage has certainly been one piece of it.
“I do strongly believe cyber should be the number-one product that brokers are talking to their clients about – and how often we talk about cyber needs to change. A quote should be presented to every single client, regardless of industry, because everybody with employees and a computer has an exposure. How we talk about the product also needs to change. We need to start looking at it as a services-led solution that works proactively to stop cyberattacks, rather than focusing on responsive wording for when an attack does happen.”
Baker concurs with Nelson on changing the conversation around cyber. He says, “I think we really need to de-emphasize the insurance component of the product. The insurance is secondary. What’s key is partnering with a company that can get in front of your exposures to predict and prevent losses from happening, and we need to educate our brokers and our insureds that risks are coming from new sources. Larger companies are used to buying large towers of cyber insurance, but they’re starting to push that risk down through the supply chain. So the smaller businesses are certainly a target, but [the larger businesses are] also going to have heavier burdens in terms of protecting their businesses from their suppliers.”
What lies ahead?
Looking ahead and making predictions are challenging in a marketplace where the only constant is change. However, all four panellists agree with Nelson that “it’s a very exciting time to be in cyber insurance” – saying that excitement can relate to the challenge of tackling a new cyber exposure or problem.
Feudo expects to see continued growth in the marketplace from existing and new purchasers of cyber insurance. She says, “I really do hope that we see more stable rating because I think everybody benefits from that as long as we’re at the right price and we don’t have these large fluctuations. I think we will also see an increase in limits requested. The larger companies are currently buying pretty large limits, but I think we’ll see those medium-sized companies start moving into those larger towers, whether that be from contractual requirements or future Canadian legislative changes within the privacy space.”
Baker eyes growth opportunities in a relatively untapped part of the cyber insurance market – personal risk. He explains, “As we’ve changed to this new way of working [hybrid or remote], the lines are blurred between home and business, so I think there’s going to be an increased demand for personal cyber insurance. We have so many devices in our homes that are now connected to the internet. When you add that all up, it’s billions of devices, so I think there’s going to be an increase in demand for personal products to protect our families and our homes.”
Meanwhile, McGuinness thinks the future will put more of an onus on insurance carriers to provide continuous solutions for active threat monitoring. “The archaic method of insuring and underwriting cyber is going to change drastically in the future,” she says. “Cyber is an ever-changing marketplace, and insurance carriers need to adapt alongside their clients to ensure they’re providing the best product possible.”
Originally published on Insurance Business Canada in October 2022