How Canada’s insurers can build more effective cyber programs
The cyber insurance product is growing exponentially in Canada, having increased from $20 million in premium five years ago to over $500 million today. While Canada’s cyber market has matured more gradually than some other regions, multiple new entrants and ambitious carriers are looking to drive toward a more sophisticated market.
In our experience, the most successful cyber carriers excel in three areas:
Thoughtful risk management and underwriting – While some domestic carriers do dabble in cyber, the most successful cyber carriers have a strong understanding of their policyholders’ businesses, IT environments and incident preparedness. This leads to better underwriting controls and coverage, and an improved approach to holistic risk management and risk mitigation.
Strong incident response – Cyber insurance isn’t just a risk transfer tool. Worthy offerings also integrate proper incident response resources and protocols. Canada’s cyber coverage clients include a sizable population of small- to mid-sized businesses that don’t always have sophisticated crisis response plans. When they purchase cyber insurance, they’re not just buying a policy. They need a full suite of incident response services.
We normally see two different approaches to incident response services. In the first, carriers build their own in-house programs. While this is an effective way to ensure policyholders have the resources to quickly respond to incidents, it is also expensive for the carrier, requiring the hiring, training and ongoing development of a highly skilled team that must be on call 24/7.
Related: Can cyber insurers continue to control loss ratios?
As an alternative, some carriers contract with third-parties to provide similar incident response services for policyholders. Carriers choosing to do this must find providers that offer tailored services and in-region technical expertise, along with a network of ancillary experts such as breach coaches and incident response firms. An integrated partnership that understands the policy, process and the carrier’s claims philosophy is key. Like an in-house team, this option enables a fast, effective response following cyber incidents.
More sophisticated policyholders may build programs that give them discretion over who they work with, particularly if they have existing or preferred IT partners. While this can make sense from an organizational perspective, carriers must understand their line of sight into the organization may be reduced and try to incentivize a collaborative approach to incident response and loss mitigation. This can be done by introducing a loss adjuster or similar function to remove the uncertainty surrounding cost control and coverage.
Comprehensive education – Carriers that strive to educate brokers and policyholders about cyber risks and preparedness best practices regularly see success from those efforts. A lot of cyber vulnerability is tied to human error – business email compromise, social engineering and fraudulent instruction attacks are all high-frequency events that can be mitigated with education.
Related: Do cyber policy exclusions apply to AI-driven fraud?
For a high-severity incident like a ransomware attack, emergency preparedness and speed of response drive successful mitigation. Ensuring stakeholders are familiar with their incident response protocols and coverage will ensure that quick, collaborative steps can be taken. Beyond helping policyholders understand and protect against these vulnerabilities, it’s important to revisit and re-educate policyholders after an incident, or as the threat landscape changes. This will ensure ongoing cyber hygiene and reinforce strong underwriting practices.
As Canada’s cyber market accelerates, new entrants will be drawn in and push additional organic growth. This will inevitably produce more sophisticated cyber markets and opportunities for cyber underwriters in the Canadian marketplace.
Rob Holmes is national director for Global Technical Services Canada at Crawford & Company.
