What P&C insurers can expect from OSFI next year

Cyber preparedness features prominently in the supervisory strategy of Canada’s solvency regulator for the 2026-27 fiscal year.

The Office of the Superintendent of Financial Institutions (OSFI) released its Annual Risk Outlook last week. Among its insurance priorities for 2026-27 is “conducting targeted supervisory work on cyber preparedness and third-party risk related to critical outsourced operations.”

Third-party cyber risk remains a concern for Canadian businesses, according to research commissioned by commercial insurer QBE Canada last June.

More than half of Canadian businesses (53%) have experienced a cyber event in the past 12 months, QBE’s study found. Fifty-eight percent of those businesses said the events were supply chain- or vendor-related cyberattacks. QBE Canada’s survey included 400 IT departments in Canadian businesses.

For selected property and casualty insurers, OSFI says it will conduct thematic monitoring of cyber insurance underwriting and the emerging coverage of artificial intelligence.

“For selected insurers, we plan to conduct targeted cyber and technology risk reviews as well as ongoing monitoring of business integration and risk oversight of AI,” the regulator says in the report. “We will continue our intelligence-led cyber resilience testing for large insurers.

“For all insurers, we will review their response to cyber incidents and assess their cyber preparedness.”

Malicious cyber activities remain a “significant and evolving threat” to the financial sector and its critical service partners, OSFI notes in its annual risk outlook.

“Reported incidents demonstrate the growing sophistication of threat actors leveraging advanced and AI-enabled tools, which increase both the speed and scale at which cyber threats can materialize,” the regulator says. “Software vulnerabilities in common and required technology are expected to remain the most persistent and high-impact technology risk.”

For 2026-27, OSFI’s other two insurance priorities include a focus on ensuring carriers maintain resilience and sound risk management by:

• evaluating insurers’ responses to market volatility, including oversight of investment, liquidity, and policyholder behaviour risks, and
• assessing boards’ effectiveness in overseeing the risk appetite framework and alignment to insurers’ strategy as well as financial and capital plans

Continued resilience

For the insurance industry as whole, OSFI says Canada’s federally regulated insurers continue to demonstrate resilience amid persistent structural and cyclical pressures.

“The operating environment remains characterized by geopolitical uncertainty, elevated integrity and security risks, rapid technological change, and ongoing catastrophe-related losses,” the report says. “Competitive forces are accelerating shifts in operating and distribution models, as well as inorganic growth strategies, contributing to increased execution risks.”

Investment risks also remain elevated, OSFI says, reflecting continued market volatility. “This continues to expose insurers to reinvestment and valuation risk across asset classes. In addition, private market assets are playing a greater role in insurers’ investment portfolios, introducing increased opacity, complexity, and potential illiquidity constraints.”

In particular, P&C insurers face ongoing underwriting pressure, OSFI says. “Claims inflation, particularly in auto insurance, and a softening commercial lines market, test financial and operational soundness.”