This is the highest ranking cyber risk has received since the inception of the global broker’s survey, topping sixth place in 2019 and fifth in 2017.
The COVID-19 pandemic has created prime conditions for hackers and criminals to exploit cyber vulnerabilities. This has been seen clearly in Canada and elsewhere around the world, with threat actors targeting businesses of all sizes and sectors. In fact, the number of cyberattacks on corporations broke all records in 2020, according to Aon’s 2021 Cyber Security Risk Report.
In particular, insurers are experiencing a higher frequency and severity of ransomware claims, with the number of attacks exploding by 400% from the first quarter of 2018 to the fourth quarter of 2020. As a result, the cyber insurance market in Canada and worldwide has hardened dramatically, with insurers restricting coverage, increasing rates, and creating a more rigorous underwriting environment in order to reduce their exposure.
“Cyber is really the new problem child in the insurance world,” said Kevin Neiles, president of Western Canada & chief markets officer at Gallagher. “A rapidly increasing number of cyber liability incidents is causing a very cautious approach by insurers in this class. There’s a lot more aggressive ransomware and extortion activity going on continuously, and, as a result of that, carriers are putting lower limits on this coverage or eliminating it altogether.
“It will continue to be challenging in 2022, with significantly higher increases in premiums and in the self-insured retentions that clients are having to take. There are even coinsurance scenarios where the client becomes a co-insurer because of the lack of availability of full coverage.”
According to Aon’s Q3 Global Market Insights Report, the current pricing environment in Canada’s cyber insurance market is “very challenging,” with average increases of over 30% in the three months ended September 30. Given the frequency and severity of cyber claims, and the aggregation of exposures to specific types of attacks, such as SolarWinds, Aon reported that insurers are significantly reducing their capacity on any one risk. They’re also introducing “rigorous technical underwriting” with a focus on risk management and security controls.
Greg Markell, president and CEO of Ridge Canada Cyber Solutions, said the increase in frequency and severity of cyber incidents “have compounded into the industry facing major headwinds”. He added: “[For several years] pricing had been going south through the stock market. But now, looking at the actual loss patterns, the payouts, and the actual loss ratios, rate alone is not something that can change this.”
Continuous education around cyber risk management for insurers, brokers, and end-clients is key, according to Markell. He said: “I think there are some control elements that need to be more widely adopted […] We’re seeing standardization of multi-factor authentication [MFA] come across the entire organization. There are some other things that businesses themselves can do to help protect data – for example: back it up securely, back it up offline, have different copies of it, test your plans, test your back-ups, there’s no shortage of other things. And these things don’t have to be expensive, especially for small businesses.”
Neiles said he’s seen cyber insurance rate increases of 40-60% already in 2021, and “things don’t seem to be getting any better”. He added: “One of the things that’s becoming clearer is that insurers are looking to make sure that proper loss control measures are being put into place as the perpetrators of this ransomware and extortion are becoming more creative. A great example of that is multi-factor authentication, which is basically becoming a mandatory thing to have in place for remote system access. And many insurers will not even consider coverage if MFA is not in place.
“So, the other thing is ransomware demands keep on getting significantly larger in terms of the dollars that they’re looking for, and it’s causing many carriers to really reconsider their willingness to either be in the cyber coverage space or to offer coverages related to this. It’s definitely the most volatile area of all, and our team is really working extremely hard with our clients to get the best terms available, but it’s becoming increasingly more difficult.”
One challenge that brokers have, according to Markell, is that they’re trying to help clients reach constantly moving goalposts when it comes to cyber security. He said: “We know certain controls are very preventative against certain exposures, and so, having every end-user and every client working on a path towards becoming secure, and hopefully getting there, just to have the goalposts moved – that’s a challenge for the brokerage community.
“It’s an impossible story to communicate because if you’re constantly going to move the goalposts, then it’s just not going to be fun for anyone.”