
Cyber Risks: Implications for the Insurance Industry in Canada

By Insurance Institute

New Cyber Risks Report Has 3 Key Findings

The Institute has produced a new cyber report, Cyber risks 2019: Implications for the insurance industry in Canada. It builds on the findings of a 2015 report that assessed the state of cyber security and impacts on insurance. The new report analyses the risks in today’s market and draws three key conclusions that every insurance professional needs to know.
1. “It’s really bad out there. Protect yourselves!” – The insurance industry is susceptible to attacks.
The risk of malicious cyber attacks continues to grow in severity and complexity as we become more interconnected with the Internet of Things, cloud computing and 5G in the future. The nature and volume of the attacks continue to evolve and escalate, representing a threat to society at large, including the operations of the insurance industry in Canada.
There is a growing understanding that disruptions will be experienced even with the best protective efforts in place, and it is essential for everyone involved in the industry to plan for how to minimize the consequences of cyber attacks. Insurance companies, brokers, agents, adjusters and other parties must do more to protect themselves and their customers. A commitment to cyber security goes beyond the IT department, and includes employee training, and having processes in place to ensure early detection and a quick and comprehensive response.
2. “We can sell this!” – The cyber market is young and there’s a lot of opportunity out there.
Cyber coverage is recognized as higher risk than established lines due to a lack of historic experience and the ever-changing nature of cyber attacks. Yet, the product now generates considerable revenue, representing what may be the fastest sustained growth for any line of business.

In the 1990s, most insurers worked to exclude cyber risks from basic commercial liability and property coverage. In the last decade, they began introducing stand-alone cyber coverage or package policies, and most recently, coverage has shifted and broadened to account for emerging risks and the growing dependence on third-party technology and cloud service providers. Coverage can include business interruption, supply chain disruption, access to an incident-response team, and even loss of income directly resulting from adverse media attention and loss of reputation following an actual or alleged event.

Meanwhile, at the individual level, coverage for identity theft and fraud is offered as an optional endorsement or included in basic coverage for homeowners and tenants, and has been widely available for more than a decade.

With growing acceptance by businesses across Canada of cyber insurance as an effective risk transfer tool, there is opportunity for the insurance industry to position cyber insurance as an important element of cyber security management.
3. “We need a seat at the (policymaking) table” – The industry is currently paying about 1% of total losses, and policymakers are unsure of the role insurance can play.
There is a lack of knowledge about cyber protection options. Consumers and policymakers in Canada are often unaware of the identity and fraud protection available from personal lines insurers. Cyber security policymakers, cyber experts and consumer advocates appear unfamiliar with cyber insurance coverage available to businesses.

The absence of historic data has made it difficult for the industry to respond to current risks, and more information about the frequency, severity and nature of the attacks can greatly improve that response in the future.

Insurance is the business of managing risk and the insurance industry has the potential to play a much larger role in society’s management of cyber threats. Insurance is an essential part of how Canadians already manage the risk of vehicle collisions and damage from fire and is recognized as critical for managing the risk of physical damage from flood, climate and seismic risks. Cyber protection needs to become a normal part of the conversation in the same way.