This interview is part of a special report published by Insurance Business Canada.
In a discussion with Insurance Business Canada, Trisura’s assistant vice-president of professional solutions, Michael Kalakauskas, weighed in on some of the biggest cyber concerns facing brokers in 2020.
IB | How is the cyber insurance market shaping up in 2020?
MK | The cyber market has been very volatile for most of 2020. We have seen pricing increases range around 10% to 50%, as well as a substantial increase in deductibles. Furthermore, most markets are reducing their capacity, with limits being greatly lowered on both third-party and first-party coverages. While some markets have pulled back, others have increased their appetite and capabilities. It’s a very interesting time in the cyber insurance world.
From a cybersecurity trend standpoint, the sheer volume of cyberattacks and compromised personal information on a worldwide level is at an all-time high and will only continue to grow with the expansion of things like company interconnectivity, the Internet of Things, the use of cloud services, artificial intelligence and machine learning, automation, and small to medium-sized business vulnerability. These trends point to the need for all organizations to increase their security and awareness in protecting themselves against cyberattacks and data breaches. Cybercriminals and attacks are only getting more sophisticated, so as an industry, we need to keep up with and respond to emerging threats.
Another important trend is the evolving landscape of international data privacy laws and government/regulatory body involvement. These new or updated laws – for example, GDPR in Europe or PIPEDA here in Canada – are making companies move from a reactive approach to a proactive approach towards cybersecurity. We’re now seeing a greater focus on system security and the ability to safely store and use personal information.
In terms of cyber coverage, brokers need to be aware that third-party liability coverage for data breaches is only one piece of the overall cyber insurance puzzle. The trends from a coverage standpoint – and the most common causes of current cyber claims, in our experience – are ransomware, social engineering and business interruption. Not all businesses carry large amounts of personal data that may be targeted in data breaches; however, all businesses are dependent on computers, cell phones and the internet – things that ultimately make them vulnerable to different types of cyberattacks. The one thing that all companies do hold is employee data, which exposes all companies, regardless of size, to a potential data breach.
It is easier to target small and mid-sized companies, as they may not have adequate security measures and resources in place to protect themselves. To safeguard against today’s cyberattacks, small companies must reassess their security position and ensure adequate measures and controls are implemented, including the purchase of cyber insurance coverage and speaking with a true insurance professional.
IB | How has the COVID-19 pandemic – and the accompanying increase in remote work – impacted the cyber insurance market?
MK | COVID-19 remains a challenge for the insurance world. The cyber insurance market should be very concerned with heightened cyber exposures while people work from home with lesser security, employee awareness and procedures. This is the perfect time for cybercriminals to make their move, and we’re already seeing phishing attacks and viruses on the rise in every sector. Also, when working from home, it’s harder to react and deploy an incident response plan or disaster recovery plan, which may result in more frequent and possibly more severe attacks.
It’s a time of great stress and worry, and people are paying less attention. Things that might impact cybersecurity during COVID include older/out-of-date computer software and antivirus software/firewalls, a lack of cybersecurity procedures/policies, a lack of encryption protocols, infrequent password changes, audits not being performed, general misuse of computers and emails, and employees not on high alert. We must all stay vigilant.
IB | Which client groups should be the target markets for cyber insurance this year?
MK | All businesses – small, medium and large – have cyber exposures, and each company should be having conversations with their insurance broker about adequate cyber insurance coverage and risk transfer options. That said, I would prioritize some of the industries that have not previously bought cyber insurance on a widespread basis. Industries including finance, banking, healthcare, retail and hospitality – all well known for holding and using personal information – have already been exposed to cyber insurance and the risk of data breaches. Industries like construction, transportation and manufacturing, as well as smaller professional offices, however, are slowly being exposed to cybersecurity needs and do need more awareness in this space.
At Trisura, we are trying to increase the exposure of cyber insurance with all of our small to medium-size business clients, regardless of industry type. As mentioned, it is easier to target small and mid-size companies, as they may not have adequate security measures and resources in place to protect themselves. Trisura has a large surety book that comprises clients of all sizes in the construction industry – for example, builders, developers and contractors – and with them being more reliant on technology and computers, it is imperative that we offer cyber solutions as part of their overall insurance and surety bonding package. Likewise, we insure many small to medium-sized professional offices for errors & omissions insurance and directors & officers liability, and we are currently trying to target them for cyber coverage as part of their insurance portfolio.
IB | What features should brokers look for in a cyber policy today?
MK | Overall, good cyber insurance provides coverage for both an insured’s first-party and third-party losses associated with a network security breach, as well as the loss, theft, or unauthorized disclosure of personal information or confidential corporate information. The coverage should include expenses related to breach notification, extortion threats, public relations, credit monitoring, forensic investigation, defence costs, the costs of judgments or settlements, regulatory claims, business interruption and media liability, among other things. The reality is, every business has an exposure and should be protected accordingly. Exposures come in the form of employee information, customer information, internet access, electronic and network activities, and the overall use of technology.
Specifically, the most important element of any good cyber insurance policy is the claims handling service and response team associated with it. A cyber insurance policy should give clients access to experts in all fields of cybersecurity and make them feel comfortable throughout the whole process, whether it’s a full-blown claim, a possible breach or a system hack. The response team should be quick, flexible and able to handle any type of scenario. A good response team should include law firms and breach coaches; forensics and investigation professionals; public relations and communication specialists; and breach notification, identity repair and credit monitoring firms.
Legal experts can help minimize the risk of litigation and fines in the wake of a breach. They can provide legal advice based on your specific incident, such as determining how to notify affected individuals, government agencies, third parties and others who may be impacted. The law firms and breach coaches can also manage breach response teams and oversee all aspects of the response.
Forensic and investigative providers can advise your organization on how to stop the current data loss, prevent further harm and secure evidence as necessary. They can also determine where, when and how the breach or hack occurred, analyze data sources to determine what information has been compromised, and assist in data restoration.
Public relations providers can help develop both the internal and external communications needed during an incident, as well as oversee crisis management services. They can also provide advice on how to best position the incident to key audiences, update social media and help manage media questions related to the issue. Breach notification providers can help in the form of credit monitoring, credit reports, call centre services and direct mailing campaigns.
IB | If brokers are looking to sell cyber insurance to a client for the first time, what key points should they stress?
MK | All businesses, regardless of size and industry type, have cyber exposure. Regardless of whether they hold or store their customers’ or suppliers’ personal data or corporate information, these businesses have data on all of their employees and stakeholders that is at risk. Furthermore, all companies are reliant on computers, cell phones and the internet and therefore are susceptible to loss in the event of a cyberattack like ransomware, a hack, data loss, payment diversion or phishing, malware, and software or hardware failure.
Cyberattacks are indiscriminate and could come from anywhere. Even if it’s not from an attacker, one of the biggest forms of cyber exposure is the error of an employee clicking the wrong link, sending an email to the wrong person or leaving an unencrypted laptop or cell phone at a public place. Giving a tiny window of access to someone is all it takes. Cyber exposure could come from anywhere, and if it were to happen, it could give rise to significant financial loss.
My rule of thumb is to advise businesses that cyberattacks are not a matter of if but more of a when, and whether the company is able to withstand the financial impact of such an attack or loss. If it is not, or the business would like some additional protection, then cyber insurance is a key to their risk management process, no matter their size of business.