Cyber security needs to be "democratized" for small businesses

Cyber security needs to be "democratized" for small businesses | Insurance Business Canada

Working in cyber insurance is “not for the faint of heart,” according to Greg Markell, president and CEO of Ridge Canada Cyber Solutions, who said he’s “lost a significant amount of sleep” over the current cyber market, which is under extreme pressure due to the rising frequency and severity of ransomware attacks.

The situation’s not all bad, the cyber specialist stressed at the Insurance Bureau of Canada’s 2021 Commercial Insurance Symposium. He pointed out that the cyber insurance market in Canada has grown from about $135 million in gross written premium (GWP) in 2019, to approximately $222 million GWP in 2020. That is good news because it means more businesses are buying cyber insurance.

However, the losses consumed by the industry have also increased, and at a far higher rate than the growth in GWP. That is partly due to the fact that cyber threat actors have become “far more sophisticated,” according to Markell, and that businesses’ investments in cybersecurity controls and defences are being outpaced by savvy cyber criminals.

“Ransomware has been a major player in loss ratio development within the cyber world. The instances have increased in both frequency and severity,” said Markell. “Impact-wise, the demands have gone way up. You used to be able to get in and out of a ransomware incident pretty quickly - and by pretty quickly, I mean a couple of weeks. However, those times are gone.

“The sophistication of the attack patterns has also increased significantly. There’s double extortion tactics, which are just crippling organizations now. The threat actors are extracting data in order to get people back to the table in the event that they can try and restore from backups by threatening them with privacy exposure, and the threat of potential regulatory work.”

Those trends, on top of increases in legal costs and potential notification costs to affected individuals whose personally identifiable information has been exposed, have compounded into “major headwinds” for the cyber insurance industry, according to Markell, who added that rate increases alone are not going to fix the current market imbalance, which is being largely dictated by the threat actors.

To this day, only about one fifth of Canadian businesses buy some form of cyber insurance. This is a “major exposure” that needs to be addressed, said Markell, but so far that’s been easier for some businesses than others.

He explained: “There are some control elements that need to be more widely adopted. Historically, some of them have not been democratized for small business at this point, so there’s a bit of catch up that’s going to happen over the next couple of years in terms of technology adoption across the SME market in Canada.” 

The underwriting requirements for cyber have not yet been standardized, and, as a result, there is a broad swath of coverage conditions for insurance brokers and insureds to sift through, understand and implement. The one control that most (if not all) insurers are requiring these days is for businesses to enable multi-factor authentication (MFA) across their organizations.

In addition to MFA, there are other things that businesses can do to help protect their organizations, including conducting regular employee training, having a secure remote desktop protocol, and if the security budget allows, implementing endpoint detection and response tools. Contrary to popular belief, a lot of these risk mitigation strategies are inexpensive, Markell noted, and can be adopted by SMEs. Those that do implement security controls will have more luck securing affordable cyber insurance in what has become a rapidly hardening marketplace.

Moving forwards, Markell hopes for “more stability” in the cyber insurance market. He commented: “We know that next year, there’s probably not going to be much in the way of new capacity in terms of capital flowing in through reinsurance. If there’s no reinsurance capital coming in and flowing down into the direct markets, then prices are going to go up, because demand for cyber insurance is continuing to increase.”

The issue for small businesses is that the wider cyber underwriting community is making better returns, focusing on larger placements and larger towers that are occurring in countries other than Canada, Markell explained.  

“But if we look at our general population being 1.197 million businesses out there, and 97.9% of them being deemed small, they’re not buying towers,” he said. “So how does that get democratized? I think over the next little while that risk management element is going to be paramount in order for the cyber insurance world to even survive in this country, because rate alone is not going to fix the issues that we’re having.

“There’s a whole lot of communication [and education that needs to happen], and to a certain extent, democratization of security tools. Coming from the security community, I think there’s got to be a lot more collaboration, and we’re starting to see some really great stuff happening. Then, in five to 10 years, if there’s a little bit more stability and capital continues to flow back into the market, then I think we will start to see certain classes become more insurable, because right now there are certain classes out there that … I don’t know if there’s capacity for them.”