The massive Capital One data breach, which exposed the personally identifiable information of six million Canadians, brought many cybersecurity concerns to the fore. But one thing was loud and clear: individuals’ understanding of cyber risk and how to mitigate that risk with cyber insurance remains limited. The countless questions (‘What happens now? What do I do if my information was breached? Can I get any compensation?’) highlight that more education is needed in the cyber realm.
Shortly after the breach, the federal government of Canada announced a certification program called CyberSecure Canada, which is designed to educate small to medium-sized businesses about the fundamentals of cybersecurity. While this will have been in the works for some time, its launch date was timely given the explosion of public interest following one of the biggest cyber incidents of 2019.
Understanding of cyber insurance varies enormously among Canadian businesses. There are some who think the product doesn’t cover anything tangible, so they don’t buy it; and there are others who expect the product to cover absolutely every exposure that’s linked in some way to a computer, so they do buy it but expect too much from it. Then there are the people in between – essentially those sitting on the fence about whether to buy cyber insurance or not because they don’t really understand the scope of the product.
“I think that those who say cyber doesn’t cover anything, or are sceptical about cyber, are missing the mark,” said Brian Rosembaum, senior vice president, national cyber & privacy practice leader, Aon Reed Stenhouse Inc. “The cyber insurance policy has evolved at a very rapid rate to match advances in technology. As a lawyer, I’ve tried to develop and push the envelope on the coverages I’ve worked on over the past 15 years I’ve been with Aon, and I can tell you that in errors & omissions insurance and commercial crime, policy development has been snail pace. Enhancing those policies takes some time […] but cyber has evolved quickly and has tried to respond to the expectations of clients better than any other policy I’ve seen.”
In the past five years, the cyber insurance policy has changed massively. It now incorporates coverage for things like payment diversion fraud, social engineering, business interruption as a result of systems failure, computer systems betterment, bodily injury and property damage. In fact, the policy has expanded so much that it “has caused some confusion,” Rosembaum admitted. This confusion is especially true when a company’s cyber exposure is ‘non-affirmative’ or ‘silent,’ meaning that it’s not explicitly included or excluded in one of its other, more traditional policies, like commercial property insurance.
“It’s challenging to be able to offer insurance solutions or policy language that is addressing evolving risk,” commented Ruby Rai, manager, cyber and professional liability, AIG Canada. “Businesses are trying to translate that [evolving] risk with cybersecurity, but sometimes security and risk don’t always go hand-in-hand. I agree wholeheartedly with the statement that insurance policies have stepped up to this task. But I also think it has been challenging to extend the marketplace in terms of how many people are buying cyber insurance because, to be very honest, we’ve made it challenging for insureds and organizations to make that decision.
“Here at AIG, we’ve done a lot over the past three and a half years to try and understand our own cyber risk, and, during that course, we’ve gained a better understanding of how to underwrite the risks (especially those that have been hiding) and how to communicate those risks clearly and with more transparency with our brokers and our risk partners. It’s definitely a tough task for insurance markets, and also for insureds and organizations themselves when they’re looking at their risk profiles and thinking about how to plan their insurance portfolios around cyber scenarios that haven’t really happened yet.”
One of the problems in the cyber insurance industry up until now, according to Greg Eskins, managing director, specialties leader, Marsh Canada, is that everything has been too siloed, especially when it comes to underwriting. This is challenging when cyber risk impacts technology, and technology “cuts through everything that businesses do today,” he said.
Eskins added: “You get into an issue where there’s a lack of communication between departments, both on the insurance side, and on the client side for people who buy insurance on a portfolio basis. As an industry, we have to acknowledge our responsibility to reduce complexity from an insurance buyer’s perspective – but we haven’t done a wonderful job at that at this point in terms of removing some of the silos around the products themselves.”