“Buying cyber is the last piece of the risk management puzzle” - Chubb

“Buying cyber is the last piece of the risk management puzzle” - Chubb | Insurance Business Canada


A survey from a Silicon Valley analytics firm has revealed that cyber insurance take-up rates among Canadian companies are growing: the share of companies with full coverage cyber insurance jumped from 18% in 2017 to 40% in 2018. On the other end of the spectrum, the share of Canadian businesses that reported not having any cyber insurance dropped from 36% last year to 22% this year.

The survey’s findings reflect a pattern that one expert says is taking shape on the ground as cyber risks continue to evolve and the volume of submissions keeps rising.

“Over the last several years, Chubb has certainly seen an increase in marketplace interest from companies looking for comprehensive coverage,” said Matthew Davies, VP and product manager for professional, media and cyber liability at Chubb Canada. “There are new vectors of threat that we see on a regular basis and there are new things that people are thinking about – if I get hit by a cyber threat, that’s one thing, but what if I’m reliant on somebody else, like my cloud provider, or one of my customers and they get hit by a cyber event, how’s that going to impact me? The cyber market is continually evolving to think about new threats as they come out and new issues as they are contemplated or discovered, and where coverage is desired by the buyers for these kinds of exposures.”

Brokers are meanwhile recognizing that they have an obligation to talk about cyber with all of their customers, and Davies recommends they do a deep-dive of their clients’ risk profiles to find them the best coverage.

“It’s sitting down and doing an analysis with the client as to what they think their exposures are – if you handle private information, customer credit card numbers or account numbers, then you need to think about why are you collecting that information, what are you doing with it, who are you sharing it with, what are you doing with it when you finish with it, and how are you getting rid of it,” explained Davies, adding that business interruption implications should also be considered. “What would be the consequences if you couldn’t use your computer at your business for an hour, for a day, for a week, and being able to measure with the client what would be the financial consequences to the organization if you had a ransomware event that led to a business interruption event or that led to your private information being breached.”

Despite a move in the right direction, more than one in five Canadian companies surveyed still don’t have any cyber insurance – a gap that signals there’s more work to be done, and not just on the insurance front.

“The first line of defence is always going to be deploying proper risk management. Buying cyber is the last piece of the risk management puzzle. There’s no point in buying cyber if you aren’t prepared to handle an event anyway because it’s like buying car insurance – it doesn’t prevent you from getting into an accident; it’s going to help you manage the consequences of the accident,” said Davies, though he points out that many larger organizations do have cyber threats on their mind. “Boards are certainly asking questions of senior management about organizational readiness and governance, and the ability to be in compliance. Smaller businesses don’t necessarily have the resources to dedicate, but they still have an obligation to themselves to have plans.”

The easiest item to hit on a cyber preparedness checklist is to educate employees on recognizing suspicious emails from royals abroad seeking wire transfers and not plugging flash drives discovered in a parking lot into a computer. Making sure systems are up to date and investing in software upgrades is another important to-do.

With industry giants like Air Canada not being safe from breaches, all companies need to take ownership of their own cyber risks.

“Every organization has a cyber exposure, whether they collect private information or not. They can be victimized by a ransomware event and it’s not a failure if you actually are a victim – you’re joining a large group of people,” Davies told Insurance Business. “It’s really how you deal with it and how you respond to it, how you mitigate it, how you get yourself back up on top and how you manage your customers’ expectations that are more important than anything else at the end of the day.”