In an environment where data is currency and breaches damage reputations, Greg Markell sees Canada slipping behind.
“We were the first country in the world to have mandatory notification requirements at a federal level... that was November 1, 2018,” said Markell, president and CEO of Ridge Canada. “We’ve gone from a forward-thinking [landscape] to being so far behind that it's going to be difficult to catch up.”
Markell said the insurance industry needs to confront an inconvenient truth: traditional privacy insurance no longer meets the complexity of global regulation or the rising tide of cyber risk. As the EU, California, and New York move forward with aggressive privacy frameworks, Canadian reform efforts – like Bill C-26 – remain stalled. “I'm hopeful that our federal government actually puts forward some guidance... to bring us back into global relevance,” he said.
For insurers, the gap is more than policy – it’s market relevance. “Overall privacy laws globally [are] reshaping things,” Markell said. GDPR-style models have set new standards, yet many Canadian insurers still treat privacy coverage as a bolt-on to cyber insurance.
That’s no longer viable. As Markell explained, cyber policies address the breach itself – technical failure and system compromise – while privacy risk involves fallout: data exposure, reputational harm, and restitution.
“The privacy component can be a trigger,” he said. “How do you make those people whole? How do you make them feel like their information is not being frivolously used?”
“The biggest piece of advice I can give... is harmonizing that plan with your cyber insurance product.”
That means more than writing a bulky plan. “This doesn't need to be an exercise to produce a 200-page document,” he said. “Small businesses still need to know who to call, what the policy covers, and where the gaps lie.”
Brokers, Markell stressed, are essential to execution. “We always involve our broker partners,” he said. Their established relationships accelerate claims and strengthen client communications. “Those channels of communication being opened up can be very powerful.”
In sectors like healthcare, finance, and education – where data is valuable and regulation tight – tailored approaches are emerging. But the post-hardening market needs caution. “Pragmatism and control-based underwriting needs to be looked at, as opposed to just throwing coverage options to try and market-make,” he said.
That’s especially true in sectors with operational technology (OT), like healthcare or energy. “Segment by segment, market by market, risk by risk,” Markell said. “All of the threats they are facing are also evolving very, very quickly.”
Persistent gaps remain. Regulatory fines, for instance, are often misunderstood. “Where, in what other sectors are they ever covered?” he said – clarifying that coverage only applies “where coverable by law.” Legal defence, however, is generally included. “There is always coverage in our policies to help make sure that you are represented well.”
Third-party incidents are another blind spot. “How do you underwrite to someone else's systems?” Markell said. The answer lies in data control and vendor contracts. “If you're not controlling that through your vendor agreements... how is it looking at being covered under your own risk transfer contracts?”
Again, brokers are key. “It’s a wonderful opportunity for brokers to showcase their expertise,” he said. “Where can you tolerate this? Where can you contractually transfer it?”
While microbusinesses may struggle to build tailored programs, Markell sees opportunity in the middle market and above. “If clients and brokers are willing to dig in,” he said, “the customization is possible.”
Ultimately, his warning was clear: the global privacy regime is advancing fast – and cybercriminals aren’t waiting. Privacy insurance must evolve now to stay relevant.