In the first year that Canadians companies were subject to mandatory breach reporting regulations under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), a total of 680 breach reports were submitted to the Office of the Privacy Commissioner of Canada (OPC). That’s six times the volume that regulators received in the same time period the year prior, and it offers a clear picture of the challenge Canadian businesses face in the cyber realm.
According to the 680 data breach reports submitted to the OPC between November 01, 2018 and October 31, 2019, the number of Canadians affected by data breaches was well over 28 million. A couple of notable incidents include the Desjardins Group data breach reported in June, which impacted 4.2 million members of the financial services co-operative, and the Capital One breach, which affected six million Canadians and 100 million in the United States.
Against this backdrop, it’s no wonder that the cyber insurance market in Canada is thriving. There are many well-established insurance players offering solutions in the market, such as CNA, Chubb and AIG for domestic capacity, as well as Beazley and CFC out of London. Despite a number of high-profile, high-severity, and highly publicized cyber events, there remains ample insurance capacity in the marketplace.
Jacqueline Detablan, vice president, specialty, at CNA Insurance, commented: “There’s a significant amount of capacity in the market. A tower for most large accounts can be built quite readily up to $300 million. The appetite for the primary middle market business depends on the industry, the risk management controls, and the loss history.”
However, like all relatively new markets, cyber insurance has its challenges. Over the past few years, there has been a lack of consistency among markets around policy pricing, terms and conditions, possibly due to the general lack of historical data for actuarial analysis.
“Some markets are needing to adjust their portfolios,” Detablan commented. “Rates depend greatly on the risk at hand and developments to cyber concerns in a specific industry. Large complex programs are seeing modest rate increases, whereas a standard middle market account can generally expect a flat renewal. This does, however, depend on the terms which have been presented.”
The lack of consistency in the marketplace presents challenges for insurance brokers, according to Detablan. Cyber is a “tough product to place” because there’s a lack of standardization in terms of coverages, underwriting criteria and pricing, she added.
This is something that the broker contingency has been arguing in Canada for some time. As Greg Eskins, managing director, specialties leader, Marsh Canada, put it: “Really, what we want to do is reduce complexity. We want to get some certainty to an insured around exactly what risk they’re transferring.”
It should be possible for insurers to offer unique solutions with a common set of terminology, according to Greg Markell, president and CEO of Ridge Canada Cyber Solutions. He said: “There’s an opportunity to create consistency around the intent of what it is we’re trying to cover. One of the really good signs we’re seeing is that broker partners are investing in this. There’s more research being done, and there’s more time being spent on the dissection of the cyber insurance product. There’s absolutely room for improvement and we’re pushing towards that as an industry across the board.”
While common terminology in cyber might not be on the cards for 2020, there’s plenty more room for learning and development in the Canadian marketplace, which should bring more standardization, according to Detablan. She said: “Reinsurers are in a position to drive consistency and discipline in the market. They’re also in a position to educate the market on larger portfolio trends, given that individual carrier portfolios remain relatively small and there’s a lack of data in general.”
