Which industries in Canada are most in need of cyber insurance?

Vulnerable sectors have one "common denominator"

By Mark Rosanes

Amid the rising threat of cyberattacks, an increasing number of businesses in the country are turning to cyber insurance to manage their risks, a recent study conducted by the Canadian Internet Registration Authority (CIRA) has revealed.  

The organization polled a national representative sample of 500 IT specialists between July and August last year and found that the majority, or 59%, of respondents said their companies have taken out cyber coverage as part of their cyber defence measures. Half of these businesses have purchased cyber cover as part of their business insurance policies, while the other half bought a separate “cybersecurity-specific” policy.

The findings also showed that many of those surveyed were concerned that the pandemic has triggered a rise in cyberattacks against Canadian enterprises. According to the research, more than a third, or 36%, of businesses believe that the volume of cyber incidents has increased because of COVID-19, up 29% from when CIRA conducted the survey at the onset of the coronavirus outbreak in 2020.

“[In 2021, the] adoption of cybersecurity insurance is growing in parallel with the growing number of cyberattacks,” CIRA wrote in its analysis of the survey results. “At the same time, expenses are soaring due to hefty ransoms paid to hacker groups and massive fines paid to regulators policing the storage and transfer of personal information online.”

Are cyber insurers getting picky about who they cover?

According to CIRA’s analysis of the survey results, the spike in cyber insurance applicants and their perceived levels of risk have created a situation where “the insurance providers can be pickier about who they cover and what requirements they can ask of their clients.” These requirements include having cybersecurity measures in place and having them regularly audited by third-party specialists.

The study also revealed that most businesses reported their brokers making at least one change in their cyber insurance policies in the past year. Increased premiums topped the list of these changes at 35%, followed by “requests for new forms of proof/verification of cybersecurity measures being in place” at 34%, and revised eligibility requirements for obtaining or renewing coverage at 29%. About a quarter of respondents also said that the reimbursement amounts for ransomware attacks were reduced.

“Stepping back and taking a wider perspective of the cybersecurity insurance picture shows an industry that’s still emergent and still agreeing on the standards,” the organization explained. “The increased risk environment puts the power in the hands of insurers, who can demand higher premiums from customers while putting more escape clauses in their contracts.

“That leaves some companies either wondering if it’s worth it to buy cybersecurity insurance, or if it’s worth it to continue paying rising premiums. Considering the potential impacts of a cybersecurity attack against the difficulty in securing it and the costs of recovery might help factor into the calculus of buying a policy.”

What kind of coverage does cyber insurance provide?

In its cyber liability insurance guide, the Insurance Bureau of Canada (IBC) pointed out the importance of having sufficient coverage against cyber risks for businesses across the nation.

“We live in a time when many organizations do all of their activities electronically, and the majority of their assets are in the data they collect,” the bureau explained. “There have been several high-profile personal information breaches that have compromised tens of millions of records and cost the affected companies millions of dollars.

“Organizations that rely on an online presence and use e-commerce as a distribution method or have employees who carry electronics that hold customers’ personal, commercial, or financial information should contact their insurance representatives, who can help them find coverage to best protect themselves.”

According to the IBC, a good cybersecurity policy provides a range of coverage, including:

  • Regulatory defence expenses: These include civil fines a company incurs while responding to a regulatory proceeding resulting from a data breach.
  • Legal and civil damages: Cyber policies cover defence and settlement costs incurred from lawsuits brought by clients due to privacy or network security breaches.
  • Cyber breach remediation and notification expenses: These include costs associated with notifying consumers that their data may have been compromised in a breach and managing a cyber incident.
  • Crisis management costs: Cyber insurance may also cover the costs associated with hiring a public relations firm to protect a company’s reputation following a cyberattack and the implementation of any measures the public relations firm has recommended.
  • Forensic investigations: Cyber insurance covers expenses incurred in the investigation and removal of a cyber threat, including the cost of hiring IT professionals, who review the company’s systems and backups, and determine the scope of a cybersecurity breach. Policies can also cover the cost of business interruptions caused by the cyberattack.
  • Computer program and electronic data restoration: Cyber insurance covers the cost to restore or recover damaged or corrupted data caused by a cyber incident.
  • E-commerce extortion and reward payments: This type of cover pays out the cost of hiring a professional negotiator and potential ransom payments for a cyber extortion event.
  • Business interruption and additional expenses: Policies may also cover income losses and other costs incurred due to an interruption in services.

Which industries in Canada are most in need of cyber insurance?

Several studies have been conducted to determine the industries that are most vulnerable to cyberattacks. The results vary depending on which organization did the research, but one common denominator is that the sectors found to be most at risk were critical infrastructure providers.

IBM Security’s X-Force Threat Intelligence Index 2022, for instance, revealed that manufacturing was the most attacked industry last year, registering nearly one in three cyber incidents. This is above the global average of one in four. The sector unseated financial services at the top of the list, with financial services dropping to a tie for third.

Energy-related businesses, meanwhile, climbed to second place, accounting for 21% of all cyberattacks in 2021. The industry surpassed healthcare and financial services, which include insurance, with each sector taking up 16% of all attacks against Canadian businesses.

These findings reflect those of a ransomware trend report published by the Communications Security Establishment (CSE) – Canada’s foreign signals intelligence agency – at the end of last year showing that the energy, healthcare, and manufacturing industries are particularly prone to this type of attack.

Of the 235 ransomware attacks against Canadian organizations the agency recorded between January and November 16, 2021, more than half of the victims were from these sectors.

Meanwhile, in PwC’s Canadian Cyber Threat Intelligence report, the telecom and technology sector topped the list of industries that are vulnerable to cyberattacks, experiencing 14.1% of all incidents. This was followed by healthcare at 11.9% and government agencies and other public entities at 11%. Retail, finance, and manufacturing rounded out the top six sectors in the accounting giant’s list.
