Why public entities can’t lag private sector peers with cybersecurity measures

As the market responds to new regulations and threats, it’s imperative that entities invest

By Alicja Grzadkowska

The scope of the cyberattack that hit the city of Atlanta in 2018 might not have been replicated yet in Canada, but as small towns and other public entities fail to escape cyber perils, claims are starting to mount.

In fact, while claims stemming from public entities still make up a small percentage (3%) of overall claims found in the NetDiligence database, the number of claims has doubled every year since 2015, increasing from five to 10 to 20 in 2017, according to the 2018 NetDiligence Cyber Claims Study.

“We have seen ransomware events hit towns and municipalities of all sizes in Canada,” said Michael Phillips, previously with Beazley Canada and now the regional head of cyber, media, and technology claims for North America at Allianz Global Corporate & Specialty (AGCS). “For public entities, it is imperative that they invest in both cybersecurity and risk transfer mechanisms. They need to follow the private sector in this space. They have data of immense value, they have the sacred trust [of] their citizens, and they can’t lag their private sector peers when it comes to making sure that they’re secure.”

Mandatory breach notification regulations that came into effect last fall have helped increase awareness around the need for cybersecurity measures, including cyber insurance, but there’s still a big gap to plug in bringing companies, public or private, up to speed on the need for cyber defences.

After all, according to a study from Accenture, 25 Canadian companies recorded an average of 75 cyberattacks, or about 1.5 attacks per week, in 2018.

“I think claims examples for peers are still sometimes hard to come by,” explained Phillips, adding that finding examples of how a neighbour or competitor down the street experienced a cyber event could help drive awareness. “People don’t have the same fluency around that experience, and so they’re not sure what it would cost if they had an incident. The notifications have become mandatory, but there haven’t been enough mandatory notifications yet. I actually think that there’s still cultural learning and expectations changing that are still happening as a result of the November switch.”

One positive shift has been the more robust role that the Office of the Privacy Commissioner (OPC) of Canada is taking on in inquiries.

“It’s not just a ‘tell me what happened.’ They’re asking what kind of preparation did you have beforehand, did you have a plan in place before the incident happened, as well as did you take best practice steps to respond to the incident. They want to know that this is part of a company’s hygiene and best practices,” said Phillips. “Watching the Privacy Commissioner prepare their fact findings is a great opportunity to see the market change and see the risk be brought home to corporate boards and the like.”

The broker community can likewise lend a hand by continuing to bring up cyber issues to their policyholders. Phillips has seen brokers invest substantially in analytics and other ways to measure risks as well as understand the value proposition that carriers are bringing to the table, though there’s more work to be done.

“I do think there’s still a disconnect, and continuing to educate about the strength of the cyber market and the fact that we are paying exactly those claims day in, day out is a message that I want to [keep] bringing to the marketplace,” said Phillips.
