David Papp Blog

Cyber Insurance Costs in Canada Are Impacted by These Factors

As Canadian businesses are increasingly targeted in cyberattacks, many are turning to cybersecurity insurance to mitigate risk, according to a recent study conducted by the Canadian Internet Registration Authority (CIRA).

The survey, which included a national representative sample of 510 cybersecurity “decision-makers,” discovered that nearly 60% of businesses in the country have purchased cyber insurance as the threat of cybercrime has steadily increased. Half of these businesses purchased cyber insurance as part of their general business insurance policies, while the other half purchased a separate “cybersecurity-specific” policy.

The study also found that many respondents believed the number of cyberattacks increased during the pandemic, with more than a third (36%) of businesses claiming that COVID-19 caused an increase in cyber incidents in 2021, up from 29% the year before when the coronavirus outbreak began.

In her analysis of the survey results, Erin Hutchison, product marketing manager at CIRA, wrote, “Adoption of cybersecurity insurance is growing in parallel with the growing number of cyberattacks… at the same time, expenses are soaring due to hefty ransoms paid to hacker groups and massive fines paid to regulators policing the storage and transfer of personal information online.”

According to Hutchison, the increase in cyber insurance applicants and their perceived levels of risk has created a situation in which “the insurance providers can be pickier about who they cover and what requirements they can ask of their clients.” These requirements include implementing cybersecurity measures and having them audited on a regular basis by third-party specialists.

The survey revealed that the majority of businesses reported their brokers making at least one change to their cyber insurance policies in the previous year. Increased premiums were the most common change, accounting for 35% of all changes, followed by “requests for new forms of proof/verification of cybersecurity measures being in place” (34%), and revised eligibility requirements for obtaining or renewing coverage (29%). A quarter of respondents also reported that reimbursement amounts for ransomware attacks had been reduced.

Hutchison also stated, “Stepping back and taking a wider perspective of the cybersecurity insurance picture shows an industry that’s still emergent and still agreeing on the standards… the increased risk environment puts the power in the hands of insurers, who can demand higher premiums from customers while putting more escape clauses in their contracts.”

She went on to say, “That leaves some companies either wondering if it’s worth it to buy cybersecurity insurance, or if it’s worth it to continue paying rising premiums… considering the potential impacts of a cybersecurity attack against the difficulty in securing it and the costs of recovery might help factor into the calculus of buying a policy.”


What Factors Influence the Cost of Cybersecurity Insurance?

According to a recent report from financial services giant S&P Global, premium prices in the cyber insurance and reinsurance market skyrocketed between 2021 and 2023, in some cases more than doubling, as the “protection gap” widens due to the pandemic.

The pandemic has also accelerated “digital transformation and systemic vulnerabilities,” resulting in massive economic and insured losses in the cyber insurance sector, according to the study. As a result of increased business awareness of cyber risks, demand for cyber re/insurance coverage has increased.

The report stated, “The pandemic exacerbated the huge cyber insurance protection gap by causing existing and new clients to request larger limits and more inclusions in their policies’ terms and conditions… In addition, some insurers are offering more advanced services, including value-added assistance services, and we have seen a shift from non-affirmative (silent) to affirmative (explicit) cyber coverage, leading to previously unrecognized premium volume.”

S&P predicts that insurance companies will continue to restructure their cyber offerings, raising rates further and adjusting their terms and conditions, including exclusions and payout limits, in order to increase retention levels.

Meanwhile, before deciding on which policies to purchase, businesses should consider the factors that influence the cost of coverage. Here are some of the major cyber insurance considerations for Canadian businesses:


1. Size and Industry of the Company

The number of people a company employs has a significant impact on cyber insurance premiums because it affects the company’s risk exposure.

On its website, cybersecurity firm WatchGuard Technologies stated, “Although SMEs in general have more discrete cybersecurity tools, the greater the number of devices, users, and systems an organization has, the larger its threat surface and therefore the greater the possibility of being the victim of a cyberattack… policies are tailored according to size and complexity.”

However, the industry in which the business operates is equally important in determining premium prices.

WatchGuard also stated, “There are sectors that are more prone to be victims of cyberattacks than others… apart from the number of cyberattacks suffered, insurers also take into account cases where the associated costs generated are sizable, such as the financial sector. Therefore, if an organization belongs to any of these sectors, policies will be more expensive.”

The manufacturing sector topped the list of most targeted industries in North America, accounting for 28% of all cyberattacks in the region, according to IBM Security’s latest X-Force Threat Intelligence Index. Professional and business services followed at 15%, then retail and wholesale at 11%.


2. Data Volume and Sensitivity

MicroAge, a Fort McMurray-based IT products and services provider, stated in an article on its website that each business faces a unique set of risks because each holds unique data.

The company explained, “The number of clients a business has, the data that is collected from these clients, and the sensitivity of the data collected are all factors that influence the risk levels of the business… The risk level will influence the requirements from insurers as well as the type of cyber insurance coverage and premiums businesses can apply for.”


3. Revenue

Insurance providers typically believe that businesses with higher revenue are more likely to be targeted by cybercriminals. As a result, these companies often pay more for cyber coverage.

WatchGuard noted, “Company revenue can be a major element in determining the maximum amount of losses generated by the cyberattack that the insurer covers, and this influences the cost of policies significantly.”


4. Cybersecurity Measures

According to the Insurtech firm Embroker, insurers frequently offer lower premiums to businesses that devote significant resources and efforts to preventing cybercrime.

“[To save on costs,] high-risk companies should educate their workers about these risks and employ experts to install security protocols, monitor hardware and software security,” the company stated on its website. “[Businesses should also] put together proper procedures and plans for what needs to be done if a cyberattack does occur.”


5. Types of Coverage

Foster Park Brokers, an Edmonton-based brokerage firm, noted that as the number of businesses experiencing data breaches has increased in recent years, so has the market for cyber insurance. However, unlike other types of insurance, cyber coverage does not have a “one-size-fits-all” approach, according to the firm.

They stated on their website, “Most cyber policies are offered a la carte, allowing policyholders to negotiate terms and conditions and purchase the coverage that fits their needs… To ensure your business has best-in-class cyber coverage, it is critical to assess your business and consider the specific risks you wish to insure. The level of coverage your business needs can vary depending on your range of exposure.”

Vendor acts and omissions, limits and sub-limits, panel and consent provisions, standard exclusions, and retroactive coverage are among the items related to cyber insurance policies that businesses should consider when developing the best coverage, according to the firm.