“Financially, it was a horror movie”
Perceived a few years ago as the product of the future, cyberinsurance has instead become an unprofitable burden for insurers. Caught between cybercriminals who are more active and greedy than ever and the scarcity of insurance available, companies must juggle considerable increases in premiums and tightened admission criteria. The market is “in a serious period of correction”, note experts.
All professionals interviewed by The Press observed that cyber risk insurance premiums had increased considerably for at least two years, a phenomenon that is still poorly documented and for which there are no overall statistics.
“In some cases, we are talking about increases of more than 100%,” notes Imran Ahmad, chief, technologies and cybersecurity, at Norton Rose Fulbright Canada.
The Canadian Federation of Independent Business (CFIB) and the Regroupement des cabinets de courtage d’assurance du Québec (RCCAQ) are currently preparing studies on this subject. The former president of the latter organization, Jean-Pierre Tardif, knows a lot about it: in one year, the cyber risk insurance premium for his firm, Assurancia Groupe Tardif of Thetford Mines, went from $14,000 to $32,000, an increase of 129%. “Financially, it was more than a horror movie,” he sums up.
The same observation applies at the Société de transport de Montréal (STM), which suffered “a significant increase in [the] premium with a reduction in coverage,” said spokesperson Philippe Déry by email.
The whole thing would not be linked to the fact that we have been victims of a cyberattack in the past, since this trend would be observed everywhere in large companies, according to the exchanges we have with our counterparts.
Philippe Déry, STM spokesperson
Ten pages of questions
Added to these rising premiums is a new phenomenon: insurers are now more demanding and will sometimes refuse companies deemed too risky.
At CFC, for example, which is established in London and has 10,000 clients in Canada, the investigation is pushed further by combing the underground web (dark web) to see if the company has ever been the victim of a data breach. “We have 135 people dedicated specifically to cybersecurity,” said Lindsey Nelson, cyber development manager, on the phone.
The Press was able to consult the forms now required by two major cyber risk insurers, Beazley and Zurich, which are 5 and 10 pages long respectively. Penetration tests, employee criminal background checks, data destruction policy, two-factor authentication: everything is reviewed across a hundred questions.
Underwriting cyber risk insurance is very tight; just getting a quote is difficult. Insurers are selective; they will prioritize well-presented files.
Mathieu Brunet, President of the Regroupement des cabinets de courtage d’assurance du Québec (RCCAQ)
The reasons
Only since 2015 has the Office of the Superintendent of Financial Institutions compiled cyber risk insurance separately. In seven years, the number of policies in force in Canada has increased from 620 to 131,361. Insurers considered Canadian represent 96% of the market.
At the same time, the number of claims has followed an upward curve, rising from 2,601 in 2015 to 28,083 in the second quarter of 2022.
Finally, we better understand the reluctance of insurers when we compile what is called the “loss rate” since 2015. This is the gross ratio between the indemnities paid and the premiums collected. To this ratio are added all administrative costs. “For insurance to be profitable, it must be below 60%,” explains Walid Khayate, practice director in integrated risk and cyber risk management at BFL Canada, one of the three largest brokers in the country.
“Serious fix”
At the Insurance Bureau of Canada, it is estimated that the net ratio, which adds claims and operating costs, has been more precisely at 230% for the past three years.
“For every dollar of premium requested, the insurers paid out $2.30,” summarizes Anne Morin, spokesperson. Insurers must in particular cover the loss of productivity, the replacement of computer equipment, class actions and even the reimbursement of the ransom, a solution chosen by 58% of the companies affected for an average cost of $458,200, according to a survey commissioned in 2021 by Palo Alto Networks.
In 2018, we saw ransoms of $300,000, maximum. Now, any file goes up to 2 or 5 million, it can go up to 40 million, even if it’s rare.
Imran Ahmad, Chief, Technology and Cybersecurity, at Norton Rose Fulbright Canada
In summary, offering cyber risk insurance is no longer profitable, and has been so only three times since 2015. Hence the meteoric rise in premiums demanded over the past two years. “The market in Canada is in a serious period of correction,” notes Lindsey Nelson of CFC. “The attacks are now costing hundreds of millions of dollars worldwide.”
Disappointing Eldorado
Presented a few years ago, in particular by the firm Standard & Poor’s, as the product which will be the most important by 2030, cyber risk insurance has provoked an avalanche of offers from insurers relayed by brokers. “We have moved from Esso and Walmart to more intangible, digital-based assets,” explains Walid Khayate of BFL Canada.
The pandemic, which has accelerated the digitalization of businesses and generalized remote working, the rise of cyberattacks as well as government regulations which make companies more vulnerable to lawsuits have turned this industry upside down.
Insurers were “a little too motivated, and not very equipped” for this new market for which there was no history, he notes. “They had a revival, they couldn’t take the losses anymore. It’s complex for everyone, the data is partial, and in cybersecurity, what happens in the past is not decisive for the future. Attack vectors are changing, a system that had 50,000 vulnerabilities won’t be there in three years.”
21%
More than one in five businesses with fewer than 500 employees in Canada reported being the victim of a cyberattack in 2021.
Source: Insurance Bureau of Canada, Leger survey
279 million
Amount paid in cyber liability indemnities in Canada in 2021. It was 24.4 million in 2015.
Source: Insurance Bureau of Canada
24%
Proportion of companies having taken out cyber risk insurance, integrated into global coverage or, in 15% of cases, individually.
Source: Insurance Bureau of Canada, Leger Survey August 2021
Chilled insurers
Disturbingly, many public and parapublic organizations have difficulty finding cyber risk insurance at a reasonable price.
“Chubb, one of the largest insurers in Canada, no longer touches certain sectors, such as schools, CEGEPs, hospitals,” reveals Walid Khayate, at BFL Canada. “They don’t like it: these organizations have a lot of data and it’s often poorly managed.”
CEGEPs, for example, must keep their student files, sometimes containing highly confidential data, for 35 years. “A CEGEP official told me recently that cyberattacks often come from their own students, who try to break into the system…”
The Union of Quebec Municipalities (UMQ) found an interesting way out, which temporarily sheltered it from premium inflation and lack of interest from insurers: a group for cyber risk insurance whose conditions were established following a call for tenders, from 2019 to 2024. In total, 102 municipalities, “of all sizes, but especially between 20,000 and 60,000 inhabitants”, have joined, says Patrick Lemieux, spokesperson for the UMQ.
The advantage we have, and that’s why we aroused interest, is our purchasing power and the ability to negotiate that the group allows. That makes it more interesting for an insurer than if a municipality goes it alone.
Patrick Lemieux, UMQ spokesperson
Harsh, but helpful
Higher premiums are often combined with reduced coverage and amounts, and customers are encouraged to opt for higher deductibles that they will have to assume in the event of an incident.
Small and medium-sized businesses are particularly affected, reports Michel Leonard, chief economist at the Insurance Information Institute, based in New York. “These companies are suddenly more aware of the risks, they are looking for cover, but the demand is growing faster than the capacity. This is also why premiums have more than doubled.”
The fact that insurers have become pickier does not only have disadvantages, believes Lindsey Nelson of CFC. They now offer upstream services to strengthen the cybersecurity of their customers. “As a cyberinsurer, of course we are interested in having fewer claims, as much as our customers who want to suffer fewer attacks,” she explains. “We’ve prevented 12,000 attacks in the past two years.”
For Walid Khayate, this is “the right approach”, one that benefits both insurers and customers.
The majority of insurers even run vulnerability scans, carry out penetration tests in companies, and ask to segment the WiFi networks, which are often so poorly protected.
Walid Khayate, Director of Consulting Practice in Integrated Risk and Cyber Risk Management at BFL Canada
Insurers also have the technical capacity to intervene in the event of a cyberattack, which is often lacking in smaller companies. “Customers who don’t have cyber insurance often ask me the question: who do I call in the event of an incident? An IT friend, my law firm?” reports Imran Ahmad of Norton Rose Fulbright Canada. “With an insurer, we have all the service providers, a package that can be used instantly.”