“Financially, it was a horror film”
Perceived a few years ago as the product of the future, cyber insurance has instead become an unprofitable burden for insurance companies. Caught between cybercriminals who are more active and greedy than ever and the scarcity of insurance available, companies must juggle significant increases in premiums and tougher enrollment criteria. The market is “in a serious period of correction”, experts note.
All professionals interviewed by La Presse observed that cyber risk insurance premiums have been rising significantly for at least two years, a phenomenon that remains poorly documented and for which there are no overall statistics.
“In some cases, we’re talking about increases of more than 100%,” notes Imran Ahmad, head of technologies and cyber security at Norton Rose Fulbright Canada.
The Canadian Federation of Independent Business (CFIB) and the Regroupement des cabinets de courtage d’assurance du Québec (RCCAQ) are currently preparing studies on this topic. The former president of the latter organization, Jean-Pierre Tardif, knows a lot about it: in one year, the cyber risk insurance premium for his company, Assurancia Groupe Tardif of Thetford Mines, went from $14,000 to $32,000, an increase of 129%. “Financially, it was more than a horror film,” he sums up.
Same observation at the Société de transport de Montréal (STM), which suffered “a significant increase in [the] premium with a reduction in coverage,” spokesman Philippe Déry said via email.
It wouldn’t all be connected to us being victims of a cyber attack in the past, as this trend would be observed everywhere in large companies, according to the exchanges we have with our colleagues.
Philippe Déry, STM spokesman
Ten pages of questions
Added to these rising premiums is a new phenomenon: insurance companies are now more demanding and will sometimes reject companies deemed too risky.
At CFC, which is based in London and has 10,000 clients in Canada, for example, the insurer pushes the investigation further by combing the dark web to see if the company has ever suffered a data breach. “We have 135 people dedicated specifically to cyber security,” Lindsey Nelson, cyber development manager, said by phone.
La Presse was able to consult the forms now required by two major cyber risk insurers, Beazley and Zurich, which run 5 and 10 pages respectively. Penetration tests, employee criminal background checks, data destruction policy, two-factor authentication: everything is reviewed through a hundred questions.
Underwriting cyber risk insurance is very tight; just getting a quote is difficult. Insurance companies are selective; they will prioritize well-presented files.
Mathieu Brunet, President of the Regroupement des cabinets de courtage d’assurance du Québec (RCCAQ)
It is only since 2015 that the Office of the Danish Financial Supervisory Authority has compiled cyber risk insurance separately. In seven years, the number of policies in force in Canada has increased from 620 to 131,361. Insurance companies considered Canadian represent 96% of the market.
At the same time, the number of claims has followed an upward curve, rising from 2,601 in 2015 to 28,083 in the second quarter of 2022.
Finally, we better understand the reluctance of insurance companies when we plot what is called the “loss ratio” since 2015. This is the gross ratio of claims paid to premiums collected. All administrative costs are added to this ratio. “In order for insurance to be profitable, it has to be below 60%,” explains Walid Khayate, practice director of integrated risk and cyber risk management at BFL Canada, one of the top three brokers in the country.
At the Insurance Bureau of Canada, it is estimated that the net ratio, which adds claims and operating costs, has been more precisely 230% over the past three years.
“For every dollar of premium requested, insurance companies paid out $2.30,” summarizes Anne Morin, spokesperson. In particular, insurers must cover loss of productivity, replacement of computer equipment, class actions and even ransom reimbursement, a solution chosen by 58% of affected companies at an average cost of $458,200, according to a study commissioned in 2021 by Palo Alto Networks.
In 2018, we saw ransoms of no more than $300,000. Now any file goes up to 2 or 5 million; it can go up to 40 million, even if it’s rare.
Imran Ahmad, Chief, Technology and Cybersecurity, at Norton Rose Fulbright Canada
In summary, it is no longer profitable to offer cyber risk insurance, and it has been profitable only three times since 2015. Hence the steep increase in premiums required over the past two years. “The market in Canada is in a serious period of correction,” notes Lindsey Nelson of CFC. “The attacks are now costing hundreds of millions of dollars worldwide.”
Cyber risk insurance was presented a few years ago, notably by the company Standard & Poor’s, as the product that would be the most important in 2030, and it prompted an avalanche of offers from insurance companies through brokers. “We’ve moved from Esso and Walmart to more intangible, digital-based assets,” explains Walid Khayate of BFL Canada.
The pandemic, which has accelerated the digitization of companies and generalized remote work, the increase in cyber attacks, and government regulations that make companies more vulnerable to lawsuits have turned this industry upside down.
Insurers were “a little too motivated and not particularly equipped” for this new market, for which there was no history, he notes. “They had a revival, they couldn’t sustain the losses any longer. It’s complex for everyone, the data is partial, and in cybersecurity, what happens in the past doesn’t determine the future. Attack vectors are changing, a system that had 50,000 vulnerabilities won’t be there in three years.”
More than one in five businesses with fewer than 500 employees in Canada reported being the victim of a cyber attack in 2021.
Source: Insurance Bureau of Canada, Leger survey
Amount paid in cyber liability claims in Canada in 2021. It was 24.4 million in 2015.
Source: Insurance Bureau of Canada
Proportion of companies that have taken out cyber risk insurance, integrated into global cover or, in 15% of cases, individually.
Source: Insurance Bureau of Canada, Leger Survey August 2021
Insurers cooling off
Worryingly, many public and para-public organizations struggle to find cyber risk insurance at a reasonable price.
“Chubb, one of the largest insurance companies in Canada, no longer touches certain sectors, such as schools, CEGEPs, hospitals,” reveals Walid Khayate, of BFL Canada. “They don’t like it: These organizations have a lot of data, and it’s often poorly managed.”
CEGEPs, for example, must keep their student files, sometimes containing highly confidential data, for 35 years. “A CEGEP official told me recently that cyber attacks often come from their own students who try to break into the system…”
The Union of Quebec Municipalities (UMQ) found an interesting way out that temporarily protected it from premium inflation and lack of interest from insurers: a cyber risk insurance group, the conditions of which were established after a tender, running from 2019 to 2024. A total of 102 municipalities “of all sizes, but especially between 20,000 and 60,000 inhabitants” have joined, says Patrick Lemieux, spokesman for UMQ.
The advantage we have, which is why we have attracted interest, is our purchasing power and the ability to negotiate, which the group allows. This makes it more interesting for an insurance company than if a municipality goes it alone.
Patrick Lemieux, spokesman for UMQ
Harsh but helpful
Higher premiums are often combined with reduced coverage and amounts, and customers are encouraged to choose higher deductibles to bear in the event of an incident.
Small and medium-sized businesses are particularly affected, reports Michel Leonard, chief economist at the New York-based Insurance Information Institute. “These companies are suddenly more aware of risks, they are looking for coverage, but demand is growing faster than capacity. This is also the reason why the premiums have more than doubled.”
The fact that insurance companies have become more discerning is not all downside, believes Lindsey Nelson from CFC: they now offer upstream services to strengthen their customers’ cyber security. “As a cyber insurance company, we are of course interested in having fewer claims, as much as our customers want to suffer fewer attacks,” she explains. “We have prevented 12,000 attacks in the last two years.”
For Walid Khayate, this is “the right approach”, one from which both insurance companies and customers benefit.
Most insurance companies even do vulnerability scans, perform penetration tests in companies and ask to segment the WiFi networks, which are often so poorly protected.
Walid Khayate, Director of Integrated Risk and Cyber Risk Management Consulting Practice at BFL Canada
The insurance companies also have the technical capacity to intervene in the event of a cyber attack, which is often lacking in smaller companies. “Customers who do not have cyber insurance often ask me the question: Who do I call in the event of an incident? An IT friend, my law firm?” reports Imran Ahmad of Norton Rose Fulbright Canada. “With an insurance company, we have all service providers, a package which can be used immediately.”