Insurance Institute of Canada report encourages p&c organizations to build cyber resiliency; cites business opportunity in expanding coverage

Canadian property and casualty insurance organizations should bolster the defences of their organizations and those of their clients against cyber threats by developing a culture of cyber security, recommends a new research report issued Tuesday by the Insurance Institute of Canada (IIC).

“Insurance organizations are encouraged to build a corporate culture of cyber security that includes actions to address technological threats and security training for employees,” notes an IIC statement announcing the release of Cyber Risks: Implications for the Insurance Industry in Canada, which assesses cyber risk from the perspective of the Canadian p&c insurance industry.

The research report cites a study by Intel’s McAfee and the Center for Strategic and International Studies, Net Losses: Estimating the Global Cost of Cybercrime, which estimates the global cost of cyber crime in 2013 at US$375 billion to US$575 billion. “The global impact of cyber crime is similar to estimates by the United Nations of the international production, trafficking and sales of illicit drugs (US$400 billion) and the worldwide damage resulting from vehicle collisions (US$518 billion),” states the report.

According to the report, the most common forms of cyber attacks were theft and other data attacks, malware (phishing and pharming) and mechanisms to infect computers (viruses, worms, Trojan horses). The report notes that in 2013, the 3,700 clients of IBM’s Managed Security Services experienced seven or eight cyber incidents each month, on average. About half of those attacks – including scams to steal credit card information, website vandalism, corporate espionage and denial-of-service attacks – were directed at the manufacturing (27%) and financial services (21%) industries.

The largest source of loss from cyber crime involves the theft of trade secrets or other intellectual property, the report says, followed by theft of funds, theft of confidential information and opportunity lost (confidence eroded in the Internet as a trusted place for commerce and communications). “Widespread, prolonged disruptions in global communications and commercial networks have not occurred,” the report noted. “However, cyber experts believe that these attacks will come in the next five to ten years. Many anticipate that the first cyber crisis will involve an attack on the critical infrastructure of a major economy, such as shutting down the power grid in the United States.”

The McAfee/center report estimates that cyber crime rates in Canada are well below the international average, with estimated losses of $3 billion to $4 billion annually (0.2% of GDP, or Gross Domestic Product) compared to 0.8% globally.

With respect to cyber crime rate as a percentage of GDP, it is 0.02% for Japan, 0.16% for the United Kingdom, 0.17% for Canada, 0.41% for the European Union, 0.63% for China, and 0.64% for the United States.

“International variation in losses appears primarily to reflect differences in the frequency and severity of attacks, rather than differences in defensive capacity,” states the IIC report.

“Losses in Canada are lower than in many other countries, but are a serious and growing threat,” it emphasizes, noting that the losses include insurable risks, such as identify theft and data breach attacks on banks and retail companies. “The majority of cyber losses, however, are not presently insurable, including cyber espionage. The strong dependency of Canadians and Canadian businesses on the Internet increases Canada’s vulnerability to future cyber attacks,” the report adds.

“Cyber incidents can result in significant damage, including the cost of response to the theft of consumer information, forensics, notification, fraud monitoring, crisis communications and legal fees. Reputational risks may be more significant,” the report cautions.

“Cyber incidents are constantly in news headlines and insurance organizations now rank cyber security among the Top 3 issues facing Canada’s p&c insurance industry,” Peter Hohman, IIC’s president and CEO, says in the institute statement. “The Institute has an important role to play in conducting research for the benefit of the industry, and this seminal research report on cyber risk will provide a valuable foundation for the industry’s ongoing discussions about this critical issue,” Hohman comments.

Prepared by Paul Kovacs, founder and executive director of the Institute for Catastrophic Loss Reduction, and president and CEO of the Property and Casualty Insurance Compensation Corporation, the report establishes a framework for p&c insurance organizations to discuss their own resilience to cyber risk, as well as that of their clients.

The report asks a number of pressing questions:

• What is the threat?

• Who are the criminals?

• Why is there a growing concern about catastrophic incidents?

• How can p&c insurers reduce their risk of loss?

• What is the prospect for growth in the cyber insurance market?

• How will regulation of the Internet, disclosure and privacy legislation evolve over the next five to 10 years?

The report also makes recommendations with regard to how Canada’s p&c organizations can better protect themselves against cyber attack (primarily by building resiliency), and better protect Canadians against cyber risk (chiefly by working with governments and other stakeholders to expand cyber coverage beyond breach and identity theft). Specific recommendations include the following:

• Appoint a senior executive to develop and implement a comprehensive plan to manage and reduce the long-term consequences of cyber risks;

• Identify the consumer information and the corporate knowledge that matters most, and direct the highest protection effort to shield these critical assets;

• Determine calculable loss by securing data about the likelihood and consequences of cyber attacks;

• Understand accumulation risk, including the threat of catastrophic attacks on critical infrastructure;

• Build the market over the next five to ten years until most businesses, homeowners, and tenants consider cyber insurance for the risk of loss from data breach and identity theft;

• Work with governments and other stakeholders to establish conditions over the medium- and long-term to expand insurance coverage to other cyber risks in Canada; and

• Work with the federal and provincial governments, law enforcement officials and other stakeholders to champion practices to keep Canadians safe online.

The report quotes from the Deloitte report, Global Cyber Executive Briefing: “The Internet of tomorrow will almost certainly be less resilient, available and robust than today. Local cyber incidents may cascade into global shocks.
Canadians and the Canadian insurance industry are particularly vulnerable because of heavy reliance on technology.”

Characterizing cyber space as the great, unknown frontier for society in general and Canada’s insurance industry specifically, the IIC report notes “the scope and potential capacity of cyber criminals is growing. Meanwhile, the capacity to defend and the capacity to transfer the risk may be limited.”

A business opportunity exists for the country’s p&c insurance industry, IIC notes, pointing out that global cyber insurance premiums are currently less than one half of 1% of the estimated cost of cyber crime.

Citing findings in A.M. Best’s Fall 2014 Insurance Industry, the report states that the majority of companies in Canada, including most insurers, currently do not purchase cyber insurance. In addition, a 2014 global survey of risk managers from Munich Re shows that organizations are taking a number of approaches, from maintaining cyber coverage to not even purchasing coverage.

“Over the next five to 10 years, this is expected to change. Breach coverage is one of the fastest-growing insurance markets in the United States, Europe and Canada,” the IIC report notes. “The size of the cyber breach and identity theft insurance market may increase by more than five-fold over the next decade.”

A study issued by the Ponemon Institute indicates that, in terms of the main causes of data breaches, criminal attack accounts for 42% of these, human error for 30% and system glitch for 29%.

IBM, for its part, reports “opportunistic” is cited as the most common motivation behind breach attacks.

Beyond the insurance industry’s success with breach and identity theft coverage, the IIC report points out “this is a critical time for the Canadian insurance industry to explore cyber security.” There is considerable scope for insurance to penetrate into new fields of cyber security.

“Corporate espionage, catastrophic cyber incidents, and several other cyber risks are largely uninsurable at this time. For individuals, insurance is available to cover the costs associated with identity theft. Most other cyber threats are presently not insurable, such as insuring the cost of repairing or replacing an infected computer,” the report notes.

“A barrier to the expansion of cyber insurance markets involves the lack of information about the likelihood, severity and consequences of major attacks needed to determine the calculable loss,” states the report. “A second barrier to the expansion of cyber insurance markets involves accumulation risk associated with catastrophic attacks that must be managed to ensure that they do not overwhelm the financial capacity of insurance companies.”

That said, Canada’s p&c insurance industry is well-positioned to promote cyber security, albeit in an evolving federal and provincial privacy legislation environment that will have a significant influence over insurance practices.

“There is scope for insurers to work with the (federal) government to secure increased information about the frequency and severity of cyber incidents, and to determine the role of the federal government if a catastrophic event should occur,” the report explains.

“When a serious effort is made to collect data about the likelihood and consequences of cyber attacks, it will likely take more than a decade until sufficient information is available to support a rigorous actuarial analysis of the risks,” the report predicts. “Insurability will likely extend to a variety of cyber risks over the long term, but the primary focus of cyber insurance over the next five to 10 years is expected to remain on data breach and identity theft.”

The report emphasizes that Canada’s p&c insurance industry has the potential to build important partnerships in the emerging efforts to promote cyber security, including the following:

• partnering with the federal government’s Get Cyber Safe public awareness campaign;

• supporting the proposal by the Canadian Association of Chiefs of Police to develop a national cyber crime strategy with enhanced interagency capacity, operational plans, and data collection;

• pressing for greater disclosure about the frequency and consequences of cyber attacks; and

• sponsoring simulations and research to assess the impact of large-scale incidents.

“Insurance is built on a foundation of trust. It is easy for insurance consumers to move their business if that trust is broken,” the IIC report notes. “A major cyber incident may erode consumer confidence, harm an insurer’s reputation, and reduce the market value of the company.”

Kovacs, Serge Solski, vice president of business development for Watsec Cyber Risk Management, and Jacqueline Detablan, vice president of professional liability for AIG Canada, will be featured in a panel discussion on report findings as part of IIC’s inaugural Emerging Issues Forum in Toronto on May 28.

The cyber report is the first in a series of IIC research reports that will examine other emerging risks facing Canada’s p&c insurance industry.