Canadian Underwriter

How Canada’s data breach reporting law can help brokers sell cyber based on facts, not fear

March 22, 2018   by David Gambrill


Canada’s forthcoming implementation of mandatory data breach reporting may create an opportunity for the country’s commercial brokers to have conversations with their clients about cyber insurance risk based on concrete data instead of fear, a Marsh Canada broker says.

Improved cyber risk data arising from breach reporting would give Canadian brokers “the ability to frame the discussion [with clients] in a way that relies less on people’s concerns and fears, and more on some objective quantification of what the risk might look like to an organization,” says Gregory Eskins, national specialties and cyber practice leader for Marsh Canada Limited.

“Being able to quantify the risk, to determine a risk appetite or a risk tolerance, once it has been quantified, goes a long way in helping [the client] make the decision about whether or not insurance is going to be of any utility to the organization,” added Eskins.

Eskins advised on the creation of a panel on cyber insurance and resilience for the 4th annual International Cyber Risk Management Conference (ICRMC). Sponsored by MSA Research, the ICRMC takes place at the Metro Toronto Convention Centre on Apr. 11-12, 2018.

The quantification of risk (knowing, for example, whether a business shutdown averaging three days would cost the company $10 million or $100 million) is one factor among many in assessing an organization’s needs. A broker would discuss the quantification of risk in the context of an organization’s risk appetite or tolerance, the probability of a particular event, and the potential severity of an event over any given period of time. “We would then be able to help our clients make a very informed decision about, ‘Is this a good bet?’” Eskins says.

Eskins prefaced the remarks by discussing the difference between cyber awareness in Canada and the United States. Canadian awareness and regulation of cyber risk is lagging behind that of the United States, mainly because the U.S. has had a 14-year head start in bringing forward mandatory breach legislation, he told Canadian Underwriter.

In California, for example, mandatory notification under certain circumstances became law in 2003. In comparison, in 2010, Alberta, under the Personal Information Protection Act, became the first Canadian jurisdiction to require breach notification from private sector organizations. In Alberta, notification is triggered where there exists “a real risk of significant harm” to an individual as a result of the loss or unauthorized access to or disclosure of personal information.

Largely because the regulatory environment in the United States has been prescriptive over a longer period than Canada, cyber events – not just privacy breaches, but all types of cyber attacks and events – are generally more publicized in the United States.

In contrast, Eskins observes, “a large swath of cyber events that take place every day within our borders in Canada go unreported. When that happens, people have a perception that [the risk] is intangible here. But neither the Internet, nor the risk, is constrained by geography.”