One long-term impact of the novel coronavirus pandemic may be an uptick in the sale of commercial cyber insurance policies, industry experts predicted during a recent Canadian Underwriter webinar.
In addition, the pandemic may provide an opportunity for brokers to promote the sale of standalone cyber policies. One webinar panellist noted standalone policies generally provide commercial clients with better protection against emerging cyber-threats such as ransomware and financial phishing scams than add-ons to commercial packages, which are focused more narrowly on risks such as data breach.
Tim Zeilman, global owner of products, cyber, for HSB (part of Munich Re), predicted “the expansion of purchasing of cyber insurance” in the wake of the pandemic.
“If there is one thing people have realized over the last couple of months, that has been how completely reliant they are on their IT systems,” Zeilman observed during Part Two of Canadian Underwriter’s COVID-19: Business Interruption webinar series. “Some people are…undoubtedly using and relying on their IT systems, particularly their remote IT systems, more than they ever have.
“I think in the past, when faced with the prospect of a problem — maybe such as a malware problem or a hacking event that hampers the performance or completely takes down your IT systems — that was an unpleasant prospect, but you might have had other plans. You could have done things on paper or have gotten people together in person, rather than using technology. A lot of those Plan Bs have gone out the window over these last many weeks, and there is no Plan B beyond your technology. So I think that’s likely to spur an uptick in the purchase of cyber insurance.”
Canadian banks may provide another reason for the increased sales of cyber insurance in the future, said webinar panellist Philomena Comerford, president and CEO of Baird MacGregor Insurance Brokers LP and Hargraft Schofield LP.
Comerford said banks are wise to the fact that cybercriminals are increasingly using financial social engineering and phishing scams to re-route company or client funds into unauthorized or fake banking accounts. In these types of scams, cybercriminals, impersonating company officers and executives, will send emails requesting that company finance or accounting officials re-direct funds. This is especially prevalent in the COVID-19 era because employees are working remotely from home and must be more diligent about verifying the order with the company executive.
Given the increase in these types of scams, expect banks to start exerting influence on their business clients to procure adequate cyber protection, said Comerford.
“It doesn’t take a rocket scientist to know [that banks] are seeing an uptick in cyber events, and they know that their customers are becoming increasingly reliant on communicating electronically,” she said. “Even [commercial clients] surviving with bricks-and-mortar store closures are using more e-commerce, so it’s only a matter of time before banks start demanding that cyber insurance be part of the line-up of coverage that they [have] before they enter into any loans or lines of credit.”
Panellists were asked a question about the penetration of cyber coverage in the marketplace. Zeilman noted that sophisticated businesses with risk management operations in place tended to be more likely to purchase cyber coverage than small to mid-sized enterprises [SMEs].
Answering the same question, Eduard Goodman, global privacy officer at CyberScout, said it was important to be clear about what is meant by “cyber coverage.” He drew a clear distinction between cyber coverages that were mere “add-ons” to commercial policies, or commercial packages that offered cyber mainly for data breach only, and more fulsome standalone cyber policies.
“We see both in the Canadian and the U.S. market a fair amount of penetration for those add-on coverages, but they are really, really focused on data breach exposures, [and] not every business has a lot of personal data,” Goodman said. “If you want to call data breach ‘cyber,’ I’d say you could argue there’s a fair amount of penetration. But does a $50,000 (U.S. or Canadian) data breach coverage really provide you with what you need as an institution, depending what your risks are? I would argue not. That’s why these standalone policies are becoming much, much more important for this.”
Add-ons to commercial packages typically have very low limits, Goodman noted, which don’t really cover the kind of losses you would see in emerging forms of cybercrimes, such as ransomware or financial phishing attacks. “Some of them are $10,000, which isn’t going to offer you a whole lot,” he said. “That’s not even a forensic examination.”
Goodman said many clients likely don’t know what kind of cyber coverage they have now in their add-on policies. That suggests brokers have an opportunity to sell more standalone cyber policies. “I think the cyber market is growing up to such a degree that we are starting to see an increase in the SMEs that are starting to purchasing standalone cyber that really protects them on all of those [non-data breach] risks.”