May 28, 2015 by Angela Stelmakowich, Editor
Canada’s property and casualty insurance industry has taken important strides to provide coverage for select cyber security risks, but the lack of data around other related threats has prevented insurers from moving forward with more comprehensive offerings, attendees of an Insurance Institute of Canada (IIC) forum in downtown Toronto heard Thursday.
Paul Kovacs, founder and executive director of the Institute for Catastrophic Loss Reduction, and president and CEO of the Property and Casualty Insurance Compensation Corporation, suggested that barriers currently exist and those hurdles will not be cleared absent the industry gathering additional information.
“In the last few years, the industry has really stepped up and offered solutions for breach attacks, for identity theft. There are some key areas where the industry is now playing a role,” Kovacs said during IIC’s inaugural Emerging Issues Forum, the first of a series of discussions that will deal with emerging issues of interest to those in Canada’s p&c industry.
With regard to Canadians and Canadian businesses buying breach and identity theft coverage, “our sense over the next five to 10 years is that’s going to grow very quickly,” he told forum attendees.
What has changed? Kovacs pointed to the “combination of companies doing a much better job in terms of having a product that is really accepted and wanted,” a large number of high-profile attacks, growing interest from governing bodies like Boards of Directors and third parties such as regulators and others asking and expecting cyber coverage to be in place.
While progress related to breach and identity theft coverage is positive, those coverages are a small part of a cyber security profile that is very broad, ever-growing and ever-changing. There are “many, many other risks that the industry has not yet decided to offer cover for,” Kovacs said.
“Why? It turns out that it’s the absence of data to allow the industry to calculate what the real risk is and confidently think of offering coverage,” as well as accumulation risk, he reported. “So, there’s some barriers that have prohibited the industry from going beyond breach coverage and identity theft,” he said.
There is simply not enough data currently available to confidently insure certain events, including such situations as theft of corporate secrets or catastrophic cyber events like taking down a power grid, Kovacs suggested. “The foundation for providing coverage is not there today,” he told attendees.
But the types of cyber security risks currently not covered – or for which no product has yet been developed – carry with them significant potential, although likely not a market over the next five to 10 years.
“You’ll need a number of years to build up the data, the knowledge, before the underwriters become confident to get into these fields,” Kovacs said. Still, there is “potential for a very big market compared to where it is today,” he added.
“We’re off to a good start, but we need to do even better. It’s really important to learn about the nuances of what can be done for protection,” Kovacs advised.
It is critically important to consider both technology solutions and the behavioural side of things, he suggested. Beyond basic technology solutions, he noted that the broader message must be to get individuals thinking about cyber security.
Acknowledging that industry players are already working hard to get a firm grasp of cyber security, its breadth and its potential implications, “the industry has to work even harder over the next five to 10 years to protect itself from what will be a growing threat of cyber attacks,” Kovacs cautioned.
The higher profile created by a number of large breaches over the last year or so – including Target and Sony – is a positive. “These international stories help us here in Canada understand, but there’s also important things we need to know about Nortel, what we need to know about the National Research Council and Montfort Hospital in Ottawa,” he emphasized.
“It’s useful to know what the regulator in New York is thinking about and the regulator in the United Kingdom, but perhaps even more important to know what OSFI (Office of the Superintendent of Financial Institutions) is doing in this area.”
Kovacs noted that OSFI has issued detailed guidance on issues to consider with regard to cyber risk. “Anybody looking to upgrade what you are doing in terms of the security within your own entity, the guidance from OSFI is something that we strongly encourage reviewing,” he said.
“Our industry has not had large losses yet from cyber incidents here in Canada,” Kovacs said, “but the risk of attack is building and growing and over the next five to 10 years, there’s potential for some very big, threatening events to affect our industry directly.”
Noting that it appears “the level of defence in Canada in somewhat similar to some other countries,” he told attendees. Unfortunately, “the big difference is not that we’re defending ourselves better. It’s that we are not being chosen to be attacked at the same rate as some others are.”
A large body of literature makes clear that the nature of cyber attacks has evolved over time and that the next five to 10 years “can be a much more dangerous environment than we’ve experienced in, say, the last 25 years,” Kovacs told forum attendees.
He cited the low cost of equipment (computers) needed to launch attacks, that almost everyone is connected to the Internet and that the most current software to help carry out attacks is available.
“If somebody really wants to cause trouble, it’s getting easier every year. The number of people with the background and skills to do this is growing every year. There’s a number of different cases why the threat over the next five to 10 years seems to be really at the edge of taking off,” Kovacs cautioned.