There has been a slight uptick in organizations buying cyber insurance, but with that level still far below where it should be, industry partners should consider focusing on prevention and mitigation to raise awareness and illustrate need among clients, it was suggested at ARC Group Canada Spring Seminar 2015.
Chief executive officers, chief financial officers and chief information officers are currently saying they are looking not so much for insurance, but rather how best to mitigate cyber risk, reported Eileen Greene, vice president and partner at Hub International, who took part in a four-member panel at the seminar.
“We’re starting to spend a lot more time in this space and I feel like there is a little bit of an uptake, but not nearly where it should be,” Greene told attendees.
Pointing out that just 8% of the population is actually purchasing cyber policies, she reported that clients are beginning to respond, finally, to a front-facing pitch. “I’ve taken it from the opportunistic standpoint, which is the solution, which is insurance, and kept bringing it back to mitigation,” she said.
“I think that network security privacy liability, aka cyber liability, is the most important insurance coverage that companies are not buying today,” noted Patrick Bourk, senior vice president and management risk practice leader at Integro Group. “It’s in about the last year that it has really seriously picked up.”
With the goal being to raise awareness of the risk and the need for protection, Greene said it is key the insurance industry be in front of cyber risk, know how best to mitigate it and have a plan in place should something happen with clients.
There is, however, more convincing to do. In general, CIOs are suggesting cyber incidents are not likely to happen with their companies and CFOs are responding that they are not looking to spend more money on insurance, Greene reported.
“Where I need to get my messaging to is to the CEO and to the board because that governance piece is essential. And then all of a sudden, we’re starting to get a little bit more buy-in,” she told attendees. “I’m scaring people of the reality of what it is out there: it’s not if; it’s when it happens.”
Bobbie Goldie, vice president of professional risk for ACE Group, agreed the focus should be to present a cyber insurance policy as a risk management policy.
Noting that ACE has been providing such policies for almost two decades, “what we found out really, really quickly is that we shouldn’t focus on it as an insurance policy or a standard liability policy like you would any other general liability or professional liability policy. That is not the case at all. This is a risk management policy,” Goldie told attendees. “The more money, the more infrastructure, the more resources we provide as an insurance company, the better the liability suit will be to be none or very small,” she argued.
By providing a number of services following a breach, Goldie said, the insurer’s goal “is at the end, there will be no liability, so that the defence costs stay down.”
The cyber insurance market is currently about $2 billion and the risk is likely to grow as more and more data goes online. “The data online doubles about every two years. So there is a lot of data online and you hear organizations all the time talking about big data. It’s not going anywhere,” Goldie said.
ACE claims data for North America – most of which relates to the United States – shows that although there have been claims in Canada, “the U.S. is a bit more advanced with the uptake in organizations buying cyber liability,” she noted.
Goldie pointed out the uptake on claims frequency is significant, reporting that ACE has had about 700 cyber-related claims in the last 10 years.
Why is cyber insurance coverage so important? “There’s lots of insurance out there that people are already buying, but there are serious gaps in that coverage that will not respond if you are living the dream – or nightmare – of some sort of data breach or privacy breach,” Bourk said. “Your general liability policy is only going to take you so far,” he suggested.
Beyond that, specific cyber policies provide both first-party and third-party coverage, Bourk told attendees. “The value is all in the first party,” he suggested, adding that “it’s when you first identify it (a breach) that these policies can respond and these policies can give you access to the best of the best.”
“There’s an entire breach response community of service providers that assist with this stuff,” he told attendees. “These policies will help to breed those professional service providers in Canada who can really assist and be able to help out,” he added.
Aleksandra Zivanovic, an associate with Hughes Amys LLP, said she does not expect the courts will “look too kindly on a business” that, following a breach, tells the court it did not believe that protection really mattered.
“We’re seeing the courts looking to see what business practices are actually in place prior to a cyber breach, at the time of the cyber breach and thereafter. And it’s becoming a focus,” Zivanovic told attendees.
What is being seen among Canadian jurisdictions differs, she said. “I don’t think we can really draw a common denominator about what’s been happening, but I do think that from the trending perspective, we’re really talking about behaviour modification,” she pointed out. “We’re seeing cases where they’re looking and asking about that level of accountability.”
Zivanovic’s view is that, in some ways, the insurance industry will be positioned ahead of the courts. Perhaps for the next five to six years, she suggested, “industry will be far more sophisticated than the actual courts with respect to cyber losses because we’re not going to have, I suspect, very few, if any, trials by then.”
More coverage of the ARC Group Canada Spring Seminar 2015: