Strong security controls are now the minimum bid in a hard cyber market

With demand at an all-time high, cyber insurance is becoming increasingly hard to obtain. Indeed, the category in Canada is facing its first-ever hard market.

“At the same time that more businesses are waking up to the technology-related risks they face, fewer insurers are able to write it, or at least at the pace the market is demanding [of] the product,” Lindsey Nelson, cyber development leader at CFC Underwriting, told Canadian Underwriter.

“In turn, this is leading — and will continue to lead — to increased underwriting scrutiny across the board.”

And this already bad situation could soon become worse as media talking heads say Canada’s backing of Ukraine in the wake of Russia’s invasion could lead to higher rates of cyberattacks by Russian state actors.

As capacity continues to tighten, underwriters will become increasingly discerning when it comes to risk selection, Nelson said. “What that means in practice is that strong security controls are ultimately becoming an expectation from cyber insurers rather than the basis for a more competitively priced premium.”

Danion Beckford, underwriter of professional liability with Burns & Wilcox Canada, agreed cyber insurance will continue to face a tightened market, with the review of companies’ security measures in the spotlight.

“Insurers are already declining business if the necessary [security] measures are not already in place, which is happening for new submissions and accounts at renewal,” Beckford said.

“Where there might have been more open-mindedness in previous years, the accounts that once benefited from that stance are now subject to a higher level of scrutiny in regard to their security.”

Beckford said multi-factor authentication is the most talked-about requirement for businesses and insurers. “As a minimum requirement, this will assist in making a breach slightly more difficult,” he said “Outside of creating a password for the network that should be difficult for anyone else to determine, staff should utilize some form of authenticator for added security.”

Additionally, businesses should audit the number of sensitive records in place, since the details in those records are key to determining whether coverage should be granted.

Cyber insurance and its pricing has changed a lot in a relatively short timeframe. For example, the Office of the Superintendent of Financial Institutions reported unprofitable loss ratios in cyber lines exceeded 400% in 2021 Q1. More recently, that ratio improved to 114.4% in 2021 Q3.

“Just a couple of years ago, we were saying that coverage was as broad and as competitively priced as it was ever going to be,” Nelson said. “Fast forward to today and obtaining cyber insurance has become more challenging than ever — particularly as you move up the size spectrum.

“The conversation has shifted from what clients can adopt to get a better price on their cyber insurance to what they can implement just to become an insurable risk in the first place.”

Brokers have played a crucial role in helping clients implement basic security controls, Nelson added. “Similar to physical theft exposures, the digital windows and doors of an organization need to be closed before an insurer provides cover.”

This article is excerpted from the Feb.-Mar. issue of Canadian Underwriter. With files from Greg Meckbach.

Feature photo courtesy of iStock.com/Gwengoat