How COVID-19 has changed cyber underwriting

With loss ratios in the Canadian cyber insurance market skyrocketing, purchasing cyber without having to answer a whole bunch of questions may become a thing of the past.

In the recent past, if a client was not very large, or if the account wasn’t overly complicated, clients could get cyber insurance by answering fewer than 10 questions, said Katharine Hall, senior vice-president and our national leader in cyber risk Solutions for Aon Canada.

Some can still bind coverage with 10 or fewer questions, but with cyber loss ratios increasing, this is becoming more rare, Hall observes.

“When cyber first started to be underwritten, it was a 20-page application and it had a lot of technicality in it,” she said. “You needed to work with your procurement teams and you needed to work with IT. Over time, they whittled it down, but you can see they are coming back up again.”

When writing cyber insurance, underwriters are asking prospective clients more questions about incident response plans, encryption habits, multi-factor authentication, and password management, Hall told Canadian Underwriter.

Clients who handle a lot of personal data tend to come under more scrutiny, she added. These include financial institutions, the public sector, hospitality, and health care.

Canadian Underwriter asked Hall whether cyber needs to be underwritten differently.

In Canada, the loss ratio in cyber liability increased to 498.9% in the second quarter of 2020 (up from 153.7% during the same period in 2019), the Office of the Superintendent of Financial Institutions (OSFI) recently reported.

“With the onset of COVID, and the fact that most work forces are now working from home, we have seen far more ransomware attacks,” Hall said in an interview. “As a result, from an underwriting perspective, [the applications are] much more in-depth.”

Accessing corporate networks from personal computers can increase the risk of an organization becoming a victim of a data breach or ransomware, computer security vendor McAfee notes. This is because “commodity malware” is often focused directly at consumers. So the risk is when an employee’s computer is already infected and does not have adequate security measures in place.

Ransomware either prevents or limits users from accessing their system, KPMG reports, quoting Trend Micro. Ransomware either locks the system’s screen or locks the users’ files unless a ransom is paid.

One defence against ransomware is to back up  files, EY advises. But it can take days to get a system back online, so EY also advises corporations to have good patch management, encrypt sensitive information, and to apply software updates, browsers, and plug-ins as soon as they are released.

Feature image via iStock.com/SvetaZi