Market Trends of Canada Cyber (Liability) Insurance Industry
This section covers the major market trends shaping the Canada Cyber Insurance Market according to our research experts:
Evolving Regulatory Reforms are Driving the Market
GDPR in Europe or Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, are making companies move from a reactive approach to a proactive approach towards cybersecurity. Insurers are now seeing a greater focus on system security and the ability to safely store and use personal information. Canada was one of the first countries in the world to have federal legislation on mandatory notification for cyber/privacy breaches. Since Canadian legislation doesn't guide what companies should do at a minimum, there isn't a minimum standard for Canadian companies to follow. As a result, there is still a fair amount of cyber apathy in the Canadian context.
Both PIPEDA and GDPR certainly brought about an increase in the awareness of cyber policies as a method of risk transfer for businesses; however, with regulatory fines very few and far between - particularly for businesses that don't hold any significant personally identifiable information (PII), like manufacturers or construction, there hasn't been any meaningful claims activity for the everyday Canadian business. Less than 4% of the cyber claims are because of any third-party or regulatory action being brought forth. However, privacy laws have interacted with newer variants of ransomware that exfiltrate sensitive data to entice companies to pay their demands. Ransomware was always considered a severity-driven event long before data exfiltration, and it's easy to see why when you add up the business interruption costs for loss of profits per day and re-creating potentially sophisticated and complex networks completely from scratch - not to mention paying the demand itself, which some companies have little choice but to do without appropriate backups. Now, with confidential data at stake, it's brought in implications for having to conduct due diligence to determine whether data was viewed or exfiltrated by the criminals. As a result, businesses could have to bring in costly legal services to draft and issue an appropriate notification to customers under privacy guidelines.
Under PIPEDA, the Office of the Privacy Commissioner [OPC] can apply fines and penalties of up to $100k for a failure to report the circumstance if it involves information that could cause a 'real risk of significant harm to the affected individuals. So, mandatory reporting gives guidance on when organizations need to report and what they need to do after a breach. The bulk of Canadian businesses are small - 97.9%, according to the latest census data. A fine of $100k for a 12-person manufacturing business is going to have a much more material impact on the solvency of that business than a $100k fine against a Facebook, Google or Apple. So, small businesses in Canada should be aware that this legislation is suggesting that they take this seriously or face the consequences.
Increase in Ransomware Attacks
Ransomware shows no sign of abating, making up 31% of the total claims managed globally last year and accounting for almost half those handled for Canadian businesses. However, 2020 is showing the emergence of one worrying trend when it comes to these attacks. Increase in criminals stealing confidential information and then threaten to release it if ransomware demands aren't paid. They're also conducting more due diligence to determine the maximum amount an organization can afford to pay to determine how much they try to extort. So, where ransomware was typically associated as being a business interruption or system damage concern, it's increasingly becoming a privacy concern, triggering notification obligations to customers and key stakeholders. At the same time, businesses shouldn't let the latest ransomware attacks distract them from the fact that run-of-the-mill phishing attacks, leading to business email compromise and wire transfer fraud, still make up a large percentage of claims across the globe, including for Canadian policyholders and accounts.