Brokers urged to review their own cybersecurity posture

In the effort to make sure clients are protecting themselves against cyberattacks, Canada’s P&C insurance industry should be mindful of protecting itself, too, delegates attending IBAOCon’24 heard at the CEO Panel Thursday.

“For brokers, it starts with us, right? It starts with us being well-equipped to prevent being attacked,” Intact Financial Corporation CEO Louis Gagnon told more than 800 delegates attending the Insurance Brokers Association of Ontario’s annual convention, held in Toronto.

Gagnon issued a cautionary note while discussing the unknown scope of cyber risks.

“We have to protect ourselves better than we’re protecting ourselves right now, because we have a lot of data,” he said. “We are connected to the world. We’re connected to many things. And in general, small businesses are not well-protected.”

Panellist moderator Marissa Teeter, an executive coach and advisor, likened the cyber advice to pre-flight safety instructions, which urge passengers to put on their own oxygen masks before helping other passengers. Similarly, brokers should make sure they are protected as part of the drive to ensure their clients’ protection.

“It’s the oxygen mask analogy,” Teeter said.

Data show the odds are stacked against brokers who are not well protected against cyberattacks, said panellist Ben Isotta-Riches, chief distribution officer of Aviva Canada.

“If you get a bad actor who’s looking to create some kind of breach [and] access data from insurance brokers, the weakest 10% in this room are the ones who will get hit,” he said. “So, as Louis said, I implore you all to just have a think about your own cybersecurity posture. Because if it happens to you, it’s brutal. And…the weakest kid is in the playground is going to get picked on, and so just make sure it’s not you.”

Teeter asked how Isotta-Riches defined the “weakest kid” in his analogy.

“Someone who’s left the back door open and is willing to allow someone to come and take all your stuff,” he replied.

A report on cyberattacks in Canada, released by StatsCan last week, shows the number of Canadian businesses reporting a cyberattack is slowly decreasing. In 2023, about one in six (16%) of Canadian businesses reported being the victim of a cyberattack, which was down from 21% in 2019 and 18% in 2021.

Also in the news: What optionality in personal lines means for brokers

However, although the proportion of Canadian businesses reporting cyberattacks is down, certain methods of attack are on the upswing.

“In 2023, over 1 in 8 (13%) impacted businesses reported experiencing ransomware attacks, up from 11% in 2021,” the report states. “The majority of ransomware victims did not make a ransom payment (88%). Of those that did indicate making a ransom payment, the majority (84%) paid less than $10,000, while 4% paid more than $500,000.”

StatsCan says total spending on recovery from cybersecurity incidents doubled in the past three years, from about $600 million in 2021 to $1.2 billion in 2023. This followed an increase of about $200 million from 2019 to 2021. And yet, spending on prevention is “stable,” as the report says.

One of the tricky parts about offering cyber insurance, Gagnon told brokers attending IBAOCon’24, is that the true extent of cyber risk is still unknown. He compared it to the costs to repair water damage, which insurers know.

“Cyber is…probably the most unknown risk. I don’t think we know exactly what is the worst that can happen,” he said.

“I think if there’s water damage, we know what’s going on, right? We can measure the impact of a river flooding over. But when you talk about cyber, I don’t know, seriously, if somebody knows exactly how much it would cost, based on what we know and how we’re connected today. It’s very difficult [to assess].

“So, I think there’s a big opportunity here [for Canadian P&C insurance professionals] to make sure we better understand what’s going on there.”

Speaking more generally about brokers’ business clients, Gagnon noted brokers are reporting a low take-up rate of cyber insurance.

“People are not willing to get protected,” he reported. “From the [brokers] who are selling that coverage to protect personal information after an attack, they’re saying that the take-up of that coverage is between 5% and 10%. So, 5% to 10% are [willing] to be covered.”

Feature image courtesy of iStock.com/Kindamorphic