Not long ago, the Canadian P&C industry’s cyber loss ratio was more than 400%, meaning cyber insurers were paying out an average of more than $4 for every $1 they received in premiums.
Those first-quarter numbers from two years ago improved dramatically to 108.4% in 2022 Q1, per the Office of the Superintendent of Financial Institutions (OSFI). But cyber liability insurers continue to report unprofitable loss ratios.
Industry commentators refer to the state of cyber insurance in Canada as ‘challenging,’ ‘tough,’ and some even say the product is ‘broken.’
For example, Chris Mutcheson, partner and national leader of brokerage Purves Redmond financial and executive specialty products unit, said he believes the cyber product is fundamentally broken in part because insurers are covering both first-party and third-party costs of companies hit by ransomware attacks.
First-party costs refer to the insured company’s own recovery costs — including costs associated with restoring IT systems, hiring public relations experts, and legal costs to investigate. Third-party costs relate to defending lawsuits by third parties affected by the company’s downtime.
Pricing for both first- and third-party costs within the same product is extremely difficult, Mutcheson argued, to say nothing about pricing for intentional criminal acts.
“I don’t think you can underwrite your way out of this, and I don’t think you can just pass this [cost] on to the customers [in the form of higher cyber rates],” he told Canadian Underwriter.
“It’s like covering arson. If we allowed arson, we could never cover the fire insurance with respect to arson. There’s a remedy for that, and it’s called police and jail.”
But not everyone’s outlook is that grim.
“I definitely wouldn’t agree that the cyber product is broken,” said Michael Trendler, managing director of cyber with Travelers Canada.
“We provide valuable coverage that can literally be the difference between a company going out of business after suffering a cyber event if they don’t have a cyber insurance policy and protecting the company while ensuring its future if it does. The industry will continue to make adjustments where and when they are needed.”
Lindsey Nelson, cyber development leader at CFC Underwriting, said, “It’s a bit surprising to hear anybody [express] the sentiment that the cyber product is broken, because it’s arguably worked incredibly well over the last few years in responding to claims.
“Certainly, cyber is a challenging market because the threat landscape evolves so incredibly quickly, but it doesn’t have to be unprofitable. The market unanimously has worked for making sure that the price is right and matches the evolving threat landscape today.”
Back when ransom demands were hundreds of dollars — rather than the hundreds of thousands (or more) dollars they are today — policy pricing matched that, said Nelson. And when the average social engineering loss was $25,000 as opposed to millions, pricing matched that. “It wasn’t the severity-driven claims that we’re seeing today.”
With better pricing, Nelson said the market is in a much more sustainable position than before. “We’re starting to get to the point where we really do believe that the price is what it should be as a market. As a result, it’s been a little less volatile for brokers in speaking to their clients.”
That said, profitability doesn’t necessarily translate into affordability for clients, as noted last July by Marc Major, industry and specialty placement leader at Marsh Canada. He told CU at that time companies will buy cyber as long as it’s available. But pricing does have a bearing on whether or not some company boards opt to self-insure.
“The cyber line in specialty is increasingly being challenged,” he said, “almost to the point where the question on most boards’ desks these days is, ‘Do we even bother buying this? What are we actually buying…if it doesn’t protect the risk we’re most concerned about?’”
This article is excerpted from on that appeared in the February-March edition of Canadian Underwriter. Feature image by iStock.com/D-Keine