Does Canada need a cyber insurance government backstop?

Steps have been taken to improve profitability for Canada’s cyber insurance product. But can more be done?

Are new exclusions an option, for example? Or does the industry need something like a cyber backstop — similar to what’s proposed for flood and earthquake risk?

“Bringing in new exclusions is a worst-case scenario for insurers in an environment in which it is already the most scrutinized product in existence,” says Lindsey Nelson, head of cyber development at CFC. “It also assumes the threat landscape is changing when it, in fact, isn’t…”

Despite the narrative about an ‘ever-evolving threat landscape,’ cyber incidents have looked incredibly similar for years, give or take fluctuations in intent and impact, Nelson argues. “Insurers need to scale data over a period of time, be able to know what to do with that data to make informed decisions about underwriting appetite, invest in their proactive infrastructure to manage claims frequency, and keep the product as broad as possible.”

On the other hand, Greg Markell, president and CEO of Ridge Canada, says bringing in new exclusions is a possibility, but what’s more likely is a strengthening of contract language between businesses and managed security service providers (MSSPs). While insurance is heavily regulated, the same does not apply to MSSPs.

“So, the disparity of contractual language that small businesses and mid-sized businesses are entering into is very different than enterprise-level agreements,” he says. “I think it’s a matter of zeroing in and seeing a maturation of indemnity language and reactivity — [who] leads in these scenarios and whose responsibility is what?”

Related: Do cyber policies cover AI-generated crimes?

Charlie Stenger, CEO of GST Specialty, a boutique insurance wholesaler in Kansas City, Missouri, says some cyber exclusions have already been clarified. He points to Lloyd’s clarification of war exclusions in cyber policies. It’s not clear which exclusions could help the cyber product, but when it comes to endorsements, Stenger sees more medical coverage in cyber policies. He uses the example of a cyberattack at a hospital during a critical heart or brain surgery.

“I could see that being a catastrophic event lawsuit,” says Stenger. “Right now, bodily injuries come in with about a $250,000 endorsement; sometimes, it’s endorsed, sometimes it’s just on there.”

Creating capacity

As for whether a federal cyber backstop could work to further improve cyber profitability, Markell doesn’t think it’s necessary.

CAIB New Edition 1.0 – a New Standard for Broker Education Image

Insights Paid Content

CAIB New Edition 1.0 – a New Standard for Broker Education

Preparing brokers to navigate an increasingly complex insurance landscape.

By 

Sponsor Image

“We don’t need government meddling in this right now,” he says. “Government needs to demonstrate that they are able to protect their own factions before they start coming in and saying, ‘Hey, we’re going to backstop.’

“Backstops are going to promote poor underwriting practices overall. I think this is still an immature market that needs to continue to mature. So, if we take on a safety net, that’s just going to promote bad behaviour amongst all participants in the market.”

For Stenger, the issue is when a liquidity pool should be created, or which metrics might be used to determine cyber market capacity. “It feels like you’ve got a lot of capacity coming into the market, a lot of reinsurance players who are entering the market that are getting bigger [and] doing those Cat bonds…so I’m not sure at what point if capacity runs out, if that’s when the government comes in…”

Given developments in the insurance-linked securities and warranties space, and new coverages in the cloud outage provider space, “that is going to continue to propel the cyber insurance industry from a capitalization base forward,” Markell suggests. “And so hopefully what that does is take out the depth of the peaks and troughs again.”

In general, most policies are appropriately priced for the cyber coverage they offer. And policies offering fewer exclusions are also typically priced accordingly, says Matthew Friesen, vice president of central sales at Western Financial Group.

“Until flood and earthquake backstops are created and widely in place in Canada, the government and industry need to prioritize partnering in those spaces before moving to considering backstopping other coverages like cyber.”

This article is excerpted from one that appeared in the February-March print edition of Canadian Underwriter. Feature image by iStock/JohnnyGreig