Why cyber insurance turned the corner to profitability

It lost money during the early pandemic but cyber insurance in Canada has turned the corner

By David Gambrill | September 10, 2025 | Last updated on October 1, 2025

After hemorrhaging money during the pandemic’s first year, cyber insurance in Canada turned a corner in 2023-24 to become a profitable business line.

During the pandemic, the cyber loss ratio for Canada’s P&C industry, including Lloyd’s, reached 371.4%, according to data from MSA Research. But in 2023, under the IFRS 17 insurance accounting standard, the cyber gross insurance service ratio was 83.4% for the industry, including Lloyd’s. That fell to a healthy 38% with Lloyd’s in 2024 Q3.

Why the turnaround?

“I think the baseline of cybersecurity controls during that hard market [during the pandemic] levelled up cyber hygiene and the protection baseline that a lot of firms had, so now it’s a more comfortable underwrite,” says Sean Duggan, senior vice president of specialty risks and claims at KRGInsure.

Still, you can sense cyber insurers are waiting for the other shoe to drop.

Cyber insurers remain concerned about large-scale, aggregate risk exposures. Some of that worry is a byproduct of the interconnected nature of businesses, internet service providers and software companies.

“What concerns me is the systemic risk component to cyber and the fact there could be a widespread event, in which case we do need to remain quite vigilant in the underwriting to be able to sustain that,” says Alison Donato, senior vice president of commercial insurance solutions at Tokio Marine.

Sources point out the risk isn’t always connected to the actions of cybercriminals. They highlight the Rogers internet service outage in July 2022, and the July 2024 outage caused by CrowdStrike, a cybersecurity firm. Both related to providers issuing faulty codes on their client networks.

In these situations, system failures led to widespread business interruption, says Patrick Bourke, cyber and professional lines practice leader at Navacord.

And CU sources note carriers do have ways to manage this type of risk. For example, Bourke says, “CrowdStrike was a system failure rather than a security attack, and so probably a lot of policies did not respond because it was a system failure.”

Plus, insurers have developed ‘cooling-off periods,’ meaning they will not cover business interruption losses for certain periods after a system failure, says Marc Major, Marsh’s managing director and global placement leader for Canada. This buys time so service providers can fix the problem.

“I think the bigger concern for cyber underwriters is the businesses that are impacted, and restricting the downstream impact,” Major tells CU. “They underwrite for a waiting period of at least 48 hours, figuring ‘We know [the service] gets back and so that [outage is] not going to impact us.’ So that downstream impact, I think we’ve seen the screening of that.”

BI worries

But cyberattacks can lead to business interruption as well, says Bourke. He recalls the 2020 SolarWinds hack, which exposed the systems and data of 30,000 public and private organizations.

SolarWinds is a software company based in Tulsa, Okla., providing tools for network and infrastructure monitoring for large companies. Hackers accessed its IT performance monitoring system called Orion, which serviced companies worldwide. And so, when SolarWinds sent a software upgrade to all its clients, it inadvertently sent them all malware.

Bourke remembers a work colleague calling him on Dec. 22, 2020, when SolarWinds was hacked.

“So now, all of a sudden, SolarWinds is in trouble, right?” he recalls his colleague telling him. “Multiple class actions. D&O policy triggered because their stock dropped. Every one of their clients could have an issue. If we’ve insured them all, this one event could be catastrophic.

“That’s something insurers will have to keep in mind, no question.”

Plus, increasing sophistication of social engineering attacks may more widely impact other policies, sources tell CU. For example, corporate boards that refuse to purchase a cyber policy, or purchase inadequate coverage, may be named in lawsuits for that business decision.

“I think one of the reasons why [social engineering] is such a heightened issue is that it really touches on three different kinds of coverage, and sometimes four, depending on the industry,” says Matthew Studley, chief operating officer for the Ontario and Atlantic region of Hub International.

“So, crime, for sure, D&O, for sure, and cyber for sure. The other one would be E&O [errors and omissions], depending on if you have client data, or the industry you’re in. It’s one of those risks that bleeds into a lot of different policies.

“And I’m not sure a lot of insurers, prior to three to five years ago, were really pricing for it, or at least, pricing for it in three different ways. And that’s a big challenge, especially with the proliferation of AI and deepfake technology, and everything that can go on.”

This article is excerpted from one that appeared in the August-September, 2025 print edition of Canadian Underwriter.

David Gambrill

David has twice served as Canadian Underwriter’s senior editor, both from 2005 to 2012, and again from 2017 to the present.