Property and casualty insurers have been told to prepare for an increase in cyber insurance claims as companies in Canada and the United States are at high risk of being online targets for cyberattacks if Russia decides to retaliate against government sanctions.
Since Russia invaded Ukraine, the federal government has warned Canadian businesses and organizations that the threat of cyberattacks and malicious software has increased. U.S. intelligence officials have briefed Congress on potential threats to homeland security, emphasizing that the most serious threats include cyberattacks.
Cybersecurity experts, government agencies and insurance analysts have voiced concerns that state-sponsored attacks will become more sophisticated in the coming weeks, potentially affecting physical and financial infrastructure in most countries.
Cyber insurance, also known as cyber risk insurance or cyber liability insurance, has seen tremendous growth over the past three years, with premiums totalling more than US$7-billion globally in 2020. The specialty insurance typically covers business owners for financial losses from cyberattacks and hacking.
DBRS analyst Marcos Alvarez published a report last week that said insurers are likely to see increases in cyber claims.
Mr. Alvarez says while acts of war are typically excluded from cyber insurance policies, the conflict in Ukraine could increase cyber-related insurance and reinsurance claims in North America, as it is “extremely challenging” to determine whether a cyberattack is an act of war.
“In order to deny a cyber-related claim in this context, insurers will need to demonstrate beyond a reasonable doubt that the claim in question is not related to a government body, or performed by a group acting as a proxy of a belligerent government,” Mr. Alvarez said in an interview.
“… Cyber warfare operations are typically not publicly acknowledged by the aggressor.”
As a result, insurers may have to pay out cyber insurance losses, even for an attack in which a state actor may be strongly suspected. Mr. Alvarez points to the 2017 NotPetya malware attack on U.S. pharmaceutical giant Merck, which lost US$1.4-billion. An insurer denied the claim based on a war exclusion clause, but was overruled later in court.
With the spike in popularity of cyber insurance, and rising frequency of claims, the market has seen a significant surge in loss ratios and deterioration in profitability over the past two years, Mr. Alvarez said.
Cyber insurers have responded by almost doubling premiums, reducing coverage limits and raising deductibles.
“We expect the hardening of cyber insurance rates to continue into 2022, given the potential fallout of the Russia-Ukraine conflict,” Mr. Alvarez added.
Two Canadian-based insurers that offer cyber insurance coverage in global markets are Fairfax Financial Holdings Ltd. and Intact Financial Corp.
During 2020, the top 10 insurers in the United States supplied almost 68 per cent of the cyber insurance market. Toronto-based Fairfax Financial is among them, and accounts for about 4 per cent of the U.S. market overall, according to the National Association of Insurance Commissioners (NAIC).
Fairfax declined to comment on its cyber insurance policies.
Intact Financial provides customers under a commercial insurance policy with privacy breach liability, which offers compensatory damage. Identity theft and cyber protection are available as an add-on for personal home insurance policies.
Intact spokesperson Kate Moseley-Williams said the company “encourages customers to remain vigilant as the Russia-Ukraine conflict continues to unfold.”
The Insurance Bureau of Canada – a national industry group with 74 insurance company members – has been closely monitoring the potential rise in cyber risk.
IBC spokesperson Andrew Bartucci said in an e-mail that the insurance industry continues to educate consumers on cyber exposure and how cyber insurance may help manage that risk, but businesses should be aware that cyber insurance is just one component of an overall mitigation strategy.
“.. An insurance policy is not a replacement for cyber resilience. Cybersecurity is a shared responsibility, and firms must continually renew efforts to bolster their cyber defenses.”
Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.