How cyber pricing is trending for large Canadian companies
Large corporate cyber clients in Canada saw pricing decreases last year and one cyber underwriter expects the market for those risks will flatten out in 2024.
“In 2023, we did see some fairly significant softening in the market; prices were effectively decreasing,” John Sinclair, a senior underwriter with CFC Underwriting, told Canadian Underwriter in an interview Tuesday. “Particularly, that gained momentum in the second half of the year.
“We may expect to see some small decreases in early 2024, but then we expect the market to broadly flatten out.”
CFC defines a large corporation as a company with more than $250 million in annual gross revenue. Small- and medium-sized enterprises (SMEs) are considered under $250 million in annual gross revenue.
Despite the abundance of cyber capacity and new entrants in the market in recent years, the claims environment remains tricky, Sinclair said. In particular, ransomware claims for CFC increased in 2023 from 2022.
“We see that as basically putting the floor on current pricing decreases,” he told CU. “It’s also fair to say that, at least in the large corporate space, a lot of these risks were already getting price decreases as 2023 developed. So, we don’t believe the rate adequacy is in the market for these risks to effectively get compound rate decreases…”
From a CFC claims perspective, ransomware accounts for about 15% of all cyber claims (large corporate and SME) by frequency, but 70% by severity, Sinclair reported. And there’s no reason to believe the ransom and extortion threat will change, given the current economic environment for threat actors.
Longer-tail claims
Outside of ransomware claims, CFC is also seeing longer-tail privacy claims related to biometrics and website tracking technology. For example, a tool called Meta Pixel that monitors websites’ engagement was found to be inadvertently siphoning off sensitive data and sharing it with Meta (Facebook). Healthcare entities in the United States in particular were sharing personal health information with Meta, Sinclair said. “It’s something that underwriters are very live to.”
Although these incidents haven’t occurred that much in Canada, Dolden Wallace LLP partner Brett Stephenson said at a cyber event last year insurers should expect pixel liability to “rear its ugly head” in Canada after recent litigation in the U.S.
Globally, including Canada, the industry is also seeing privacy regulation being beefed up. For example, Quebec and British Columbia changed their privacy legislation to bring it more in line with General Data Protection Regulation-type requirements.
And there is increasing focus in Canada and globally on how businesses are using personal data once they collect it and what kind of consent is required. This means stronger regulatory frameworks for regulators to fine companies, but also potentially more class action lawsuit threats for businesses, Sinclair said.
“We have seen some fairly significant class actions in Canada related to privacy cyber,” he said, using Desjardins’ recent settlement of a 2019 data breach as an example. Although a lot of Canadian class action lawsuits fail to get certified, it still is a threat, Sinclair said.
On a positive note, a number of cyber Cat bonds have been successfully launched, adding much-needed capacity to the market. A lot of capital providers and reinsurers need comfort around systemic risk modelling, or a single event that triggers multiple cyber events.
“No one wants to wake up and find that 10, 20% of their portfolios effectively had a loss from a single event,” Sinclair said. “And so systemic risk is absolutely front and centre, in terms of what everyone within cyber is thinking about.”
And systemic risk remains top of mind, especially as more businesses look at more outsourced cloud-based IT solutions. “All roads lead back to systemic,” Sinclair said.
Feature image by iStock.com/peshkov