Is compliance a barrier to your small business clients buying cyber?


Compliance with cyber regulations may be a barrier to Canadian small businesses acquiring cyber insurance protection.

“Having a certification, or having a compliance officer, a compliance team in your office, it just makes this stuff so much easier,” Steve Penney, chief technology and digital officer at BOXX Insurance, said at the Reuters Future of Insurance Canada 2023 conference in Toronto Wednesday. He noted cyber compliance surveys can be 25-to-30 pages long.

“A lot of the times the questions you’ll get will go into even more depth,” Penney said. “You need to have the certification. So you have to take it seriously. In the worst cases, it takes small companies almost a year. It does take a lot of focus to get there.”

But as Nicole Seymour, chief regulatory and compliance officer at Lloyd’s Canada, pointed out, many Canadian small businesses are only shops with five to 10 employees, so they don’t have a compliance officer, or anyone dedicated to cyber security.

“I mean, it’s been heartbreaking,” Seymour said. “You’re telling people these compliance checklists are 20 pages long. They are just checklists, right? I know they’re there to assess and mitigate the risks.

“But when there’s a product development opportunity, one of the key factors of the development is ensuring you have the right people at the table. So, respectfully, a lot of small businesses wouldn’t have a compliance officer, and a privacy officer, and a legal counsel, and a [chief] risk [officer]. But whoever is wearing those hats within your organization should be at the table from Day 1 on the development. It does make completing those checklists so much easier.”


Even for insurers that want to launch new, innovative products, “there’s so much to consider when you’re looking at launching a new product,” Seymour added. “Insurance regulation is part of that.”

Part of the Fair Treatment of Customers insurance guidelines covers innovative technology solutions.

Privacy legislation may apply to spousal questionnaires, for example. New regulations on artificial intelligence (AI), expected next year, may require customers to know how AI applies to their insurance products or solutions. Plus, if a business has operations outside Canada, a person would have to keep up to date with U.K. regulations around technology as well.

In some ways, this is a reason why insurance companies may have trended away from acquiring insurtechs and now work in partnerships with them, suggested Piyush Srivastava, partner and head of the North American industry advisory group at Tata Consultancy Services. It’s partly because once the insurtechs were brought in-house, they had to comply with all of the various regulations governing the insurance product, so innovation came to a standstill.

Insurance companies are launching digital innovation, but not at the same pace as fintechs or insurtechs, said Srivastava.

“Smaller companies and startups have [been] built from the ground up using new technologies, so obviously they have an advantage,” he said. “Larger companies can work within an ecosystem of partners. I think we have seen that from the industry.”

 

Feature image courtesy of iStock.com/Laurence Dutton