Cyber Insurance Becomes Increasingly Popular in Canadian Business Community
Cyber insurance is experiencing a surge in popularity among Canadian businesses, according to data from a recent survey commissioned by the Canadian Internet Registration Authority (CIRA). This trend is likely fueled by the increasing frequency of ransomware attacks.
The Strategic Counsel, a research firm, conducted an online survey in July and August 2024, polling 500 Canadian cybersecurity decision-makers, including business owners and employees. All participating organizations employed at least 50 people who used computers or mobile devices for at least 20% of their work. Private sector firms included in the survey had fewer than 999 employees.
Eighty-two percent of the surveyed organizations reported having cybersecurity insurance coverage, a marked increase from the 59% reported in 2021. Of those with policies, 42% had cyber-specific insurance, while another 40% integrated it into their business insurance.
Businesses also noted shifts in the cyber coverage landscape. “Most organizations with a policy indicate that their provider has made changes to the coverage,” the study notes. “The most common changes are proof or verification of security measures in place, increased premiums, and changed eligibility criteria.”
Survey respondents indicated the following reasons for policy adjustments (multiple answers were allowed):
- 39% reported their insurer requested new verification of cybersecurity measures
- 38% faced increased premiums
- 37% had insurers modify eligibility criteria
Additionally, 30% of respondents reported a reduction in ransomware attack reimbursement amounts.
Rising Costs of Cyber Incidents
The average expenses associated with managing cybersecurity incidents are increasing, according to IBM’s Cost of a Data Breach Report 2024. This report indicates that the average cost of a data breach reached US$4.88 million last year.
“This number accounts for a rise in the cost of lost business after a cyberattack and the cost of post-breach responses required by organizations to recover from a cyberattack,” write Torkin Manes LLP counsel Roland Hung and Laura Crimi in a blog post on Mondaq.
Ransom demands related to ransomware attacks also have implications for cyber insurance. The CIRA survey revealed that 28% of Canadian businesses were victims of successful ransomware attacks in 2024, a substantial rise from 17% in 2021. Among the 141 cybersecurity decision-makers who reported experiencing a ransomware attack, 79% confirmed their organizations paid the ransom demands. Survey data showed that the most frequently paid ransom amount fell within the $50,000 to $100,000 range.
Reporting and Reputational Damage
It appears that organizations often choose to pay the ransom and remain discreet about the incident. The survey suggests one factor contributing to this trend is the rising frequency of reputational damage suffered as a result of a cybersecurity breach. “The impact of reputational damage has trended up over time (28% select it as an impact in 2024, compared to only 6% in 2018), as has the impact of loss of customers (26% in 2024, compared to only 6% in 2018),” the CIRA report states.
While Canadian law requires businesses to report significant breaches to privacy commissioners, few are willing to involve law enforcement. As Hung and Crimi observed, “A common trend is that organizations will often pay the ransom and remain silent on being the victim of a ransomware attack, where possible.”
The reluctance to contact law enforcement carries a cost. Involving law enforcement, particularly early in a ransomware attack, results in approximately $1 million saved, according to IBM’s report. The benefits of police involvement include a quicker identification and containment of the cybersecurity breach.
