Maryse Rivard

Cybersecurity is a major concern for small and medium-sized enterprise (SME) leaders, and insurance brokers have every reason to encourage their business clients to secure protection in this area. 

"Anything related to cybersecurity is a major issue for firms, both as SMEs and as insurance professionals," says Maryse Rivard, a Vice President at Synex Assurance, a broker at Deslauriers and Associates, and President of the Regroupement des cabinets de courtage d’assurance du Québec (RCCAQ). 

"We have an obligation to offer this coverage to our insureds. It's a new product, and not all firms are comfortable offering it, but we know that we have a professional duty to truly understand our client's needs," she adds. 

In November 2023, the RCCAQ produced a report as part of the parliamentary work on Bill 38 submitted by Quebec’s ministère de la Cybersécurité et du Numérique (Ministry of Cybersecurity and Digital). 

Presented on Nov. 1, 2023, at the National Assembly of Quebec, the Act amending the Act respecting the governance and management of the information resources of public bodies and government enterprises, which became Chapter 28 of the 2023 laws, was sanctioned on Dec. 6, 2023. 

In this report, the RCCAQ cited figures from a KPMG study commissioned by Canadian brokers. It was noted that, according to Coveware, 43% of global cyberattacks target SMEs. However, according to Accenture, only 14% of SMEs are adequately prepared to defend against cyber threats. 

In terms of cybersecurity, SMEs need to think about people, business processes, and technology, says Ms. Rivard. It is important to prepare an intervention plan, conduct phishing test simulations, raise employee awareness, and collaborate with specialized firms to conduct penetration tests. 

For a national campaign 

Eric Manseau

The RCCAQ submitted this report to ask the government to promote cybersecurity in the private sector. Even though the proposal was outside the scope of the law, it does not regret this intervention. "This is such an important issue; the Ministry should also be concerned about and raise awareness among SMEs about cybersecurity," says Éric Manseau, Executive Director of the RCCAQ. 

"He could expand his role beyond public organizations and work to raise awareness among SMEs and private organizations," he adds. The RCCAQ took advantage of its visit to the National Assembly in May 2024 to meet with representatives of the MCN. The idea of a national cybersecurity campaign was renewed. The RCCAQ also shared the study commissioned by the Insurance Brokers Association of Canada (IBAC) with KPMG on the Canadian cyber insurance market. 

Dated August 2023, the study titled Cyber Risks and Cyber Insurance: Managing Cyber Risks in an Ever-Changing Ecosystem includes three main sections. The first addresses current and emerging risks. The second summarizes the evolution of the cyber insurance market. The third aims to equip brokers to better serve their clients. 

Hackers are using increasingly sophisticated means to deceive targeted firms, according to Maryse Rivard. In addition to ransomware, which is used to extort victims of a breach, payment transfer fraud is the most common direct damage. Insurance coverage helps to limit these losses that are related to social engineering, where the hacker obtains sensitive data that allows them to divert funds promised to a supplier, for example. 

Maryse Rivard recounts the case of a client who fell victim to such a fraud. The entrepreneur had declined the coverage in writing. After being defrauded of 400,000 euros, he decided to insure this risk for a year but then stopped, finding the premium too costly. 

"I'm my clients' broker, not their mother," notes Ms. Rivard, reminding that her duty to advise ends when a well-informed client still decides to decline the coverage. 

The KPMG study highlights that the sooner, the better when a client needs to file a claim. The discovery of a real or suspected incident should be reported as quickly as possible to the broker. Insurers want to be informed promptly to activate their services to contain the incident and prevent losses. 

Reasons SMEs refuse coverage 

When offered cyber risk insurance, SME leaders refuse coverage for four main reasons, summarizes Éric Manseau: 

  1. The companies are too small to be targeted; 
  2. The quality of their IT team. "But 80% of breaches are due to human error," notes Mr. Manseau; 
  3. Their general policy already covers their risk; 
  4. In the event of a loss, the insurer won't want to pay. However, the figures show that insurers lost money for years because indemnities far exceeded the premiums collected. The market reacted, and insurers increased premiums, limited coverage, and imposed access conditions. 

In this regard, Maryse Rivard cites the case of a company with locations across Canada and revenues of $100 million. The cyber premium is $40,000 for a $5 million limit. "I still find that reasonable," she says. 

The average cost of a security breach in Canada was estimated at $5 million in 2022, according to KPMG, citing IBM figures. 

Rivard recalls one breach case that had a loss amounting to $500,000, which involved a leak of personal information, including names, contact details, and the social insurance numbers of 30,000 people. "We had to write to all these people. It's a lot of work to manage that," she says, noting that insurance also helps cover these third-party damages. 

"It's the same principle as fire insurance. I hope you pay the premium your entire life without ever having to make a claim. In the event of a fire, insurance covers the financial loss, but it will never erase the trouble experienced following a fire," concludes Rivard. 

This article is a Magazine Supplement of the July issue of the Insurance Journal.