Managing Cyber Risk in an Interconnected World
Debbie Coull-Cicchini, Executive VP, Ontario, Western & Atlantic Canada, Intact Insurance
As multi-million dollar ransomware cyberattacks grab the headlines, most Canadian small and medium-sized businesses remain both unprotected and unaware of their digital vulnerabilities. It’s our joint responsibility to change this. Fewer than 20 percent of Canadian businesses have written cyber security policies in place. Not insurance policies—just simple, written protocols or safety procedures on how to manage their exposure to cyber risk.
Only 17 percent have some form of cyber insurance, and while this is a significant increase from 2017 when that number was nine percent, these Statistics Canada numbers should worry us. In a knowledge economy characterized by a “work anywhere” workforce and digital interconnectivity, they mean that more than 80 percent of Canada’s entrepreneurs have neither protection against nor a plan to deal with a cyber attack.
And in the digital business environment in which we’ve all spent the past year and a half, cyber attacks are a daily reality.
Entrepreneurs are not unaware of these threats. They track trends that affect their markets and industries.
They know the remote work necessitated by the pandemic accelerated cyber threats driven by our desire for greater connectivity and faster access to information. They see the headlines about privacy breaches, malware, phishing scams and ransomware.
They might not know that the cost of the average ransomware demand has risen from $450,000 in the first half of 2020 to $1.2 million in 2021, but they’re aware ransomware is a growing problem. They’ve likely read that Canadian businesses spend billions of dollars on prevention, detection and recovery from cyber security incidents (a total of $7 billion in 2019; likely significantly more in 2020). They’ve probably heard some of the alarming statistics the Canadian Centre for Cyber Security releases annually.
They know the problem is huge.
And that’s precisely the problem.
Canada, our Big Business success stories notwithstanding, is a small-to-medium sized enterprise (SME) economy. Only 0.2 percent of Canada’s businesses employ 500 or more employees, while 97.9 percent employ fewer than 100 people.
Best Practices from Intact’s IT Team
  • Use business devices only to store and exchange business data.
  • Keep password-protected screen savers for laptops, smartphones and tablet devices.
  • Use the timeout feature (five minutes maximum) to lock the device screen when idle.
  • Choose not-easy-to-guess passwords to protect your devices and accounts.
  • Change passwords frequently.
  • Educate yourself on social engineering and characteristics of phishing scams.
  • Regularly reinforce best practices among your employees.
  • When in doubt, don’t click on it.
Five Questions to Help Assess Your Customers’ Cyber Exposure
  1. What are your intangible assets? How do you protect them?
  2. Who controls and protects your website?
  3. What would you do if you lost control of your website or social media accounts?
  4. How do you collect and store your clients’ information? What would you do if you lost access to that data?
  5. What training do your employees get on cyber security?
Unfortunately these businesses—in a very typical, humble way—think they’re too small, too unimportant to be at risk.
They’re not.
If they have a website, if they have a mailing list, if they have employees who use email and computers, they’re at risk, and increasingly so. Coalition Inc.’s H1 2021 Cyber Insurance Claims Report reveals that the first half of 2021 saw a 57 percent increase in cyber attacks against organizations with fewer than 250 employees.
Most of these organizations are unprotected. A 2020 Cyberscout research study reports that more than 69 percent of these smaller businesses don’t have cyber liability coverage—worse, as per the Statistics Canada data above, they don’t have cyber risk mitigation policies in place.
Of the two—cyber liability insurance and cyber risk mitigation procedures—risk mitigation practices are the more critical piece of cyber security for SMEs.
The insurance industry was built in a tangible world, and most of what we continue to insure today are things we can touch. The ongoing shift to a knowledge economy and the resulting dominance of intangible assets mean insurers must shift the paradigm so solutions are responsive and protect what’s important to customers right now, whether that asset exists physically or in cyber space.
As we work to shift that paradigm, the most important tool to protect Canadian business against cyber threats is education.
The UK’s Information Commissioner’s Office recently reported that nine out of 10 cyber breaches in that country are caused by human error.
Canadian statistics are likely similar. This means we must increase cyber security education among employees, business partners and customers.
The role of brokers in this initiative cannot be overstated. As Cyberscout’s CMO Jeremy Barnett said in a 2020 Insurance Bureau of America’s white paper on cyber insurance, “Brokers are key to helping small businesses get proactive about managing their cyber risk.”
Insurers can provide all the wordings, tip sheets and best practice guidelines they like. None of these resources will help unless customers understand, embrace and implement them.
If you’re not sharing best practices in cyber risk mitigation with your customers, start today. In a threat landscape that’s evolving daily, you’re their best protection. For co-branded resources to help with your conversations on cyber security, talk with your Intact Insurance representative.

Insurance Brokers Association of Ontario
1 Eglinton Avenue East, Suite 700
Toronto, ON M4P 3A1
416.488.7422 | 800.268.8845
Copyright © 2021 by Insurance Brokers Association of Ontario. All rights reserved. The contents of this publication may not be reproduced in whole or in part without prior written permission.