What's key to cyber risk mitigation? - Insurance News Magazine

What’s key to cyber risk mitigation? | Insurance Business Canada

Cyber

What’s key to cyber risk mitigation?

Employees are often the first line of defence

Cyber

By
Nicole Panteloucos

Following last week’s news that the infamous Change Healthcare data breach has officially compromised the data of 100 million individuals, the threats posed by cyber risks have been thrust into the spotlight once more.

However, despite the growing frequency and severity of such incidents, many companies remain hesitant to purchase cyber insurance, often viewing it as an unnecessary expense rather than a critical line of defence.

As many brokers know, this reluctance often arises from various factors, including misconceptions about coverage, a lack of understanding of the risks among clients, and the belief that their businesses are too small or insulated to be targeted. In fact, a 2023 survey by the Insurance Bureau of Canada found that 69% of small businesses do not view cybersecurity as a financial priority.

“It’s actually quite shocking to see how many companies are still resistant to buying cyber insurance despite the fact that it is such a high frequency and severity exposure,” shared Jonathan Weekes (pictured), senior vice president, cyber practice leader at Hub International Canada.

As businesses become more reliant on technology, the need for comprehensive cyber risk management strategies becomes not just prudent but essential.

Like any effective cyber risk management plan, having a robust insurance policy that covers data breaches and privacy liability, ransomware and cyber extortion, and third-party liability (see the recent CDK Global attacks) is essential. Additionally, brokers should encourage clients to develop strong protection plans within their organizations, with a focus on employee cyber training.

“While many might be tired of hearing about employee training, if you can equip your staff with the necessary knowledge to identify and cut cyber breach attempts short, it goes a long way to preventing significant financial loss,” said Weekes.

Accordingly, estimates indicate that even the most basic cyber training programs can yield up to a seven-fold ROI, with modest investments in security awareness training demonstrating over a 70% likelihood of significantly reducing the business impact of a cyberattack.

As Weekes advised, training programs must evolve to keep pace with cybercriminals’ changing tactics. Standard annual sessions may not be enough. Companies should instead adopt a mix of training methods, such as:

Video training and quizzes: Engaging employees with video content followed by quizzes to reinforce learning.
Gamified learning: Implementing game-like scenarios that allow employees to practice identifying threats in a controlled environment.
Phishing simulations: Running real-time phishing campaigns to test employee responses and identify those who may need additional support.
Deepfake recognition tips: Teach employees that audio/ video deepfakes may sound robotic or delayed, particularly in simple responses. Encourage them to pay attention to speech patterns; unexpected pauses or unusual tone shifts can signal something is amiss.

“Running the same training for your staff every year, thinking it’s still up to date and relevant, is probably not the best approach,” Weekes warned. Such varied approaches help maintain engagement and reinforce the importance of recognizing social engineering threats.

For brokers working to sell cyber insurance to hesitant clients, Weekes shared that adopting a strategic, consultative approach is essential. One key tactic is to help clients quantify their cyber risk.

As Weekes explained: “One of the things that we do with our clients now is, as we go through the process of procuring cyber insurance for them, we encourage them to find a way to quantify their risk.” Whether clients conduct internal assessments or use broker-provided tools, understanding financial exposure to cyber and fraud-related risks helps shift the conversation from pure sales to meaningful risk management.

Rather than pushing a policy, brokers can initiate discussions around cyber exposure, positioning themselves as strategic risk partners rather than traditional salespeople. Weekes recommended opening with questions like, “When is the last time you actually took some time to assess your cyber risk or quantify your risk associated with technology and privacy-related exposures?” Such questions can spark a “light bulb” moment for clients, encouraging them to view cyber insurance as a proactive measure rather than an added expense.