Paul Martin & Colin Rooke continue the discussion on the implications of cyber liability for corporate directors.
Listen to the full episode here, or read the full transcript below.
Paul Martin:
Welcome to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin, the business commentator on CKOM, and joining me today, Colin Rooke, commercial risk reduction specialist with Butler Byers. And Colin, the last time we got together and had a conversation, the topic du jour was just an update on sort of the newest nuances around cyber liability, cyber security, and obviously we’ve talked a lot about how businesses need to be very proactive and really be on top of this thing. But there’s some legal subtleties around this too and in particular, those who have in your corporate world, there are directors, there are officers, and sometimes boards of directors that there are implications for them as well. That’s not just something that is operational. This goes right up to the very level of those who hold titles such as corporate secretary or president and director.
So maybe we just pick up there, if you don’t mind. We had that conversation last time, you’ve put together a directors and officers step-by-step guide, but just maybe let’s refresh that conversation from last time and there were some sort of new areas that we really didn’t get a chance to get to because of time last time. So let’s do that this go around. Maybe just a quick recap of what’s the lay of the land and this side of the sort of legalese and the fiduciary side of the corporate elements related to cybersecurity and cyber protection, cyber attacks.
Colin Rooke:
Yeah, so we were talking about our assessment for any board. It could be used for the organization itself at the management or leadership level, but really it’s designed to pinpoint or outline as a board thinking of cybersecurity, what you need to make sure the organization or the business has in place to protect the board itself and their liability. So rather than say, again it really is a checklist of what the board should ask for, what the board needs to see, what the board needs to make sure is occurring at the organizational level. And it’s different than a guide we would use for any business. It’s not a, this is what an incident response plan is, this is the step-by-step of how to do it. This is educating the board to say why you need to recommend they have an incident response plan, who to assign to get it done, why it’s important and the impacts.
So I guess I created a lot of fear at the board level from a pre-claim perspective, not doing your due diligence and then also being called to task from a post claim perspective. And so very important one, you got to do the work beforehand. What have you done beforehand? If there’s a breach, how did you handle it? What policies and procedures are in place? And so this assessment covers all that. But I didn’t get to sort of finish off, okay, well where is the insurance industry on this? Are you left just… I outline what you need to do. I uncover all these exposures, I create this fear, but is there coverage available? And so I did want to just circle back and say, yes. So cyber liability underwriters and directors and officers underwriters have recognized there may be gaps on both sides of the policies. That in a cyber event, fingers are being pointed at the board of directors and officers or any board that’s formed and they are being questioned on pre-incident policies and pre-incident work.
For example, if the board was aware that the controls were quite low but did not step in to remedy the problem, maybe they just didn’t get to it or the expertise isn’t there, they are adding in coverages. They are working on that to say, okay, we need to extend coverage on both the cyber liability policy and the directors and officers policy to cover these boards. So there is an exposure there. And the main concern being is you’re not going to get qualified board members if there is a concern that their individual assets are at stake in the event they make a mistake like failing to be cyber secure.
So yeah, I did want to just touch on and say this is being worked on. It’s certainly not across the board, but the cyber market and the directors and officers market is aware of this and are working on it.
Paul Martin:
And I guess we should probably just mention too in the run-up to this here, and as I set this thing up, I really talked about corporate boards probably we need to talk about not-for-profits and charities. And this is the kind of thing that many people who are listening to us, they’re involved in the corporate and commercial community, but they’re also very involved in the broader community, whether that’s through their church group or the local service club or just a not-for-profit or charitable entity that they end up on the board of, those liabilities hang in there for them even though they’re doing so-called do-gooder work. You’re not immune, are you? Because you do have donors’ information and there’s stuff that the cyber pirates would actually be interested in.
Colin Rooke:
Exactly. Yeah. It’s not just meant for large corporate boards, it’s really anyone sitting in a board position on any type of organization. You really are held accountable for the operations you’re overseeing. And that’s why understanding what to ask for, what to look for from a cybersecurity perspective, and also really understanding the potential liabilities of the board, like an exposure, like being called to task or blamed in the event that controls aren’t there. Or again, post breach boards are coming into question of how they handled the aftermath. And so if you work through this document, it helps you identify and ask what you need to ask be completed to frankly cover your bases.
Paul Martin:
I guess the thought that comes to mind on this is will this kind of potential liability cause people to say no thank you when they’re asked to contribute by sitting on a community board or something? And I guess I’m just asking, there are ways to protect yourself and it’ll give me some comfort that if I do actually agree to sit on the governance board of a local charity or not-for-profit, that I’m not signing my death warrant here, that this is actually manageable.
Colin Rooke:
It is tricky. And if you’re thinking of joining any board, it’s important to ask a lot of questions about the board, about policies and procedures. Directors and officers insurance has been very volatile and really it started with COVID. Commonly, you see a lot of wrongful dismissal type instances hit the board level. And when you look at the environment we’re in today where we’re coming out of COVID, but now you’ve got boards for example, maybe managing investments or managing debt at an increased rate, which again could lead to additional layoff.
So I guess what I’m saying is before joining any board you really want to figure out, okay, you want to ask as many questions as you can about the structure, the policies and procedures. Is the company itself healthy? Are there proposed layoffs? What are the financials? Don’t just say I’ll join because it seems like a good idea or someone has asked you to do it. It’s more important than that. Even if there is coverage in place, really no one wants to be part of a lawsuit directed at a board. And so with so much uncertainty with the product, I guess, and volatility with interest rates, it’s important to do your due diligence.
Paul Martin:
All right. This has been very, very insightful, Colin. I want to thank you for that. And we’re going to take a little break and maybe change topics when we come back, but we’ve got to just step away for a minute. So if you hang with us, you’re listening to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin back after this.
Welcome back to Risky Business Commercial Insurance with Butler Byers, Paul Martin here, and joining me, Colin Rooke, the commercial risk reduction specialist with Butler Byers. Colin, before the break, we’re talking cyber. I want to just maybe change topics right now and maybe something well a little bit more fact and figure based, a little bit more data. Now here we are just entering Q2 of 2023, and this is the time we start to see all the financial reports from 2022. I assume they’re starting to come out and I know you’ve got some data and well, how did the insurance industry perform last year? And that really has significant implications for the cost of insurance going forward. So what did we learn from last year? What have they started to tell us?
Colin Rooke:
So we’ve been spending a lot of time over the last few years talking about the hard market. I’ve spent a lot of time explaining why your premium may be increasing at a rapid rate, why it’s so important that you’re aware of how that occurs, the role that you the customer play in it, and why it’s so important to tell your story effectively from a proactive risk management to be on the winning end of these increases and to get all the available discounts back to the organization by putting in the work. And so yeah, we spend a lot of time talking about, okay, well what’s going on in the world? These insurance companies are not profitable. Loss ratios are 141%. And so with the update, with 2022 in review, it’s interesting and it just shows that there’s some stability in the market and I think we’re headed towards stability.
So if you look at the top five insurers in Canada that would make up 42% of all collected premiums in Canada, they grew at 7% last year, which is just slightly above, they’re barely keeping pace with inflation. And so taking that information, you could say, okay, well would’ve grown by of course new client acquisition, but also in a large part rate increases. And so it just shows that the overall increases that they’ve seen were very on par with inflation and it is reflected in insurance premiums.
We are consistently seeing five, six, 7% increases. And although it seems high, of course we’d like to see no increase or maybe a decrease, but that is the inflationary environment we are in. And so what you can take away from this is that this data shows a trend, a strong trend towards a more normalized rate environment. And so the industry itself was profitable last year, the combined ratio was 85%, meaning that 15% was available for profits for the insurance companies. And so when you look at their growth estimates, again, it really is reflected in renewal premiums that six-ish has turned into the new norm, meaning even there, you put the work in, you could see the decrease while someone else is seeing 15% as well. But I like the trend, it just shows that, you can expect prices to stabilize, at least for now.
Paul Martin:
I guess that’s kind of musical to the ear to hear you say that we’re seeing the end of the hard market at least is in sight. That light at the end of the tunnel is not the train, but actually is daylight that we’re coming out to the other side. Is that a fair assessment of that or am I simplifying it too much?
Colin Rooke:
No, it is. And again, six, seven percent seems high, but when you look at inflation, it’s not. So I think we’re back to profitability. Claims have been in check, there’s good growth and I think that across the board, you can expect that sort of six, seven percent to be the norm. There are certain industries like directors and officers and cyber that may be a little higher, but even some of that, we’re seeing more players enter this cyber market, which is going to drive prices down. And 18 months ago with directors and officers, we were seeing large heavy increases. And even those have relaxed quite a bit. So I think it’s safe to say that, I’m not going to say that the market’s softening just yet, but it’s certainly we’re not having these year over year 30, 40, 50, 300% increases that we have been seeing over the last few years.
Paul Martin:
Well, I just want to harken back to a comment that you made earlier in this part of the conversation where you said if you do the work, and I just want to harken back to that because it’s really been kind of I guess the theme of what we’ve always been talking about in this program is that if you want better insurance rates, coverage, premiums, all that stuff, be a better customer of the insurance company. And that’s really been the argument that you’ve made all the way along where here’s the guides, the step by step plans, here’s the way that you talk the language that the insurance company wants to hear. So as we start to see the market more tilting in favor of the buyer, probably no better time than ever than to dig in with this stuff and say, Colin, give me some of those step-by-step guides and I’ll see if I can’t even beat this inflationary increase and maybe do a little better than average.
Colin Rooke:
Yeah, absolutely. It wasn’t long ago where we did a show saying sometimes 20% increase is winning because the other guy is getting 60, so put in the work today and let’s hope you’re only at 20 where someone else might be at 200. And so it just shows now that if things are normalizing, that the best customers of the insurance industry can put in the work, can actually receive discounts.
Because like I said, if average is now seven well, if you are that hidden gem that the insurance market needs to know about, you can actually benefit from decreases from savings. And the tides are turning, where we’re seeing insurance companies say, I want that account now. We want to grow our book. Versus a few years ago, it’s, please explain in detail why I should take this account because statistically we’re going to lose money on it anyway and we’re happy with what we have. So things have changed and it’s just a great time to say, well, if I want to beat inflation and actually look for some discounts, which I haven’t seen in quite some time, work on it.
Paul Martin:
Well, I guess that’s the point that the market has changed and so finally after a few years, the insurance companies are now more willing to actually listen to your story. And if you’ve got a good, cogent, well constructed, well organized story, you actually have a much better chance of winning the day, if I can put it that way. But you, as their broker, you need to be armed with that information so you can make the sale, you can make the pitch on their behalf.
Colin Rooke:
Exactly. Earlier in the show we talked about the guide, the cyber insurance guide for any board really. And again, if we’re putting in an application and we say, oh, by the way, we have this guide that we filled out and we’ve got all the answers, we can support that with the submission, versus you know what? Treat this board like everyone else because on paper they look like everyone else. It’s those putting in the effort, putting in the work, the true top performers that are going to be on the winning end of the pricing.
Paul Martin:
Well, Colin is always great insight on how to improve my business and how to improve the coverage and the prices that I pay for insurance. So thanks again for that. You’ve been listening to Colin Rooke, the commercial risk reduction specialist with Butler Byers. This is Risky Business. I’m Paul Martin. Thanks for joining us. Talk to you next time.