Cyber threats have evolved far beyond crude phishing emails and file-encrypting malware. “AI has changed the threat landscape as a whole,” said Kelly McGuinness, cyber, tech and pro-development leader at CFC Group. “The threats that we’re seeing are far more sophisticated attacks.”
Today’s digital threats are often professionalized and hard to detect. Ransomware, once the domain of skilled hackers, is now widely accessible. “You can now buy ransomware as a service,” McGuinness said. Combined with generative AI tools, even low-skill actors can simulate legitimate business language and conduct negotiations. “It’s difficult to identify different threat groups… spelling errors and things of that nature that we would have been able to use before are no longer reliable signals.”
The focus of cyberattacks is shifting from data theft to operational disruption. “There’s a shift… to more severe and catastrophic attacks,” McGuinness said. These incidents target operational technology, interrupt business continuity, and result in higher-severity claims.
That evolution has forced a corresponding change in underwriting. No longer a static pricing exercise, cyber underwriting now demands constant adaptation and fluency in information security. “There’s far more of an element of adaptability that you need to have,” she said. The digital acceleration driven by the pandemic made that clear. “We’ve experienced a worldwide pandemic forcing everyone into a virtual world… underwriters have had to adapt to the fluctuating market at speed.”
Underwriters are now expected to assess cyber hygiene – multi-factor authentication, endpoint detection and response, network segmentation – as part of standard risk evaluation. “Certainly be able to speak to the importance of controls,” McGuinness said.
The role of the underwriter is also becoming more collaborative. With cyber risk evolving rapidly, insurers are relying on both internal specialists and external partners. “As an industry, we are very collaborative… relying on internal experts,” McGuinness said. CFC’s Masterclass program, developed in response to these changes, aims to upskill generalist brokers on cyber-specific issues.
Unlike other lines of coverage, cyber insurance does not lend itself well to traditional actuarial modeling. “It’s never really followed… a traditional modelling approach,” McGuinness said. Success in this space, she added, depends on investing in people as much as in product. That philosophy informed the development of CFC’s CPR product, which eliminated six standard exclusions and introduced two world-first coverages.
Still, only about 10% of Canadian businesses hold standalone cyber policies. McGuinness sees that as a gap that needs urgent attention. “Try and push that 10% … across Canada upwards,” she said. Increasing penetration requires better communication, not just better products. “The aim is not only to grow market share but also to protect the end client.”
Cyber underwriting is increasingly merging with risk advisory. “We see the losses and the gaps when the claims occur,” McGuinness said. “But equally, we’re also in a unique position… to speak with the broker and the client about their overall cyber hygiene.”
This advisory role is especially critical for small and midsize businesses, many of which face tough decisions about resource allocation. “We’re providing a holistic product that can ultimately deter a cyber-attack from happening,” she said, “and in the event that it does, actually cover the client.”
CFC’s proactive measures include vulnerability scans, dark web monitoring, and direct alerts during the policy term. “We actually have skin in the game with the client,” McGuinness said. It’s a model that blends prevention with protection – and extends into collaboration with government and law enforcement agencies. “We do collaborate with… local authorities, government agencies and the RCMP… to help detect trends amongst bad actors.”
For McGuinness, the message is clear: cyber insurance today is about more than claims. It is an ongoing partnership, embedded in clients’ day-to-day digital defense. “Cyber insurance is more than just coverage,” she said. “It’s proactive. It is coverage and it is claims.”
