Canadian Underwriter

Category: Tech

  • Behind Intact’s legacy system modernization

    Behind Intact’s legacy system modernization

    Digitization and system integration

    When it comes to legacy system modernization, Canada’s largest insurer prefers a rebuild approach rather than a complete replacement, a company executive tells Tuesday’s KPMG’s 2025 Insurance Conference in Toronto.

    “I’m convinced the ‘rip and replace’ doesn’t work unless you have a real strong need for it, and it’s going to be based on risk, reward and the realities that you’re facing in your organization,” says Ralph Virdo, vice president of architecture & transformation at Intact. “So, I’m convinced the incremental rebuild approach is the way to go.”

    Panellists from Intact, KPMG in Canada and the Workplace Safety and Insurance Board (WSIB) were discussing various approaches to legacy modernization: rip and replace, reimagine and rebuild.

    Virdo outlined Intact’s legacy modernization journey, dating back more than 20 years when the insurer was still ING Canada. The insurer had three “rip and replace moments in our history where we started to build new platforms off to the side,” Virdo tells conference attendees. But the platforms — which included two in-house and one outsourced project — never saw the light of day.

    “Looking back, what you find is that the business doesn’t stop,” he says. “And so, you can’t pause for three years while you’re building something new.

    “At the same time, you can’t be off on the side building something while the business continues,” Virdo adds. “Because when you emerge, the business has changed, the economy has changed, the markets change. The technology has changed, so you’ll be constantly chasing some moving targets.”

    Responding to an audience question about how the technology failures were received, Virdo says there was trust in what they were trying to build, “only to find, again, that we’re trying to hit a moving target…After a couple of years with no value being delivered to the business and many, many millions in spend, that’s when the plug was pulled.”

    Over the past approximately dozen years, Intact started looking at its tech mainframe — monolith, packaged software that would run all insurance transactions. The carrier went “capability by capability,” choosing which piece to upgrade first, driven by business imperatives.

    “What it did was it really stretch out our ability to remove all those core capabilities out of the mainframe, applying a switch off, but you’re getting that incremental value as you go and you’re standing up these new products…,” Virdo says. “Our current timeline is up to 2031…so you can see the length of our journey.”

    Building the next legacy system

    At the same time, it’s important to recognize the speed of technology.

    “What you have to realize is that everything you’re building new is the next legacy,” Virdo says. “What we didn’t do well, again looking back, is as we were building these new systems or acquiring configuring systems and integrating them, we weren’t necessarily making continuous improvement and continuous modernization part of that product’s development lifecycle.

    “If you don’t do that, you’re just creating the next modernization crisis…We have to start treating everything that we build as a product with a product lifecycle…”

    Otherwise, a large portion of the investment could go into keeping the technology current and paying down ‘tech debt,’ Virdo says. “I know it’s hard to hear that, but it’s the reality you’re hedging against — being in this situation again five years from now.”

    Virdo recommends setting up a central data governance office, so there’s one enterprise data platform for all data. There should also be a data cataloging tool, along with clear roles and responsibilities.

    “[Be] very clear about who owns the data, who is accountable for ensuring that we have enough metadata about that data, [and] who are the custodians of the data,” he says. “Look at just streaming everything to a central data platform and make sure that it’s well catalogued so you can understand what data is in there…”

  • How digital direct fits into Definity’s Top 3 priorities

    How digital direct fits into Definity’s Top 3 priorities

    Buying insurance online

    Will digital direct offering Sonnet Insurance become a billion-dollar business? It’s a hopeful possibility, Definity Financial Corporation president and CEO Rowan Saunders tells The Desjardins Inaugural Toronto Conference on Tuesday.

    While Job 1 for Definity (Sonnet’s parent company) remains delivering on existing commitments, the operational integration of Travelers’ Canadian business and seeing Sonnet digital shift to profitability and full functionality are the other top priorities for the coming quarters.

    Saunders says significant executive time is being spent on revenue growth, organic growth of the business and maintaining the firm’s sub-95% combined ratio — which stood at 94.5% for the full-year 2024.

    “That’s the real…earnings driver of the business,” he adds. “So, most of the operation is really focused on that.”

    Further, Saunders calls Definity’s acquisition of Travelers’ Canadian business “a transformational deal,” that’s expected to finalize as planned during first quarter of 2026.

    “The teams are very, very busy on integration planning…getting ready for Day 1, and then of course the full integration as we take possession of that company,” he says. “It gets us to being a Top 5 player and really will bring a lot of capabilities to us.”

    Priority 3 for Definity is Sonnet.

    “We spent a lot of time and effort in the last few years working and trying to get that model to work the way we like it, and we feel the best we’ve ever felt about that business,” Saunders tells attendees.

    He says efforts have focused on making Sonnet profitable and crafting a business model that works as a fully digital insurer. “We think we’re there for now,” he says.

    Related: What’s next for Definity following Travelers Canada acquisition

    Sonnet’s important to the larger business going forward, says Saunders, and notes a little over 50% of the personal insurance marketplace is direct to consumer.

    “So it’s disintermediating,” he says.

    “I think what we see in that market…is an acceleration of pure digital versus traditional direct. People used to be comfortable going to an agent in the local mall. They used to be comfortable going to a contact centre — that’s traditionally how most of the direct insurers in Canada operate.”

    What’s different about Sonnet is that it’s fully digital direct. “We have no underwriters in that business, and that is starting to…get more traction with consumers,” says Saunders.

    “The other thing we found there is that we’ve been able to build a…slightly disruptive model to target groups and affinities and [in] our view of personal insurance that’s really one of the most attractive components of the personal lines business.”

    Sonnet has now seen four consecutive quarters “printing an underwriting profit,” which, while small, is still a profit and has a “sub-100 combined ratio,” says Saunders.

    “I think Sonnet’s our next billion-dollar business,” in premium, he adds.

  • Blending AI and the human touch: What insurance customers want

    Blending AI and the human touch: What insurance customers want

    Robot and human hands touching

    Global insurance customers want both the efficiency of generative artificial intelligence (Gen AI) and human empathy, finds a new report from the Geneva Association, a global association of insurance companies.

    The report, Gen AI in the Insurance Customer Journey, found a strong adoption of Gen AI among insurance customers but also concerns over the loss of human touch.

    “Nearly 40% rank loss of human touch as the top concern with insurer-provided Gen AI tools,” the Geneva Association says in a press release Thursday.

    Gen AI in the Insurance Customer Journey uses a survey of 6,000 insurance customers across the six largest insurance markets — the U.K., U.S., China, France, Germany and Japan. It reveals strong adoption of Gen AI among insurance customers — both insurer-provided and general-purpose tools.

    Demand for Gen AI is strongest for product and quote comparisons. Almost 70% of customers have used off-the-shelf AI tools independently when buying insurance.

    “As customers become more comfortable and engaged with Gen AI tools, insurers have an opportunity to reimagine service delivery, strengthen transparency, and create more personalized, value-driven relationships,” says Ruo (Alex) Jia, director of digital technologies at the Geneva Association and lead author of the report. “Strong data infrastructure and hybrid models that keep humans ‘in the loop’ for certain interactions will improve the customer experience and enable the agility needed to thrive in today’s AI-powered world.”

    The report says while Gen AI can automate some tasks within underwriting, claims processing and fraud detection, “human participation remains critical for complex cases and scenarios.

    Hybrid AI-human models

    “Insurers are addressing the ‘lack of human touch’ by adopting hybrid-AI human models that combine automation with human interventions — especially in emotionally sensitive contexts like claims handling, where over-reliance on Gen AI can heighten customer dissatisfaction.”

    For example, one insurer uses OpenAI’s ChatGPT models to draft nearly all its 50,000 daily claims emails, removing jargon and adding compassionate phrasing, before human agents review and personalize the messages.

    Another widely used approach is the chatbot model with an option to speak to a live human agent, “enabling Gen AI to manage routine communications while reserving human involvement for nuanced, high-emotion interactions. Insurers should formalize a hybrid support model where AI handles routine queries and human agents manage sensitive issues,” the report says.

    But while insurance customers welcome Gen AI’s convenience and possibilities for personalization, they remain concerned about data privacy, accuracy, and maintaining access to human support. More than 40% of survey respondents worry about data privacy and misinformation when using Gen AI tools on their own for insurance decisions.

    Many customers remain hesitant about AI-generated responses due to privacy and security concerns. They also worry about potential for biases.

    “This hesitancy reflects broader societal concerns about the accuracy and transparency of algorithmic decision-making and the ‘black box’ nature of advanced AI systems,” the report says. “A particularly critical issue is the risk of Gen AI ‘hallucinations,’ instances where AI generates plausible-sounding but factually incorrect information.

    “In the context of claims processing, this could result in AI erroneously denying a valid claim due to fabricated policy exclusions or misinterpreted contractual terms, leading to financial harm and loss of customer trust.”

    The report says human oversight is critical, especially for high-stakes decisions, to prevent over-reliance on automated systems and maintain customer trust.

  • Cloudflare outage impacts thousands, disrupts transit systems, ChatGPT, X and more

    Cloudflare outage impacts thousands, disrupts transit systems, ChatGPT, X and more

    Cloudflare's logo on the floor of the New York Stock Exchange.

    A widely used Internet infrastructure company said that it has resolved an issue that led to outages impacting users of everything from ChatGPT and the online game, “League of Legends,” to the New Jersey Transit system early Tuesday.

    At 12:44 p.m. EST, Cloudflare said its engineers no longer saw some of the issues plaguing its customers, but that they were continuing to monitor for any further problems.

    Others platforms that experienced outages Tuesday included the social media site X, Shopify, Dropbox, Coinbase, and the Moody’s credit ratings service. Moody’s website displayed an Error Code 500 and instructed individuals to visit Cloudflare’s website for more information.

    New Jersey Transit said parts of its digital services including njtransit.com, may be temporarily unavailable or slow to load. And New York City Emergency Management said there are reports city services being impacted by the outage. The city is continuing to monitor for disruptions.

    In France, national railway company SNCF’s website has been affected. The company warned customers that “some information and schedules may not be available or up to date. Our teams are working to restore these services as quickly as possible.”

    Cloudflare, based in San Francisco, works behind the scenes to make the internet faster and safer, but when problems flare up “it results in massive digital gridlock” for internet users, cybersecurity expert Mike Chapple said.

    While most people think there’s a direct line between their digital device and a website, what actually happens is that companies like Cloudflare sits in the middle of those connections, he said.

    Cloudflare is a “content delivery network” that takes content from 20% of the world’s websites and mirrors them on thousands of servers worldwide, said Chapple, an information technology professor at the University of Notre Dame’s Mendoza College of Business.

    “When you access a website protected by Cloudflare, your computer doesn’t connect directly to that site,” Chapple said. “Instead, it connects to the nearest Cloudflare server, which might be very close to your home. That protects the website from a flood of traffic, and it provides you with a faster response. It’s a win-win for everyone, until it fails, and 20% of the internet goes down at the same time.”

    Last month Microsoft had to deploy a fix to address an outage of their Azure cloud portal that left users unable to access Office 365, Minecraft and other services. The tech company wrote on its Azure status page that a configuration change to its Azure infrastructure caused the outage.

    And Amazon experienced a massive outage of its cloud computing service in October. The company resolved the issue, but the outage took down a broad range of online services, including social media, gaming, food delivery, streaming and financial platforms.

    ___

    Associated Press writers Kelvin Chan in London and Sylvie Corbet in Paris contributed to this report.

  • Opinion: Insurers should reward renewable energy firms’ resiliency efforts

    Opinion: Insurers should reward renewable energy firms’ resiliency efforts

    Maintenance team atop a wind turbine platform

    Climate change is prompting a reevaluation of how renewable energy infrastructure is protected. And insurers have a key role to play in making the industries they serve more resilient to increasingly volatile weather and natural disasters.

    Rising premiums and decreased capacity are prompting asset owners to adopt resilience measures to ensure long-term viability. But beyond imposing coverage restrictions, specialty insurers are evolving into strategic risk management partners.

    Insurers should not just require resiliency measures. They should reward them. When company owners make documented investments to protect physical assets and enhance operational protocols, insurers can confidently offer substantially reduced premiums.

    Insuring renewable energy

    Renewable energy illustrates the benefits of incentivizing resilience. As public demand for energy increases, renewables have become increasingly crucial to the energy infrastructure. Yet, these assets are especially vulnerable to worsening natural disasters.

    Record losses have caused some carriers to retreat from this market, tightening capacity needed to help investors, developers, and communities manage the growing risks posed by these hazards, especially in the renewable energy sector.

    As it expands, renewable energy is becoming a unique asset class. Solar, wind and battery assets are typically built where large amounts of land are available, often in regions predisposed to hail, hurricanes and high winds.

    This demands specialized data and underwriting skills. Solar and wind projects feature multiple moving parts that, unlike coal and natural gas plants, are constantly exposed to the elements. Therefore, knowledge gained from other energy sectors can’t be directly applied. Plus, amid evolving geographic risks, historical data is insufficient. Rapidly changing technology and the lack of consistent global data collection add to the complexity and hinder the ability to accurately assess risk.

    Related: Brokers brace for surge in Canadian renewable investments

    Multiple high-profile hail losses have hit solar asset owners and developers especially hard. Our 2025 Solar Risk Assessment shows 73% of solar insurance losses by dollar value come from hail damage alone. These losses have reverberated throughout the renewable energy industry’s supply chain, negatively impacting coverage availability and terms for all asset owners and developers, not just those who have suffered losses.

    The International Energy Agency predicts solar generation is set to quadruple by 2030. Further, the agency expects solar energy to become the world’s largest source of electricity by 2033, with wind energy growth trailing closely behind. Battery energy storage systems are expected to keep pace to ensure grid stability.

    For those assets to be insurable, they must be resilient to worsening perils. Insurers should step in to incentivize resilience.

    Rewarding resilience

    Insurance carriers and brokers are helping move the renewable energy sector toward protective resilience by conducting their own research, collecting data, and giving actionable feedback to the sector regarding design, construction and maintenance of the best, most-resilient renewable energy assets.

    For example, when it comes to protecting against hailstorm damage, insurers should require solar asset owners and developers to implement, test and document mitigation measures. These might include:

    • investing in thicker, tempered glass modules that are less prone to cracking
    • double-checking weather alerts
    • implementing automated hail stow, which places panels in a high-degree tilt to lessen hail and wind damage.

    Implementing resilience measures and protocols early and frequently can mean the difference between little to no damage from a storm and a total loss event.

    Equally important is taking proactive mitigation steps to protect battery storage assets. Thermal runaway events and flooding pose serious risks that are often preventable. Rapid evolution of battery technology requires owners and insurers alike to understand and implement necessary resilience measures, such as spacing battery assets farther apart and taking precautionary measures to detect and prevent flooding.

    Protected assets have a different risk profile; therefore, they should command favourable terms such as lower premiums. Rewarding such resiliency measures means insurers should take documented mitigation practices into account when analyzing renewable asset owners’ loss risks.

    Akin to a ‘safe-driver discount,’ rewarding mitigation efforts incentivizes favourable behaviors by encouraging renewable energy owners to prioritize safety. This contributes to a more stable — and insurable — renewable energy sector.

    Case study

    For example, one North American utility-scale solar developer recently implemented comprehensive hardening measures for their 140-megawatt, $100-million project in a high-risk hail zone.

    The developer invested in 3.2mm tempered glass panels, verified 53-degree hail stow protocols, and maintained detailed documentation of their proactive stowing for more than 90% of past hail events.

    By providing evidence of resilience measures, including photographic proof and operational logs, the developer secured a 72% reduction in their natural catastrophe insurance rate.

    Related: Insuring renewable resources in Canada: Global lessons

    Accurate underwriting relies on physics models that account for real-time forecasts, long-term climate projections and detailed loss data.

    It also relies on close collaboration between insurers, and renewable energy asset owners and developers to share best practices and documented resilience strategies. Information-sharing is an important part of helping underwriters better understand a project’s risk profile.

    Jason Kaminsky is CEO of kWh Analytics. This article is excerpted from one that appeared in the October-November 2025 print edition of Canadian Underwriter.

  • AI, NatCats, talent and geopolitics: What will 2026 bring?

    AI, NatCats, talent and geopolitics: What will 2026 bring?

    Robot's hand scooping up water

    Artificial intelligence (AI) may not necessarily eliminate jobs in the Canadian P&C insurance industry, but it could result in attrition, says Klaus Navarrete, managing director and chief agent with HDI Global SE Canada.

    “What I envision in years to come is that our hiring pace may gradually slow compared to the past, and will focus on other skills,” he says in an interview with Canadian Underwriter. “So, the hiring might…be reduced, not by eliminating people, but just by not replacing them moving forward.”

    Navarrete spoke with CU about his insurance predictions for the commercial property and casualty insurance space in 2026. Some of his insights for next year revolve around AI, NatCats, talent management and the geopolitical environment.

    Artificial intelligence

    Insurance and other industries are already using AI in a variety of initiatives, including training and awareness campaigns.

    “We do believe that AI will likely become a game-changer for the industry,” Navarrete says. “So, it’s absolutely essential for us that we embrace this new emerging technology and, of course, then integrate it into our operations.”

    For insurance companies, AI is being used for efficiency and effectiveness. For example, on the underwriting side, it’s being used to gather and analyze information for risk profiles.

    Navarrete believes AI may not necessarily eliminate jobs in the industry, but may result in attrition.

    NatCat exposures

    Despite overall terms softening, reinsurers will remain disciplined into 2026 when it comes to NatCat risk, given increasingly frequent and severe NatCat losses in recent years, Navarrete says.

    “We need to be prepared to expect there to be a higher increase in NatCat losses,” he says. “In Canada, we need to make sure that the models that we’re using really build that into our predictions for next year and we’re prepared for it.”

    Talent management

    Talent management will remain a challenge for the industry next year.

    “There’s just a very large number of seasoned experts retiring,” Navarrete says. “We are often in a position where we have to hire younger, inexperienced people and develop them.

    “We need to be sure that we find suitable people in our industry that we can fast-track. We want to equip them with the skills to basically step into the roles of those people who have left the industry.”

    Along with that comes knowledge transfer. “We’ve tried in past years to document as much knowledge as possible so that it can be easily transferred to the younger generation,” he says.

    Geopolitical environment

    The current geopolitical environment, including tariffs and global trade disputes, means more foreign insurance companies are looking to set up base in Canada, Navarrete says.

    “What we’ve noticed is…there’s more interest [for] foreign insurance companies to establish themselves in a safe geopolitical environment,” he says. “I don’t foresee it’s going to change quickly.

    “We actually see there’s an increased interest of foreign insurance companies setting up operations in Canada because of that [geopolitical environment], especially from Southeast Asia…” Navarrete says. “I wouldn’t be surprised if we see new insurance carriers applying for licences.”

  • Behind Applied’s recent acquisition of Cytora

    Behind Applied’s recent acquisition of Cytora

    Using a laptop to access an AI-powered business analytics dashboard

    Digitizing the entire policy lifecycle is the driving force behind Applied Systems’ recent acquisition of Cytora, says Applied Systems Canada’s senior vice president and general manager Steve Whitelaw.

    The strategic acquisition of Cytora was announced Sept. 9. Cytora is a configurable, generative AI-powered platform that enables carriers, MGAs, and brokers to digitize their intake and streamline the full policy lifecycle — from submission to claims servicing, mid-term adjustments, endorsements, and renewals, Applied says in a press release.

    “We’re trying to digitize the full lifecycle from submissions to quotes, to servicing, [and] to back-end accounting,” Whitelaw told Canadian Underwriter during an interview at Insurance Brokers Association of Ontario’s (IBAO) annual conference in Niagara Falls last month. “What we’re going to market with…is the capability to have a digital submission to go into the insurer, regardless of the class of business or complexity.

    “For a broker, that means not having to key in data. [Brokers are] supported by a single workflow to get them to the submission point, potentially, and receive a quote using the same workflow, regardless of whether an insurer will return that quote in real time, or whether it’ll return it in an hour, a day or a week,” he says. “From the broker’s perspective, it’s the same.”

    Real-time quoting is available for 12 commercial lines of business, representing the lines for which Applied is certified by the Centre for Study of Insurance Operations (CSIO). Even if an insurer decides the risk is too complex for a real-time quote, for example, nothing changes for the broker.

    Removing friction

    “Same process for the broker, which is massive…if you think about the current process, where they’re going to different portals and entering [the data] all in [manually]…,” Whitelaw says. “We know that commercial [insurance] is historically fraught with friction, manual processes, and multiple data entry into multiple sources.”

    The Cytora platform takes information from disparate data sources — both structured (e.g., CSIO forms) and unstructured sources (documents, PDFs, Excel and CSV files, emails, images, voice files, etc.) — “digitizes it, and feeds into insurers’ policy admin systems,” Whitelaw says.

    It can also scan data sources to validate information as it’s coming in. For example, a submission may indicate a business is a general retail store, but it may be a cannabis store.

    The platform allows brokers to customize. They can add new data fields or manage the platform themselves without needing to rely on Applied. “[That] differentiates from some others [in that] if you’re [using the platform on an] ongoing [basis], you’re basically signing up for an ongoing service contract…”

    The tech vendor is also building AI into its entire platform with some specific use cases, Whitelaw reports. For example, AI can be used to read or summarize an email and suggest actions. “It saves you time from having to open the email, read it, find my policy in the system,” he said.

    AI can also be used to examine why a renewal increased in price or to compare premiums from one policy to another. This could potentially indicate if a customer is at risk of shopping around for another policy.

    In addition, Applied is revamping its quoting platform to embed quoting right inside of Epic, its broker management system. “Think about your experiences outside of insurance, where everything happens now. But in insurance, it always feels like your waiting,” Whitelaw says. “We’re setting ourselves up with our insurer partners to be able to do that bind and issuance in real-time.”

    The tech vendor is also looking to free up time during the accounting process, by reconciling accounts payable and accounts receivable information in the back end of Epic through Applied Pay. This allows a broker to collect premiums any way the person or business wants to pay, with options like EFT, Apple Pay, and Google Pay.

    “It’s meeting the customers where they’re at with respect to all their other experiences with how they pay for products and services,” Whitelaw says.

  • Forget fully automated cars. How about a fully automated MGA?

    Forget fully automated cars. How about a fully automated MGA?

    AI agent with a laptop head with AI chip icon, holding smartphone. Artificial intelligence collage concept, vibrant pop art style.

    Can you imagine a completely automated Managing General Agent (MGA) using artificial intelligence to serve its insurance company and brokerages partners?

    That day is coming with the rise in agentic AI, says Sridhar Manyem, senior director at AM Best.

    Mayhem was speaking about the applications and implications of agentic AI on the insurance industry at AM Best’s Insurance Market Briefing, held in Toronto last Thursday.

    “In terms of insurance, [people] are starting to talk about agentic AI,” Manyem said. “Agentic AI is not just one AI engine, but it is a artificial intelligence ecosystem that can perform a specific goal with limited supervision. So, for example, it can be a MGA, right?

    “An automated MGA takes submissions from various clients, analyzes that submission, looks at that submission and says, ‘Here’s the risk posed by this particular submission.’

    “And then it looks at a carrier and says, ‘You know what? This carrier has told me that this particular risk matches their risk appetite.’ And they can transfer that risk automatically to the carrier,” he said. “So, it’s like a whole system that can mimic human decision-making in order to solve problems in real time.”

    Manyem said this kind of AI ecosystem is “starting to get traction” in small commercial underwriting and emerging risks like cyber.

    Agentic AI, powered by Big Data

    “The beautiful thing about agentic AI,” he notes, is that it’s able to integrate diverse data sources such as telematics, social media activity, behavioural insights, and more, in order to make a dynamic risk assessment in real time. He cited an actuarial paper he read, which noted AI can even use data sources that underwriters may not think to use in a risk assessment.

    “In that particular actuarial paper, they were saying, ‘You know what? We can collect information like the time of collision, the kind of car, etc. But we don’t really think that a car’s power-to-weight ratio is critical in determining the severity of an accident,” Manyem said. “Because of machine learning and big data, the machine spit out variables like power-to-weight ratio as an important determinant in the severity of an accident. So now that becomes a variable in assisting underwriting and pricing.”

    Also in the news: U.S. specialty insurance firm to acquire SSRU

    The promise of agentic AI is predicated on large data sets, as Manyem noted.

    To make the most out of agentic AI, the insurance industry will need to get ready to take advantage of the explosion of big data. For that, insurers will need to focus on collecting structured data.

    As of now, insurance companies have disparate systems.

    They may have systems that carried over from a merger or acquisition. Or they may have individual operational systems for different functions.

    “They would have a system for claims, a system for underwriting, a system for policies, a system to talk to the regulators,” Maynem said. “All this data that they have collected over hundreds of years is really not ready for AI, because they are all different, they’re all in various places, and [insurers] need to make sure that [their data are] structured, they’re organized, so that they can gain proper insights.”

    Plus the data needs to be updated to reflect current trends and patterns.

    Data poisoning

    This reliance on data makes it very important for insurance companies to collect, use and protect data responsibly.

    “Maintaining the integrity of the data will be very important for the insurance industry in the future,” he said, and segued onto the topic of future cyber threats.

    “One particular aspect of cyber threats I wanted to talk about is this thing called, ‘data poisoning,’ or ‘model poisoning.’ I’m not sure why they would do this, but bad actors apparently inject bad data into your system. And therefore, when the model is getting trained on that data, it spits out wrong results or wrong inferences, etc.,” he said.

    “That’s becoming more common, so you need to make sure that the data that you’re using is protected and you don’t let any bad actors into the system.”

  • Helping Quebec non-profits below ‘cybersecurity poverty line’ strengthen networks

    Helping Quebec non-profits below ‘cybersecurity poverty line’ strengthen networks

    A cybersecurity debriefing

    MONTREAL – Facing the threat of cyberattacks and with limited budgets, non-profit organizations across Quebec are being offered free cybersecurity consulting sessions through a pilot project led by Polytechnique Montréal engineering school.

    Many non-profits are often below the “cybersecurity poverty line,” says Marc Gervais, executive director of IMC2, a cybersecurity institute involving Polytechnique and other Quebec universities that groups more than 50 professors and their research teams.

    “They typically cannot even afford training or basic audits,” he said.

    In response, the institute decided to train students on how to identify weaknesses in digital security infrastructure by having them conduct free audits, supervised by their professors, on non-profits.

    In Quebec alone, there are tens of thousands of non-profits, many of which struggle with the same security issues as larger organizations: phishing, data breaches, ransomware attacks, piracy, artificial intelligence-linked fraud, and malware — software designed to harm a computer or network. What they lack are the finances and technical expertise to counter such threats.

    In 2023, pro-Russian hackers took down some Quebec government-linked websites. The province’s electrical utility, Hydro-Québec, was also hit with a cyberattack in 2023, with hackers shutting down its website and cellphone app; however, critical systems weren’t affected. 

    Non-profits can face similar threats, Gervais said, but they don’t have the in-house expertise to deal with them. Which makes the pilot project, dubbed the “cybercitizen assistance network,” all the more important.

    The pilot is being funded thanks to a $1.3-million grant from Google in January 2024. The first to benefit was Institut du Nouveau Monde, a Montreal-based group with a mission to increase citizen participation in democratic life, said Louis-Philippe Lizotte, its operations director.

    “We are here to promote citizen participation, defend democracy,” Lizotte said. “Ensuring cybersecurity — it’s not a natural reflex.”

    A former employee informed them of the pilot and Lizotte said they jumped at it. “I mean there’s so many issues that we see in the media,” Lizotte said of cybersecurity failings. 

    “I mean big corporations are at risk, so obviously we also are.”

    Gervais says by auditing non-profits, the institute often identifies ways to strengthen what he calls basic cybersecurity hygiene, “little aspects that can really make a difference.”

    Lack of dedicated tech staff

    Non-profits often lack dedicated technology staff to carry out regular cybersecurity audits, leaving no one available to put together written procedures on how to react in the event of a cyberattack, or to track incidents.

    At the Nouveau Monde non-profit, Lizotte is the de facto technical support. He said he was relieved with the results of the audit, which recommended a few extra tools and better training for staff. “Now we know where we stand right now in terms of cybersecurity and I’m quite satisfied because we are not that bad. We are not that far away from having the best practices,” Lizotte said.

    Aside from better equipping non-profit staff to deal with threats, the pilot project is also helping them conform to a 2021 law that overhauled Quebec’s privacy act. The law imposes rules on all organizations, including non-profits, that handle Quebecers’ personal information.

    It requires organizations to obtain explicit consent before they can collect or disclose data, and to maintain a registry of confidentiality incidents, such as unauthorized access to personal information. Breaches are to be communicated to the province’s access to information commission upon request. Non-compliance can result in stiff fines.

    The Nouveau Monde audit was done online, a method that would permit non-profits across the province to be assisted, said Fyscillia Ream, the project manager at the cybersecurity institute. But the plan is to focus on the Montreal and Gatineau areas.

    After the audit, the institute produces a report and offers follow-up support including adapted training sessions with the ultimate goal of helping the non-profit become “autonomous regarding their cybersecurity,” Ream said.

    “But we really adapt to the needs of organizations, whether they only want an audit, or if they just want to raise awareness among their employees or users,” Ream said.

    Gervais said that while the current program is designed for Quebec, there is a need for a pan-Canadian assistance in the non-profit field.

    “I think we’ll have to collaborate (with other institutions) because this is a truly Canadian need,” Gervais said.

  • Emerging liability exposure risks for specialty insurers

    Emerging liability exposure risks for specialty insurers

    Risk meter with colour coded levels

    Specialty insurers in Canada are facing a number of emerging liability exposures ranging from well-known to new risks, Markel senior executives tell Canadian Underwriter.

    Liability exposures include technology-related risks (i.e. blockchain, nanotechnology, 3D printing, and artificial intelligence); class action lawsuits; environmental, social and governance (ESG) principles; misinformation; and ‘forever chemicals.’

    Tech risks

    Emerging tech risks are related to the implementation of — or disruption by — blockchain. Also, lawsuits are targeting toxicities associated with nanotechnology in the medical field, says Dave Crozier, president and managing director of Markel Canada.

    Even 3D printing brings risks.

    “If everyone has a 3D printer and can suddenly make anything they want, do we have product liability now coming down to a person?” Crozier asks. “Do we have people making things maybe they shouldn’t?

    “Is the printer responsible for that? Is the person responsible for that? There can be many heads of damage.”

    When it comes to AI, the question is if it’s fit for purpose, Crozier says. “And do we put it to purposes for which it is not fit? Again, does liability spring from that? Who’s responsible?”

    Class actions

    Beyond technology, older emerging risks like class action lawsuits continue to spread.

    “They’re not plentiful yet, but there are hints of more and more attempts at class actions in Canada,” Crozier says. “Something that is creeping across the border with some measure of speed is third-party litigation funding.

    “And third-party litigation funding in Canada is not even as regulated as it is in the States, so we’ve got some catching up to do there.”

    Third-party litigation funding essentially refers to a funder who’s not a party to the case. Nevertheless, the funder pays some or all of the plaintiff’s legal costs, and often indemnifies against adverse costs, in exchange for a share of any settlement or judgement. Law firm Dentons LLP found class-action litigation has “significantly increased across Canada, likely fuelled by an expansion in aggressive legal advertising that encourages Canadians to launch lawsuits,” Insurance Bureau of Canada reported in June.

    ESG

    ‘Greenwashing,’ or companies making themselves appear more enviro-friendly than they really are, is also a concern. “You’ve seen some of the response to diversity and inclusion in the States,” Crozier adds. “Does that give rise to potential? Because you’re reacting to a political situation or changing the way you approach those kind of initiatives.”

    Misinformation

    Misinformation is a relatively new liability risk.

    “Again, who’s responsible for it?” Crozier asks. “Who’s responsible for spreading it? When does it cross the border from people just saying their opinions into people trying to massage outcomes?”

    Other risks, including forever chemicals

    Other potential emerging liability risk exposures revolve around increased Cat activity; pandemic liability; per- and polyfluoroalkyl substances (forever chemicals), such as microplastics in firefighting chemicals; opioid/fentanyl issues; and even permafrost thaw that could lead to increased flooding.

    “There is a huge amount of uncertainty out there,” adds Markel International president Andrew McMellin. “We’ve got a lot of geopolitical uncertainty…you’ve got economic uncertainty.”

    This uncertainty highlights the importance and relevance of insurance, which transfers the risk and provides certainty to clients, McMellin says. “Risk has just catapulted upwards in the last few years, but that’s why you need a strong insurance market to be able to respond to that.”