Troy Woodland

Date: June 3, 2025
Location: RBC Insurance, 155 Wellington W, 11^th Floor, Toronto ON, M5V 3K7

CAFII held its second in-person reception event of the year on June 3, 2025, hosted by RBC Insurance at their downtown Toronto office. After drinks and hors d’oeuvres were served, Julie Gaudry, Vice President of Insurance Product Development and member of CAFII’s Board of Directors, welcomed all attendees and introduced the evening’s esteemed keynote speaker, Goldy Hyder, President and CEO of the Business Council of Canada.

Goldy Hyder began his speech by thanking the President of the U.S., Donald Trump, for uniting Canada across provinces and languages. Mr. Trump has profoundly shaken Canadians to their core and, in turn, has created the opportunity for unity across our otherwise divided nation. Mr. Hyder then spoke about Canada’s historical complacency with its singular economy; our biggest trade partner has always been the U.S. Now, with our economy under threat, Canada is expanding.

The world is changing; Canada needs to change with it. The U.S. is undergoing monumental change, as they are allowed to do. Mr. Hyder explained that America has long been working towards this sort of political and economic upheaval. Looking back to the year 2000, the U.S. has been moving towards a focus on the domestic economy for decades. Now, with Trump asking the average American whether they are better off now than before, sociopolitical sentiment has leaned more and more towards an isolationist one.

Mr. Hyder explained that he spends much of his time trying to understand the average American’s psyche. While the US is divided, the election was not close; Trump won handily. What can this tell us about Americans? The millions who voted for him cannot all be racist, sexist, bigoted people. Trump spoke to something that resonated with the working class, the average American. Mr. Hyder said that many folks feel that we should prepare for another 12 years of MAGA. As Canadians, where does this leave us? What does this mean for Canada? In short, we must control the controllables. Canada needs to adjust and pivot. We cannot continuously blame the Americans for our dependency on them. Now we must adapt and look elsewhere for economic growth.

Where does the growth come from? Canada is surrounded by oceans and bordered by the U.S. This means that, geographically, we are pretty safe. Historically, Canada has landlocked itself to sell its abundant goods to the US; with the trade wars imposed by the current president, this is changing. Canada is diversifying. The question then is, how can we get out of our own way? The answer, Mr. Hyder explained, is regulations. Canada does not need more, but less. Regulations have limited our trade, thereby hurting us. Change is inevitable, but geography will remain. We will always trade with the US; now, we must simply do more elsewhere.

Besides international trade, Canada has significant interprovincial trade barriers. Mr. Hyder explained that the social programs Canadians love, which make Canada the nation it is, could be better supported if we could engage in interprovincial trade more easily. We must build infrastructure, like railways, to allow for this cross-country engagement. To do so, provincial governments must act swiftly and thoughtfully to create the infrastructure that will allow for this sort of trade.

Mr. Hyder concluded his speech by stating that the White House is blasting noise at Canada; we must ignore it or respond appropriately. We cannot hyper-focus or fixate on it because then we will be derailed by it.

J. Gaudry then opened the floor to questions from the audience.

An audience member asked what Canadians can do in the meantime while we work on building the necessary infrastructure. Mr. Hyder responded that we must begin work to remove those interprovincial trade barriers that are hindering and halting trade altogether. Infrastructure will take some time, but our internal, cross-country trade is something we can address now. He added that the previous Liberal government lost the widespread consensus on immigration because it stopped being seen as a driver of growth. Canada’s GDP per capita has been stagnant for a decade, and Canadians feel that. Much of our growth is being stimulated by population increases, but this alone is insufficient; we need to enable internal growth.

Another audience member asked Mr. Hyder, from a market perspective, what his thoughts are on the best ways to effect change with the regulators. He replied that it involves building consensus and partnerships. We need to develop unexpected allies. Mr. Hyder stated that the collective Canadian consciousness is intelligent; he has faith in the unity of our country. He urged people to leave politics and ego at the door and find common ground. This is about unity. This is about economic growth and stability to support social causes and programs.

The final question from the audience inquired about the current federal government, which is a minority. What happens if certain provinces don’t want to “play nice”? Doesn’t this hinder growth? Mr. Hyder commented that, under the previous government, the debt and deficit spiralled out of control. The new government, led by Prime Minister Mark Carney, is clearly focused on Canada’s economy, what with Carney being an economist and a globalist. Furthermore, he is known and respected on a global level. As useful as this may be, business requires output; confidence derives from this. Therefore, while Carney may have immense good intentions, there is a reality to address.

Mr. Hyder’s final call to action urged all attendees to promote Canada to Canadians. We must start looking inwards to find stability.

BOXX Insurance’s Website: www.boxxinsurance.com

On May 6, 2025, CAFII hosted a webinar titled A Conversation on Cyber-Security Challenges in the Insurance Industry— The Risks and How to Mitigate Them. CAFII’s Research Analyst, Robyn Jennings, moderated the webinar and was joined by leading cybersecurity expert, Neal Jardine, BOXX Insurance’s Chief Cyber Intelligence and Claims Officer. The crux of the conversation focused on the prevalence of cyber threats and explored ways in which financial institutions (FIS) can safeguard against security breaches and cybercrime.

Many representatives from CAFII’s 14 member companies and 12 Associates attended the webinar, as did representatives from allied industry associations such as the Canadian Life and Health Insurance Association, or CLHIA, and the Travel and Health Insurance Association, or THIA. Many insurance and financial services regulators and policy-making authorities attended as well, including the following government organizations:

• The Insurance Council of British Columbia;
• The Government of British Columbia;
• The Government of Alberta;
• Québec’s Autorité des marchés financiers, or the AMF;
• The Financial Services Regulatory Authority of Ontario, or FSRA;
• The Financial Consumer Agency of Canada, or FCAC; and,
• The Federal Department of Finance.

R. Jennings began the webinar by expressing gratitude to Neal Jardine and inquiring about what attracted him to cybersecurity. He elaborated that he has long had an interest in this subject; however, when he entered the insurance sector in 2005, it wasn’t yet a matter of interest. This changed in 2014, when cyber claims began to surface, many of which were initially managed by lawyers. Jardine was curious about how hackers were gaining access to various mainframes, what they were doing, and whether new attack vectors were emerging. This marked the beginning of his gradual shift towards cybersecurity and the facilitation of recovery for attacked companies. 

N. Jardine explained what traditional cybersecurity is and how BOXX Insurance differs from other companies in this space. In the 1980s, the traditional cyber market focused on application-based cyber insurance, posing a series of questions to companies to evaluate the controls they had in place. This was a point-in-time verification process; however, the problem with this approach is that attack vectors in the cyber market are continuously changing. The threats are evolving, and the safeguards a company had in place a month ago may become ineffective in the future. He compared traditional cyber insurance to multifactor authentication (MFA). Five years ago, the industry believed MFA would protect against everything. While MFA is still beneficial, it is not as powerful as originally thought, as hackers have discovered ways to circumvent it.

Traditional insurance was initially based on a question-and-answer format, followed by underwriting. Now, underwriting has evolved into a more dynamic approach that utilizes both technology and traditional models. Clients still work through a broker to understand and apply for cyber insurance. Arguably, the most valuable aspect of the application is the client’s domain, as it enables insurers to adopt a more modern style of insurance where they scan the client from an external port. Port scanning is a security assessment that evaluates leak sites, data breaches, internet keyword sweeps, and more. Thus, where traditional insurance is a point-in-time question-and-answer system, BOXX Insurance has moved towards an underwriting model that conducts scans and checks throughout the entirety of a client’s policy, not just at the time of purchase. This is about proactive rather than reactive models.

Insurance should not merely function as a loss transfer; it must serve a preventative role. Many cyber policies now equip clients with tools to manage potential future attacks. BOXX Insurance is progressing towards an interconnected ecosystem, positioning itself as a component of its clients’ cyber prevention services. This approach is particularly beneficial for small to medium-sized businesses (SMEs), of which there are many in Canada. N. Jardine pointed out that, in the future, most cyber buyers will be SMEs lacking access to those services independently.

R. Jennings asked whether larger financial institutions (FIs) or small and medium-sized enterprises (SMEs) are more at risk of a cyber attack, or if the risk is equal. N. Jardine explained that larger FIs were once considered the primary targets for cyber attacks, but this is no longer the case; these organizations already have robust cybersecurity controls in place. Recently, BOXX Insurance has observed larger organizations seeking to strengthen their supply chains, including the SMEs they work with, because this area is vulnerable. Breaches at the supply chain level can impact the FIs’ reputation and affect its business, as they depend on those smaller at-risk organizations. Furthermore, there are fewer large businesses in Canada than small ones. Consequently, hackers have more options and opportunities with SMEs.

Applying this to CAFII, N. Jardine explained that the Association’s members would likely be interested in contingent business interruption exposure. CAFII members are exposed because of their suppliers, not because of their network failings. Large FIs are interested in monitoring and identifying leaks in their entire supply chain to determine if they want to continue working with that business or diversify.

R. Jennings asked N. Jardine to provide a real-life example of a cyber attack and discuss how organizations should or should not respond. He noted that several types of cyber attacks exist, but financial crime and fraud is the most common. This type is the most lucrative without requiring significant sophistication. One such example is email fraud; hackers will identify that one company is working with another, either through social media posts or online advertisements. They will then craft an email chain that appears to come from the president of one of the companies to the other company, detailing a conversation that confirms payment for a service or technology voice. This email chain will be forwarded to the accounts payable group, with the fake presidential email CC’d, requesting payment. If the accounts payable staff decide to check with their president, they often use the CC’d email, which will be almost identical to the president’s real email. In short, those employees are speaking to the threat actor posing as the president. Years ago, hackers broke into emails looking for real invoices; now, with MFA, hackers are taking a step back and crafting emails and invoices designed to look legitimate.

What should FIs do then? BOXX Insurance recommends that clients send yearly notices to their clients confirming that their banking information has not changed. The client must call the FI at a designated, pre-specified number to provide this updated information if financial information has changed.

Previously, ransomware groups would infiltrate an organization’s backend or data system, encrypt everything, and steal the data. The problem with this method is that stealing data requires significant time and effort; one must have the appropriate system to conduct an operation of that scale. As this cyber attack progressed, many companies recognized what was occurring and began utilizing redundant backups outside their backends to store data. This prompted ransomware groups to transition from ransomware as a service to ransomware as data exfiltration. Now, ransomware groups deploy small programs that can be embedded into software components, such as email, that infiltrate a company’s system and siphon off its data. The hackers then extort the company for that data by threatening to release it online, often on the dark web. 

Decades ago, hackers often operated as individuals. Today, hackers, or cybercriminals, are more likely to be part of organized groups. Although individual hackers still exist, the majority of these criminals function like businesses. They often have a president, various divisions, and a coding team. According to information gathered by the FBI in the U.S., some of these organizations even have HR departments and employee retention bonuses. R. Jennings inquired whether these criminals operate as established organizations and if that makes them easier to locate. N. Jardine clarified that it makes them both easier and harder to find. Many of these criminal organizations maintain a presence on the dark web, including sites that list who they’ve hacked and where the information is for sale. This information is readily available, but locating the physical group is challenging. They often mask their IP addresses or target regions of the world different from their actual location. Some countries have less stringent laws concerning cyber crimes; in fact, some of these groups are state-sanctioned because governments see it as a means to generate revenue as well. The issue is that when an individual from one of these groups is taken down, the remaining members disperse and form their own organizations, thereby increasing the number of active criminal organizations.

Some of these organizations describe themselves as gangs. They believe that if you pay an invoice or change your banking details because you were targeted, you have made a mistake and are therefore at fault.  Decades ago, the world was told that email was the safer form of communication; now, we need to do the opposite: that email is no longer a secure form of communication.

R. Jennings asked, what is the balance between government regulations on cybersecurity and organizations’ own protective frameworks? Is one more important than the other? N. Jardine responded that both are essential to addressing this issue. Financial institutions have a role internally, as does the government. People have asked him whether he believes the government should legislate cyber insurance for companies by making it a requirement. He does not think this would be an effective way to protect organizations. Instead, he recommends that the government outline requirements that companies must follow so those companies can decide how to manage risk. R. Jennings asked a follow-up question regarding the international aspect of cybercrime in relation to governmental versus organizational protection frameworks. N. Jardine commented that while cybercrime is borderless, some countries or regions within a country are more frequently targeted than others; the U.S. is the most attacked country in the world for cybercrimes. Cybercriminals aren’t necessarily choosing one location over another unless it benefits them to do so. Regarding global cybercrime regulation, the General Data Protection Regulation (GDPR) in the E.U. was excellent and prompted some others to develop better controls. The U.S. has strong reporting requirements, which elevate the issue to the Board level. Canada is also performing well with its privacy bills. He noted that, around the world, BOXX Insurance has observed better controls being implemented. Companies are becoming increasingly cautious about information gathering and handling, including proper employee training. N. Jardine expressed that he is pleased companies are being criticized less for simply experiencing a breach and more for what was stolen and how. He gave the examples of Google, Amazon, and Microsoft, all massive companies that experience data breaches and security failures. Should they be punished for being attacked or for having inadequate controls to protect against such an event, and were those controls reasonable at the time of the attack?

N. Jardine commented that every company will experience a cyberattack at some point. R. Jennings asked him to elaborate on how concerned insurers and FIs should be on a daily basis. N. Jardine reiterated that it is not a question of if but when. He then explained that the fast-growing sector of cybercrime includes cloud outages due to issues with third-party software providers. This echoes earlier comments about the supply chain. An event like this isn’t necessarily malicious, though it can be. For example, CrowdStrike experienced an outage that was not malicious but resulted from a code error that managed to bypass their controls. The silver lining is that as more individuals purchase cyber insurance, we achieve a better spread of risk; with improved risk distribution, we can collect more data, and the more data we have, the better premiums we can develop.

Where are insurance companies most vulnerable? R. Jennings listed issues such as legacy systems and the hesitancy to adopt emerging tech. N. Jardine replied that these are inherent hindrances because we will always have to deal with the aforementioned problems. AI has enabled more creative cyber attacks, but there are no restrictions within cyber policies. The industry is already starting to see losses stemming from AI; it understands that and is okay with it. Vulnerabilities have emerged in areas such as accountability and privacy. Air Canada, for instance, created a chatbot that provided a passenger with incorrect information regarding a refund. The passenger sued. Air Canada argued in court that they were not responsible for this misinformation, but the courts disagreed, ruling it was blameworthy since it was Air Canada’s chatbot. N. Jardine cautioned that risks may arise from completely rejecting AI and emerging techs, as employees are likely to use them secretly without proper protections.

R. Jennings commented that a lot of cybercrime seems to succeed by taking advantage of human error. How can organizations protect against this, given that there will always be a human component to work? Companies need to build a supportive and transparent culture. Upper management must let their employees know they can question and second-guess decisions, so that when an attack happens, an employee feels comfortable contacting their manager to confirm, for example, payment details. Companies should avoid blaming their employees, the victims of an attack, since these cybercrimes are so sophisticated. R. Jennings commented that it is ironic that human interaction is crucial to circumventing cyberattacks amidst all these emerging technologies and security protections. N. Jardine agreed.

N. Jardine spoke about businesses that are not typically considered at-risk for cyberattacks. Some cybercrimes are not about data extraction but halting a company’s ability to operate. Cybercriminals can use this kind of leverage to extort money from non-FIs, like hydro companies or hospitals. Speaking of hospitals, N. Jardine commented that many threat actors avoid hospitals because it can damage their reputations. Reputation matters for these criminal organizations to operate.

While there isn’t one sector within the insurance industry, sectors and organizations with large amounts of data tend to be attacked more often.

R. Jennings concluded the webinar by asking N. Jardine if he is optimistic or pessimistic about the future of cybercrime. He replied that he is optimistic. More and more people are talking about cybercrime and cyber insurance. Education matters. The worst thing that happens when a cyberattack occurs is that no one talks about it. We need to continue spreading awareness of this issue without any shame or stigma attached.

R. Jennings thanked N. Jardine for his time and the insightful conversation and invited K. Martin to conclude the webinar.