By: Kesavan Senthamilselvan, Senior Specialist – Business Analysis

The COVID-19 pandemic has severely impacted how businesses across the world operate. Businesses are looking at innovative ways to revamp their operations and build sustainable models to withstand and overcome unprecedented disruptions. The insurance industry is no exception. From being slow to adopt the latest technologies, the industry has evolved into a pioneer in adopting and experimenting with new technologies over the last decade.

The advent of COVID-19 has accelerated the growth of technology and digitization further. However, history shows us that for every technological advancement, there is a directly proportional rise in cyber risks and threats such as cybercrime and fraud, compliance and data privacy, third-party risk management, and cyber resiliency.

Cyber-security concerns for the insurance industry include:

1. Losses incurred due to cyber-insurance product-related claims.
2. Insurers being vulnerable to cyber-attacks themselves.

Rise in claims settlement for cyber-attacks

Frauds, data breaches, and ransomware are some of the most common and dangerous cyber threats impacting businesses. Data breaches can go undetected for long and are realized only when the business faces a significant loss. Ransomware causes business interruption and locks the workforce out of the system. Businesses are willing to pay the attackers to release their systems and get back on their feet, as the cost of ransom is generally said to be less than the cost of having the business shut down.

Thus, the need for cyber insurance has now increased more than ever. As per Munich Re, by 2025, the global cyber insurance market is expected to be USD 20 Bn approximately. The demand will be driven by small and medium commercial businesses.

Even though the cyber insurance segment is seeing a rise in premiums, insurers still face profit pressures. A large unforeseen attack such as cloud intrusion or ransomware like WannaCry can empty the loss reserves of the insurers. The direct loss ratio for standalone cyber insurers rose sharply in 2020.

Insurers have been taking steps to mitigate losses incurred due to cyber-attacks.

1. Implementing stringent rules around the risks for which cyber coverages are offered. Insurers are fine-tuning the terms and conditions for their products with meticulous attention to detail. Customers are expected to take proper measures for cyber security, like setting up strong firewalls and encryption protocols, multi-factor authentication, scheduled plans for software updates, regular assessment of vulnerabilities and fixing them, proper handling of third-party or sensitive data, and securing financial transactions. This will enable them to shift from risk indemnification to risk prevention. Products are customized based on customer needs and the insurer’s risk appetite.
2. Regulatory norms such as GDPR or HIPAA and socio-economic changes are evolving to regulate data protection and related claims. In 2021, AXA Europe announced that it would not be settling claims related to ransomware attacks in response to the concerns raised by the judicial and cyber-security authorities of France. Similar discussions are being held in the US as the settled money is used as funds for global crimes by cyber-criminals.
3. The cyber insurance industry is volatile due to the evolving nature of risk. Actuaries and data scientists seek more data to identify patterns, possible threats, and model risks. Premiums have increased in the last few years with the updates to the pricing models based on the knowledge that insurers have gained. Insurers who have recently started offering cyber products are starting small and large insurers have started regulating their exposures. For instance,  IG has started to reduce cyber limits and is implementing tighter terms and conditions to address increasing cyber loss trends, the rising threats associated with ransomware, and the systemic nature of cyber risk.
4. Risk assessment-as-a-service: Many insurers and brokers have started to provide risk assessment or cyber awareness consulting services as an add-on to their customers. Some examples are:
   1. Zurich NA provides an assessment report to all the customers who purchase their stand-alone cyber security policy. Zurich has partnered with CYE, a cyber-solutions firm, to carry out the assessment by evaluating its systems and identifying vulnerabilities.
   2. Travelers have partnered with Symantec to provide risk assessment-as-a-service to its customers. Customers can consult with Symantec cyber security experts and have access to the training materials and services for their employees.
   3. An IG provides a risk assessment report to all its applicants, evaluating possible threats. This is available to all applicants, irrespective of whether the policy is bound or not.
   4. Aon provides security risk assessment as an offering and has an expert team to evaluate the customers’ systems and provide recommendations to strengthen them.

Insurers being potential cyber-attack targets

The number of cyber-attacks on insurers in the past two years has increased significantly. Insurers have become lucrative targets as they hold large amounts of customer or policyholder data. This gold mine of data generally includes Personally Identifiable Information (PII) such as Social Security Numbers (SSN), bank account or digital wallet details, health records, phone numbers, and addresses. Attackers use such data for identity theft, cyber fraud, and illegal financial transactions.

Increasing work from home (WFH) and remote operations have opened up pathways for attacks. A survey conducted by the Financial Services Information Sharing and Analysis Center shows that there has been a significant increase in email scanning, phishing, and malware threats against web pages through which employees access the company’s network while working from home. Banking, financial services, and insurance companies have become hotspots for hacks and attacks.

Some recent cyber-security breaches in renowned insurance firms are:

1. In March 2021, a large commercial insurance group reportedly paid USD 40 Mn to free its data and restore its systems from a ransomware attack. The attackers used authentic credentials and tools to infiltrate the system and took a copy of the data into their cloud.
2. A US-based property and casualty insurer suffered a data breach towards the end of January 2021. Attackers were stealing driver’s license numbers from the company’s database. The breach lasted for over a month until March 2021. Even though the impact of the breach was not clear, the insurer offered an identity theft protection cover for all the victims for a year.
3. In September 2020, an insurance brokerage firm was reportedly a victim of a ransomware attack. It came to light that the personal information of over 722,000 customers was compromised. However, it was not disclosed if the ransom was paid. A lawsuit was filed that the broker did not inform the customers whose data was compromised until June 2021.
4. In a data breach that happened in 2015, a large health and supplemental benefits insurer had to settle around USD 40 Mn for its customers. It was reported that the PII information of about 79 Mn people was stolen. The attackers accessed the data using the credentials of the company’s employees obtained using a common email phishing technique.

Such incidents cause business interruptions and cause financial loss, affecting the reputation of the insurers. Insurers have started implementing new measures and strengthening existing systems to identify or prevent cyber threats.

The way forward

The immediate need for insurers is to:

1. Adopt modern technologies like Blockchain, AI, analytics, Deep Learning, and a zero trust model to strengthen core systems and databases, identify cracks in security opportunities for data exploitation, and close the gaps.
2. Stay vigilant and conduct periodic risk assessments. Set up systems and protocols to scan and monitor the application ecosystem for potential threats. Establish strong firewalls and secure gateways for integrations with third-party applications or partner application systems.
3. Plan the roadmap for legacy modernization, update applications regularly to the latest versions, and ensure the security patches are up-to-date.
4. Set up an extensive data protection strategy, restricting access to data based on user roles, encrypting sensitive data, scheduling back-ups, securing infrastructure for data storage, and deleting unwanted data.
5. Train employees, agents, brokers, and partners about impending threats like phishing emails and malicious software and constantly update them regarding the latest threats in the industry. Set up dedicated teams of cyber-security professionals to oversee all security-related initiatives.
6. In the adverse event of an attack, have a response plan to recover in the shortest time possible, preventing being locked out of the systems to ensure business continuity.

How can LTIMindtree help?

LTIMindtree has extensive experience in implementing cyber-security measures with a wide range of customers. Some of our key solutions include:

1. Authorized access control using identity and access management solutions enabling role-based control and governance.
2. Protecting enterprise assets using privilege identity and access management solutions enabling the least privilege application access model.
3. Cloud security through experience in protecting applications and data hosted on the cloud and detecting and preventing cloud intrusion.
4. Preventing security vulnerabilities through integrated risk-based vulnerability management and security testing practices.
5. Compliance and monitoring dashboards, on-demand security testing, red team exercises, external attack surface management, automated remediation, and providing comprehensive threat and vulnerability management services.
6. MSOC – MSOC is one of LTIMindtree’s cyber-security platforms, with built-in AI/ML and SOAR services, that rapidly detects and responds to threats across the on-prem, hybrid cloud, or multi-cloud environment in real-time, coupled with an expert research/analyst team with proven accelerators and frameworks driving operational maturity. Transform to intelligent security operations and accelerate operations by reducing the MTTD, MTTA, and MTTR.
7. Detect and protect using next-gen modern solutions such as SASE, next-gen FWS, advanced email and web filters, CASB, WAF, BOT managers, endpoint protection, and XDR.
8. Discover, classify, label, and implement data leakage policies to secure classified data against data breaches and comply with data regulatory requirements.
9. Drive and govern the zero trust strategy implementation and maturity using LTIMindtree’s zero trust approach and accelerators.
10. Risk and compliance management solution to adhere to evolving compliance and regulatory requirements.

References:

1. https://www.munichre.com/topics-online/en/digitalisation/cyber/cyber-insurance-risks-and-trends-2021.html
2. https://www.reuters.com/business/aig-is-reducing-cyber-insurance-limits-cost-coverage-soars-2021-08-06/
3. https://www.zurichna.com/insurance/cyber
4. https://www.aig.com/business/insurance/cyber
5. https://www.travelers.com/cyber-insurance
6. https://www.aon.com/cyber-solutions/solutions/security-risk-assessment/
7. https://www.bis.org/publ/bisbull37.pdf