By: Kesavan Senthamilselvan, Senior Specialist – Business Analysis

Today, businesses have started to rethink and redesign their operations by implementing innovative solutions to build sustainable models that can withstand and overcome unprecedented disruptions. The insurance industry is no exception. From being slow to adopt the latest technologies, the industry has become a pioneer in adopting and experimenting with new technologies.

However, history shows us that for every technological advancement, there is a proportionate rise in cyber-risks and threats, such as cybercrime and fraud, compliance and data privacy, third-party risk management, and cyber-resiliency issues.

Cybersecurity concerns for the insurance industry include:

1. Losses incurred due to cyber-insurance product-related claims.
2. Insurers being vulnerable to cyber-attacks themselves.

Rise in claims settlement for cyber-attacks

Digital attacks such as frauds, data theft, security breaches, and ransomware are some of the most common and dangerous cyber-threats impacting businesses. Such digital attacks and data compromises can go undetected for a long period and are detected only when the business faces a significant loss. Ransomware causes business interruptions and locks the workforce out of the system. In such cases, businesses are willing to pay the attackers to release their systems and get back on their feet, as the ransom cost is generally less than the cost of having the business shut down.

Thus, the need for cybersecurity insurance has now increased more than ever. As per Munich Re, by 2025, the global cyber-risk insurance market is expected to be approximately USD 20 billion. Small and medium commercial businesses will drive the demand.

Even though the cybersecurity insurance segment is seeing a rise in premiums, insurers still face profit pressures. A large unforeseen attack such as cloud intrusion or ransomware like Wannacry can empty the insurers’ loss reserves. The direct loss ratio for stand-alone cyber insurers rose sharply in 2020.

Insurers have been taking steps to mitigate losses incurred due to cyber-attacks.

1. Insurers are implementing stringent rules around the risks for which cyber-risk insurance coverages are offered. They are fine-tuning the terms and conditions for their products with meticulous attention to detail. Customers are expected to take proper measures for cybersecurity like setting up strong firewalls and encryption protocols, multi-factor authentication, scheduled plans for software updates, regular assessment of vulnerabilities and fixing them, proper handling of third-party or sensitive data, and securing financial transactions. This will enable them to shift from risk indemnification to risk prevention. Products are customized based on customer needs and the insurer’s risk appetite.
2. Regulatory norms like the General Data Protection Regulation (GDPR) or Health Insurance Portability and Accountability Act (HIPAA) and socio-economic changes are evolving to regulate data protection and related claims. In 2021, AXA Europe announced that it would not settle claims related to ransomware attacks in response to the concerns raised by France’s judicial and cybersecurity authorities. Similar discussions are being held in the US as cyber-criminals use the settled money as funds for global crimes.
3. The cybersecurity insurance industry is volatile due to the evolving nature of risk. Actuaries and data scientists are looking for more data to identify patterns, possible threats, and model risks. Premiums have increased in the last few years with the updates to the pricing models based on the knowledge that insurers have gained. Insurers who have recently introduced cyber products are starting small, and large insurers have started regulating their exposures. For instance, AIG has begun reducing cyber limits and is implementing tighter terms and conditions to address increasing cyber loss trends, rising threats associated with ransomware, and systemic nature of cyber-risk.
4. Risk assessment-as-a-service: Many insurers and brokers have started to provide risk assessment or cyber awareness consulting services as an add-on to their customers. Some examples are:
   1. Zurich NA provides an assessment report to all the customers who purchase their stand-alone cybersecurity insurance policy. Zurich has partnered with CYE, a cyber-solutions firm, to carry out the assessment by evaluating its systems and identifying vulnerabilities.
   2. Travelers have partnered with Symantec to provide risk assessment-as-a-service to its customers. Customers can consult with Symantec cybersecurity experts and have access to the training materials and services for their employees.
   3. AIG provides a risk assessment report to all its applicants, evaluating possible threats. This is available to all applicants regardless of whether the policy is bound.
   4. Aon provides security risk assessment as an offering and has an expert team to evaluate the customers’ systems and provide recommendations to strengthen them.

Insurers being potential cyber-attack targets

The number of cyber-attacks on insurers in the past two years has increased significantly. Insurers have become lucrative targets as they hold large amounts of customer or policyholder data. This gold mine of data generally includes Personally Identifiable Information (PII) such as Social Security Numbers (SSN), bank account or digital wallet details, health records, phone numbers, and addresses. Attackers use such data for identity theft, cyber fraud, and illegal financial transactions.

Increasing work from home and remote operations have opened up pathways for attacks. A survey conducted by the Financial Services Information Sharing and Analysis Center shows that there has been a significant increase in email scanning, phishing, and malware threats against web pages through which employees access the company’s network while working from home. Banking, financial services, and insurance companies have become hotspots for such hacks and attacks.

Some recent cybersecurity breaches in renowned insurance firms include:

1. In March 2021, a large commercial insurance group reportedly paid USD 40 million to free its data and restore its systems from a ransomware attack. The attackers had used authentic credentials and tools to infiltrate the system and took a copy of the data into their cloud.
2. A US-based property and casualty insurer suffered a data breach towards the end of January 2021. The cyber-attackers were stealing drivers’ license numbers from the company’s database. The breach lasted for over a month until March 2021. Even though the impact of the breach was not clear, the insurer offered an identity theft protection cover for all the victims for a year.
3. In September 2020, an insurance brokerage firm was reportedly a victim of a ransomware attack. It came to light that the personal information of over 722,000 customers was compromised. However, it was not disclosed if the ransom was paid. A lawsuit was filed that the broker did not inform the customers whose data was compromised until June 2021.
4. In a data breach that happened in 2015, a large health and supplemental benefits insurer had to pay around USD 40 million to its customers. It was reported that the PII information of about 79 million people was stolen. The attackers accessed the data using the credentials of the company’s employees obtained using a common email phishing technique.

Such incidents cause business interruptions and cause financial loss, affecting the reputation of the insurers. Insurers have started implementing new measures and strengthening existing systems to identify or prevent cyber threats of all kinds.

The way forward

To enable better cybersecurity, insurers must:

1. Adopt modern technologies like blockchain, AI, analytics, deep learning, and a zero trust model to strengthen core systems and databases, identify cracks in security opportunities for data exploitation, and close the gaps.
2. Stay vigilant and conduct periodic risk assessments. Set up systems and protocols to scan and monitor the application ecosystem for potential threats. Establish strong firewalls and secure gateways for integrations with third-party applications or partner application systems.
3. Plan the roadmap for legacy modernization, update applications regularly to the latest versions, and ensure the security patches are up-to-date.
4. Set up an extensive data protection strategy, restricting access to data based on user roles, encrypting sensitive data, scheduling back-ups, securing infrastructure for data storage, and deleting unwanted data.
5. Train employees, agents, brokers, and partners about impending threats like phishing emails and malicious software, and constantly update them regarding the latest threats in the industry. Set up dedicated teams of cybersecurity professionals to oversee all security-related initiatives.
6. In the adverse event of an attack, have a response plan to recover in the shortest time possible, preventing being locked out of the systems to ensure business continuity.

Conclusion

Cyber threats and attacks can impact businesses in an extremely adverse manner. Thus, it has become extremely important for businesses to focus on protecting their own data and their customers’ data. Cybersecurity assures data protection and privacy, helps in being compliant with regulations like GDPR, HIPPA and CCPA, ensures business continuity, and more than anything helps insurers to build and establish trust with their customers, partners and stakeholders.

References:

1. Cyber insurance: Risks and trends 2021, Martin Kreuzer, Jürgen Reinhart, March 11, 2021: https://www.munichre.com/topics-online/en/digitalisation/cyber/cyber-insurance-risks-and-trends-2021.html
2. AIG is reducing cyber insurance limits as cost of coverage soars, Reuters, August 6, 2021:https://www.reuters.com/business/aig-is-reducing-cyber-insurance-limits-cost-coverage-soars-2021-08-06/
3. Cyber insurance for business, Zurich: https://www.zurichna.com/insurance/cyber
4. Ransomware Attack Reported at Insurance Giant AXA One Week After It Changes Cyber Insurance Policies in France, Scott Ikeda, May 25, 2021: https://www.cpomagazine.com/cyber-security/ransomware-attack-reported-at-insurance-giant-axa-one-week-after-it-changes-cyber-insurance-policies-in-france/

5. Zurich teams up with global security specialist to expand cyber protection offering as risks grow, Media release, Zurich, February 26, 2020: https://www.zurich.com/en/media/news-releases/2020/2020-0226-01#:~:text=Zurich%20Insurance%20Group%20(Zurich)%20has,effective%20cyber%20risk%20management%20programs
6. Travelers Teams with Symantec to Offers Cybersecurity Services to Policyholders, Insurance Innovation Reporter, Anthony R. O’Donnell, April 13, 2017:https://iireporter.com/travelers-teams-with-symantec-to-offers-cybersecurity-services-to-policyholders/

7. Covid-19 and cyber risk in the financial sector, Iñaki Aldasoro, Jon Frost, Leonardo Gambacorta and David Whyte, 14 January 2021: https://www.bis.org/publ/bisbull37.pdf