The digital world is a minefield for insurers, with giants such as AXA, CNA Financial, Tokio Marine, and Marsh & McLennan suffering cyberattacks in 2021 alone. Insurers are also trying to weather the harsh cyber insurance landscape and are yet to translate the greater need for cyber insurance into improved penetration rates.

With cyber risk rising ever higher due to the persistence of hybrid working models, ongoing supply chain threats, and the Russia-Ukraine war, insurers must navigate the theme cautiously or risk suffering reputational damage from either a data breach or refusing to make a cyber insurance payout. GlobalData’s latest report, Cybersecurity in Insurance, examines cybersecurity developments in the insurance sector and analyses areas of the cybersecurity value chain that insurers should pay most attention to. 

What is currently happening within the theme?

Cyberattacks ravaged the insurance sector during the Covid-19 pandemic, with neither start-ups nor leading insurers remaining immune. CNA Financial was hit by a ransomware attack in March 2021 that saw the company paying a massive $40 million ransom to the hackers. Over the following months, Marsh & McLennan, AXA, Tokio Marine, and Porto Seguro also fell victim to cyberattacks. In February 2022, Aon announced that it had discovered a serious data breach that affected nearly 32,000 customers and exposed names, social security numbers, driver’s license numbers, and benefits enrolment information.

Of course, these data breaches can—and should—come with serious financial and reputational repercussions. In July 2021, US health insurance company Humana was fined for a data breach in late 2020 involving 65,000 customers. The lawsuit criticized the time taken to discover the data breach (two months) and the time taken to notify customers after the breach was discovered (three months). Similarly, insurance broker Arthur J. Gallagher faced a class-action lawsuit in August 2021 for a ransomware attack it suffered in September 2020.

Meanwhile, the increased risk of cyberattacks has made cyber insurance provision far riskier for insurers, with some ransomware gangs reportedly targeting businesses with cyber insurance policies as they are more likely to pay a ransom. Hence, insurers like AXA and AIG are re-thinking their cyber policies to mitigate the higher risk of a payout, with higher premiums and reduced customer coverage.

GlobalData’s SME Insurance Survey 2021 found that cyber insurance uptake among UK SMEs was only 12.6% in 2020, which fell to an even lower 11.2% in 2021. The cost of living crisis and rising energy bills will make it even harder for small businesses to afford cyber insurance as it concurrently gets more expensive with the increasing level of risk.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Why is the need for cybersecurity rising for insurers?

The insurance sector is rapidly adopting digital technologies including cloud, the internet of things (IoT), artificial intelligence (AI), and data analytics to compete with insurtechs and meet consumer demands concerning personalization and convenient digital interfaces. This digitalization was catalyzed by the Covid19 pandemic and is generating a larger surface area for potential cyberattacks.

The rise of insurtechs risks holes being left in application development. They tend to hold even more personal data than traditional insurers and typically have robust platforms—but they are still not immune to sizeable data breaches. In July 2021, insurtech startup BackNine exposed vast amounts of sensitive customer data after its cloud storage server’s privacy setting was accidentally set to public.

Moreover, the Russia-Ukraine war has increased the likelihood of state-sponsored cyberattacks that target critical infrastructure, military operations, and businesses. Such attacks could not only target insurers but could lead to expensive payouts and damage the reputations of those reluctant to pay. This was the case for Ace American, which was sued by its client Merck in 2022 for failing to cover its losses during the 2017 NotPetya ransomware attack.

In addition, a key facet of the ‘governance’ component of ESG, the biggest theme of this decade, is risk management. Companies that manage risks, whether from natural disasters or financial uncertainties, are more likely to remain profitable in the long term. Cybersecurity breaches are a particular governance risk to the long-term sustainability of an insurer and the safety of their employees and customers.

So, what is the outlook?

The rapid digital transformation of the insurance sector will inflate annual cybersecurity revenues within the sector to $10.6 billion by 2025 up from $7.2 billion in 2021, according to GlobalData forecasts. According to IBM, human error is the leading cause of cybersecurity breaches. Some insurers, such as Hiscox, are educating their clients on identifying and mitigating cyber risks to reduce the chance of a human error-induced breach.

Insurers should invest in cybersecurity solutions to protect themselves and their customers, inform cyber insurance policies, or both. With more employees working from home with remote virtual private network (VPN) access or various endpoints needing protection, insurers should prioritize network security, endpoint security, and cloud security. Cybersecurity solutions for the end-users section of the industry value chain—where customers’ sensitive data is more exposed, including identity management and data security—should also be prioritized. Many health or motor insurers are using IoT devices that require investment in chip-based security, too.

Since many corporate directors in the insurance sector lack adequate expertise in cybersecurity, companies should also appoint a chief information security officer (CISO) responsible for implementing an effective cybersecurity strategy.