Comment
June 29, 2022

Insurers are struggling to navigate the cybersecurity minefield

The digital world is a minefield for insurers, with giants such as AXA, CNA Financial, Tokio Marine, and Marsh & McLennan suffering cyberattacks in 2021 alone. Insurers are also trying to weather the harsh cyber insurance landscape and are yet to translate the greater need for cyber insurance into improved penetration rates.

With cyber risk rising ever higher due to the persistence of hybrid working models, ongoing supply chain threats, and the Russia-Ukraine war, insurers must navigate the theme cautiously or risk suffering reputational damage from either a data breach or refusing to make a cyber insurance payout. GlobalData’s latest report, Cybersecurity in Insurance, examines cybersecurity developments in the insurance sector and analyses areas of the cybersecurity value chain that insurers should pay most attention to. 

What is currently happening within the theme?

Cyberattacks ravaged the insurance sector during the Covid-19 pandemic, with neither start-ups nor leading insurers remaining immune. CNA Financial was hit by a ransomware attack in March 2021 that saw the company paying a massive $40 million ransom to the hackers. Over the following months, Marsh & McLennan, AXA, Tokio Marine, and Porto Seguro also fell victim to cyberattacks. In February 2022, Aon announced that it had discovered a serious data breach that affected nearly 32,000 customers and exposed names, social security numbers, driver’s license numbers, and benefits enrolment information.

Of course, these data breaches can—and should—come with serious financial and reputational repercussions. In July 2021, US health insurance company Humana was fined for a data breach in late 2020 involving 65,000 customers. The lawsuit criticized the time taken to discover the data breach (two months) and the time taken to notify customers after the breach was discovered (three months). Similarly, insurance broker Arthur J. Gallagher faced a class-action lawsuit in August 2021 for a ransomware attack it suffered in September 2020.

Meanwhile, the increased risk of cyberattacks has made cyber insurance provision far riskier for insurers, with some ransomware gangs reportedly targeting businesses with cyber insurance policies as they are more likely to pay a ransom. Hence, insurers like AXA and AIG are re-thinking their cyber policies to mitigate the higher risk of a payout, with higher premiums and reduced customer coverage.

GlobalData’s SME Insurance Survey 2021 found that cyber insurance uptake among UK SMEs was only 12.6% in 2020, which fell to an even lower 11.2% in 2021. The cost-of-living crisis and rising energy bills will make it even harder for small businesses to afford cyber insurance, which is concurrently getting more expensive as the level of risk increases.

Why is the need for cybersecurity rising for insurers?

The insurance sector is rapidly adopting digital technologies including cloud, the internet of things (IoT), artificial intelligence (AI), and data analytics to compete with insurtechs and meet consumer demands concerning personalization and convenient digital interfaces. This digitalization was catalyzed by the Covid-19 pandemic and is generating a larger surface area for potential cyberattacks.

The rise of insurtechs brings the risk of holes being left in application development. They tend to hold even more personal data than traditional insurers and typically have robust platforms, but they are still not immune to sizeable data breaches. In July 2021, insurtech startup BackNine exposed vast amounts of sensitive customer data after its cloud storage server’s privacy setting was accidentally set to public.

Moreover, the Russia-Ukraine war has increased the likelihood of state-sponsored cyberattacks that target critical infrastructure, military operations, and businesses. Such attacks could not only target insurers but also lead to expensive payouts and damage the reputations of those reluctant to pay. This was the case for Ace American, which was sued by its client Merck in 2022 for failing to cover its losses during the 2017 NotPetya ransomware attack.

In addition, a key facet of the ‘governance’ component of ESG, the biggest theme of this decade, is risk management. Companies that manage risks, whether from natural disasters or financial uncertainties, are more likely to remain profitable in the long term. Cybersecurity breaches are a particular governance risk to the long-term sustainability of an insurer and the safety of their employees and customers.

So, what is the outlook?

The rapid digital transformation of the insurance sector will inflate annual cybersecurity revenues within the sector to $10.6 billion by 2025, up from $7.2 billion in 2021, according to GlobalData forecasts. According to IBM, human error is the leading cause of cybersecurity breaches. Some insurers, such as Hiscox, are educating their clients on identifying and mitigating cyber risks to reduce the chance of a human error-induced breach.

Insurers should invest in cybersecurity solutions to protect themselves and their customers, inform cyber insurance policies, or both. With more employees working from home with remote virtual private network (VPN) access or various endpoints needing protection, insurers should prioritize network security, endpoint security, and cloud security. Cybersecurity solutions for the end-users section of the industry value chain, including identity management and data security, should also be prioritized, as this is where customers’ sensitive data is more exposed. Many health or motor insurers are using IoT devices that require investment in chip-based security, too.

Since many corporate directors in the insurance sector lack adequate expertise in cybersecurity, companies should also appoint a chief information security officer (CISO) responsible for implementing an effective cybersecurity strategy.