Daniel is the Senior Vice President and Senior Global Claims Consultant at Guy Carpenter & Company, LLC in New York, USA. As part of the Certified Cyber Insurance Specialist (CCIS) course, he completed a complex assignment on cyber risk in the insurance industry.
While the media focuses on the impact of cyber crimes and cyber policy triggers, there are more direct cyber threats to insurance carriers. The insurance industry, much like banks and other financial institutions, is a prime target for threat actors because of its high visibility, its systems holding voluminous amounts of sensitive data, its deep pockets, and its value as a target for ideological statements. It has been reported that cyber insurers have become a specific target, as the data they hold details policyholders' cyber covers (coverages, limits…) and could therefore point cyber criminals to potential targets.
Impact of Digital Transformation on Cyber Risk in the Insurance Industry
On the whole, the insurance industry took a while to warm to the digital transformation of its business. Although some carriers had adopted automation and digital workflows prior to the pandemic, the rate of digital transformation in the industry saw a sharp uptick as lockdowns came into force and the workforce increased its reliance on remote virtual access to business networks.
But with this change to a historic way of working came heightened cyber exposures, exacerbated by remote and hybrid models of working and the RDP and VPN exposures they introduce. In fact, a recent bulletin by BIS reported that since the beginning of the COVID-19 pandemic the financial sector has suffered the second-most cyber attacks of any sector, behind only the health sector. With more business conducted through emails, direct messages, and video conferences, the industry is increasingly vulnerable to remote access attacks, social engineering attacks such as phishing, vishing, and smishing, and emerging deepfakes. The rise of supply chain vulnerabilities adds another layer of complexity, underscoring the importance of implementing robust cybersecurity measures to safeguard against these risks.
Cyber Risk to Insurance Underwriting and Claims Payments
The insurance industry is acutely aware of the risk posed by cyber attacks, as they could lead to significant losses in two critical areas – underwriting and claims payments. As a result, insurance companies are eager to implement effective strategies to address ransoms and breaches promptly.
Underwriting is a critical area for insurance companies, as it is responsible for assessing and pricing risks and ultimately determining whether or not to provide coverage to a customer. An attack on an insurer's underwriting system can cause significant disruption to the business, potentially halting the flow of premiums into the company. This can have a negative impact on the company's financial performance and its ability to operate effectively.
Claims payments are another critical area for insurance companies. A cyber attack on an insurer’s claims payment system can result in delayed or incorrect payments to customers, leading to irate customers and potential reputational risks. In addition, regulatory authorities may impose fines and legal action against the insurer for failing to provide timely and accurate claims payments.
Any disruption to these processes could lead to significant financial losses, reputational damage, and regulatory fines. Therefore, insurance companies are keen to resolve ransom incidents and breaches as quickly as possible to minimize the impact of downtime and the potential financial losses.
Significant Cyber Losses
While there has always been exposure to criminal activity against insurance companies, the insurance industry has increasingly become a target for cyber criminals. During a conference several years ago, a global insurance broker's CEO advised that a large amount of their customers' data had been exposed (he did not provide details of how) and that they had to send notifications to all impacted customers at a cost of $4 per notice, resulting in a loss of a few million.
With the increasing number of cyber attacks on businesses, the potential losses they face have become significantly more severe. One of the most immediate and pressing consequences of a cyber attack is the inability to conduct normal business operations, as systems are often rendered unusable or compromised by attackers. This downtime can lead to significant financial losses as well as reputational damage. Additionally, cyber criminals may demand higher ransom payments from insurers to restore their systems, further adding to the cost of an attack.
Furthermore, cyber attacks often result in the loss of sensitive customer and policy information, which can expose individuals and businesses to identity theft and other forms of fraud. Such cyber attacks can further result in reputational damage and legal consequences, such as regulatory fines and penalties, as businesses may be held accountable for any data breaches that occur. Physical damage to systems and equipment is also a risk, especially in cases where the attack involves the use of malware or other malicious software.
Cyber Risk in the Insurance Industry: CNA, Desjardins & Chubb case study
Recent cyber events within the insurance industry have resulted in significant losses to insurance companies. For example, it was reported that in 2021 CNA allegedly paid a $40M ransom, plus remediation costs and business interruption losses; in 2020 insurance giant Chubb was also an alleged victim of a ransomware attack; and Desjardins suffered a data breach by an employee in which 9.7 million people were affected, resulting in a class action award of $221M CAD ($155M USD) against it. Ultimately, regulators deemed that Desjardins had failed to safeguard its customers' data by not limiting access even for its own employees, allowing easy access to that data.
As seen with the Desjardins data breach, not all exposure comes from outside threat actors. Employees or authorized users could gain unauthorized access and disclose information/data with malicious intent. While the misappropriation of data may have existed prior to the digital transformation of the insurance industry, the data is now far more readily available and vast. Additional exposure is ever present at a time when a majority of work is still done at home: more information is being transferred between the office and home, with increasing potential for that information to be lost or stolen through lost or stolen laptops (whether personal BYOD or corporate devices) or emails sent to errant recipients.
The insurance industry is increasingly vulnerable to cyber threats, particularly with the rise of digital transformation and remote working. Cyber attacks can cause significant disruption to underwriting and claims payments, leading to financial losses, reputational damage, and regulatory fines. Recent cyber events within the industry have resulted in significant losses to insurance companies, and not all exposure comes from outside threat actors, as employees or authorized users could gain unauthorized access and disclose information/data with malicious intent. The insurance industry must therefore prioritize continuous learning and stay aware of new threats and developments affecting its systems and those of its supply chain. Carriers must be vigilant in training their staff and vendors on potential threats and schemes to limit social engineering attacks.
The opinions and views expressed in this article are solely those of the author and do not necessarily reflect the opinions or positions of their employer or any other organization with which they may be affiliated.