According to PwC’s 19th annual CEO survey, 61% of CEOs are concerned about cybersecurity, with everything from phishing to denial-of-service attacks on the rise. For the insurance industry, cybersecurity represents both an opportunity and a threat: an opportunity in that enterprises are crying out for coverage against the cyber risks they face, a threat because carriers, of course, hold large amounts of customer data and are hence targets for cyber-attacks and hacks themselves.
A theme across this content series, and one we explored specifically in our feature on marketing and customer-centricity, has been the imperative for insurers to better engage with customers’ needs – before customers start taking those needs elsewhere. On the commercial side, cyber risk is therefore an enticing opportunity for insurers, as their clients’ businesses are only going to get more online, not less, and security risks abound (especially with anything IoT-related). However, cyber events are particularly challenging to insure against due firstly to their manifold knock-on effects, which range from barely quantifiable reputational damage to share-price collapse, and secondly to the lack of historical data. Substantial focus will therefore be required for insurers to fully realize the cyber-coverage opportunity.
"Insurers just don’t have the capability or the skillset to produce things that customers want to buy, particularly with so-called cyber products that mostly don’t cover the specific risks that the clients are concerned about. There’s a total disconnect there between the reality of business for all the Fortune 500 companies in the world and what insurers think they’re going to provide them by way of services and products." — Steve Tunstall, CEO and co-founder at Inzsure.com
Cybersecurity is a sprawling area, so this part of our series is primarily aimed at cybersecurity as threat, as opposed to cybersecurity as opportunity: What are carriers doing to protect their customers’ data and to mitigate against the threat of data breaches? We start with a look at carriers' attitudes to cyber threats like data breach, followed by a look at how – and how confidently – they are addressing these. To finish off, we cast an eye over the longer-term evolution of cybersecurity as carriers pressing forward with digital transformation seek, at the same time, to future-proof their systems.
The following stats and perspectives are drawn from our Global Trend Map; a breakdown of all respondents, and details of our methodology, are included in the full report, which you can download for free at any time.
1) Assessing the Scale of the Cyber Threat
69% of carriers are "very concerned" about information security breaches.
While (re)insurers are open to the same sorts of attack as other large enterprises, the event we choose to focus on here is data breach. There is nothing that strikes so much at the core of the insurance business, which has been a data business since the very beginning; at the same time, (re)insurers – as professional data stewards – ought to be relatively well-placed to defend themselves. The harm that could come from a cyber breach at a carrier is multifaceted: Stolen data could cause customers direct commercial damage, whereas tampered-with data could render carriers’ risk models worthless, affecting both them and their customers further down the line.
It is no surprise then to see the overwhelming majority of (re)insurers registering concern with information security breaches (94%). Cyber-attacks affect other players in the insurance ecosystem, too, and there are plenty of weak points in the "water cycle" of customer and company data; so we also encounter a majority concern among the other ecosystem players that contributed to our survey.
Our broader research suggests that data breaches are particularly high up the agenda in Asia-Pacific. We reached out to David Piesse, chairman of IIS Ambassadors and ambassador Asia Pacific at the International Insurance Society (IIS), based in Hong Kong, to understand more about what is happening in the region:
"Digitization is leapfrogging in Asia, and so are industrial parks with smart devices and machine learning running the processing. Because of global supply-chain issues, this makes the need to mitigate and protect data integrity an urgency even without regulation where best-practice risk management must be implemented."
Piesse continues: "Asia Pacific is only starting to look at regulations for data breach as opposed to data privacy laws, which have been around for some time. This leads us into the debate of the difference between privacy (encryption) and data integrity, which are two different arms of the cybersecurity triangle that must be embedded in all cyber risk management approaches.
"The time from compromise to discovery in Asia is now on average 580 days, according to statistics. Therefore, we must assume compromise of data across time, as there have been no notification laws and hence no catalyst to mitigate. This is why there is concern in Asia Pacific. The take-up of cyber insurance in Asia is fairly low as compared with the U.S. and U.K. for this reason."
2) Filling the Breach
Our respondents’ data-breach concerns are matched by high confidence that data security is adequate, and this probably has a lot to do with mitigation planning across their organizations. As we see from our graphic, three-quarters of carriers are confident in their security, and we find a similar level of confidence among respondents from the broader ecosystem.
While these figures are encouraging, a quarter of respondents lacking confidence on this important measure is still cause for concern when we consider the number of customers that any one company can have. Even just a few percentage points of the ecosystem still represents rich pickings for online criminals and massive disruption for thousands, and potentially millions, of customers.
"Insurers have been very early adapters of computer technology. Given this maturity, one might think they should be able to control technology security on all layers, but the opposite is usually the case." — Oliver Lauer, head of architecture/head of IT innovation at Zurich
When we turn to look at concrete mitigation plans, we observe that these are relatively commonplace.
However, 11% of carriers having no plan is concerning, given the absolute amount of business interruption this potentially represents (6% answered "don’t know"). Another factor to bear in mind is the potential fallibility of mitigation plans, so the proportion of carriers that are actually safe from security breaches will certainly be less than the 83% quoted above. We should also remember that data breach is just one type of cyber-attack and consequently just one aspect of (re)insurers’ overall cybersecurity strategy, which needs to be comprehensive.
"Insurers are very late in the game of opening their systems for the digital age, and most of their software systems are 25 years old and older, and are ‘secure by nature’ due to their legacy walled garden architectures. And now they are modernizing their systems at the speed of light, and their security architectures and capabilities can hardly follow." — Oliver Lauer
We expect carriers – and all businesses for that matter – to continue ramping up their cyber defenses over the coming months and years, especially given recent high-profile incidents like the Wanna Decryptor attack in May 2017, which hit nearly 100 countries around the world.
When assessing the full spectrum of cybersecurity risks, it can be difficult to know where to start and what to prioritize, so we asked financial services influencer Michael Quindazzi, business development leader and management consultant at PwC, for five key questions every insurer should be asking itself, from the board down:
— Who are our adversaries, what are their targets and what would be the impact of an attack?
— What are the most important assets we need to protect?
— How effective are our processes, assignment of responsibilities and systems safeguards?
— Are we integrating threat intelligence and assessments into cyber-defense programs?
— Are we assessing vulnerabilities against emerging threat vectors?
As with building on unstable foundations, the risks from getting one’s approach to security wrong at the outset only get bigger the further down the road you go. We spoke to Oliver Lauer, head of architecture/head of IT innovation at Zurich, who frames the security conundrum in the following terms:
"Insurers are implementing digital cores with full connectivity to everything, omni- and multi-channel and open API architectures, and usually they have no real idea what these new implementations mean for their security systems – they are still handling security like they did in the past with their ‘closed shop’ approaches.
"This will lead – in my eyes – to very dangerous threats in the future. And even if they have recognized these risks and have the money to invest, it’s very difficult to hire the necessary resources. Everybody is looking for security experts at the moment.…"
What is clear is that today’s digital platforms introduce a fundamentally new security dynamic requiring a different way of thinking from security professionals at carriers.
3) Longer-Term Evolution
58% of carriers have updated their security strategies to reflect the rise of new digital platforms.
As we can see from the chart below, the majority of insurers and reinsurers have made adjustments to their security strategy to reflect the rise of digital platforms, and we get a similar figure when we consider our other ecosystem players.
For now, though, this is a small majority (58%), less than the 83% who had mitigation plans for data breaches. As the industry gets savvier about cybersecurity as a whole, we expect this figure to rise sharply.
"With customer data-protection and privacy rules becoming more scrutinized across Europe and the globe, it is not a surprise that the chief information security officer is taking such a prevalent position within enterprises. The role will need to ensure appropriate usage of customer data and overcome digital privacy and security issues." — Sabine VanderLinden, managing director at Startupbootcamp