Cybersecurity is perhaps one of the most important topics for the insurance sector today. Insurers and insurance producers must protect the highly sensitive consumer financial and health information collected as part of the underwriting and claims processes. This personally identifiable information (PII) is entrusted to the industry by the public.
Amid the rising incidence of cyberattacks and the growing number of high-profile data breaches, the government has stepped up its scrutiny of cybersecurity.
This has led to increasing calls for legislation and regulation for enhanced cybersecurity measures to address the numerous risks posed by a cyberattack, including, but not limited to: (1) identity theft; (2) business interruption; (3) damage to reputation; (4) data repair costs; (5) theft of customer lists or trade secrets; (6) hardware and software repair costs; (7) credit monitoring services for impacted consumers; and (8) litigation costs. Most commercial property and general liability policies do not cover cyber risks, and cyber insurance policies are highly customized for clients.
As per GlobalData’s Cybersecurity in Insurance report, by 2025, the cybersecurity market size in the insurance sector will have reached $10.6 billion. Revenues are expected to grow at a CAGR of 10.7% between 2020 and 2025.
- Cybersecurity revenues in the insurance sector will grow from $6.4 billion in 2020 to $10.6 billion in 2025, according to GlobalData forecasts
- The sector’s rapid digital transformation will drive this growth. Cybersecurity software will grow the fastest at a compound annual growth rate (CAGR) of 14.6%, followed by hardware (10.7%) and services (5.5%)
- The rise in complex ransomware attacks, the persistence of hybrid working models, ongoing supply chain threats, and the Russia-Ukraine war have all accelerated the need for robust cybersecurity defenses across sectors
Rapid digitalization and geopolitics have increased cyber risk awareness
COVID-19 led to more customers accessing their accounts digitally and insurers selling through digital channels, increasing the sector’s cyber risk. In 2021, leading financial institutions AXA, Tokio Marine, CNA Financial, and Banco Pichincha were hit by cyberattacks.
There are also fears that the Russia-Ukraine war may give rise to state-sponsored attacks that target critical infrastructure, military operations, and businesses. Such attacks could not only target insurers but could lead to expensive payouts and damage the reputations of those reluctant to pay.
This was the case for Ace American, which was sued by its client Merck in 2022 for failing to cover its losses during the 2017 NotPetya ransomware attack. The increased risk and fear of cyberattacks was also reflected in the number of mentions of cybersecurity and cyberattacks both on social media and in insurance company filings. Despite increased awareness and discussion, sentiment towards cybersecurity remains negative.
Global Cybersecurity Market Size in the Insurance Sector (2019 – 2025, $ bn)
Ransomware attacks have become even more damaging, audacious and widespread over recent years, with no obvious let-up on the horizon. The growth of this particular class of cybercrime can be tied in part to ongoing digitalisation and society’s reliance on IT, which the pandemic only served to accelerate. Despite all the benefits of digital technology, the proliferation of ransomware is an unfortunate by-product.
Many ransomware victims may simply find it easier and less costly to pay the ransom demand than to endure interruption to their businesses and/or incur costs to remove the malware and restore data. This is potentially creating a vicious cycle and incentivising criminals to continue carrying out ransomware attacks.
Instead, the future management and prevention of ransomware attacks will be a complex undertaking, requiring a multi-faceted approach.
A natural reaction may be to prohibit ransom payments altogether; some governments around the world contemplate such a move. But the law of unintended consequences suggests caution, as such a ban could mean that organisations most in need of protection are even more exposed to an attack.
Some re/insurers have already invested in new ways to assess insureds’ cyber maturity and security controls. Additionally, insurers can leverage premium discounts, co-insurance and retention arrangements to incentivise organisations to adopt essential cybersecurity best practices, reducing their susceptibility to intrusion.
With ransomware we see an example of the important ‘prevention and mitigation’ role insurers play as risk managers. They control a critical lever with their ability to incentivise customers to maintain strong cybersecurity controls and standards, helping to reduce firms’ vulnerability to attack and boost their cyber resilience.
Governments and regulators have their levers, too, and as our report highlights, they need to rein in the illegal use of cryptocurrencies and do more to ensure information exchange about incidents as well as improve international cooperation among law enforcement.
Prohibiting ransom payments or their reimbursement by insurers would likely drive transactions underground, forfeiting the ability of the authorities to record and analyse incidents and prosecute criminals. Furthermore, the last thing we should do is take steps that might discourage smaller firms from taking out cyber insurance, the benefits of which go well beyond reimbursing ransoms.
Cybersecurity-Related Mentions in Company Filings within the Insurance Sector
Cybersecurity-related mentions in company filings are steadily increasing, but sentiment remains low. Cybersecurity mentions grew by 93% between 2018 and 2021.
In recent years, malware and ransomware cyberattacks have been causing severe disruption for global businesses and their supply chains. In addition to the rise in malware and ransomware attacks, the threat of state-sponsored cyber-attacks has become a significant focus for businesses and governments.
The Lloyd’s report “Shifting powers: Physical cyber risk in a changing geopolitical landscape” focuses on the importance of effective risk management and the role of insurers in helping customers build resilience to cyber-attacks that could cause damage to physical environments.
The cyber insurance market remains small but nascent
These include updating disclosure laws to increase the understanding of the crime and enable better targeting of disruption activities; tougher regulation to make it harder for criminals to use cryptocurrencies for illicit purposes; more effective mechanisms and institutional structures to exchange threat information among stakeholders, including improved international cooperation among law enforcement agencies; and measures to promote cybersecurity best practice as well as address vulnerabilities in software supply chains.
Whilst most cyber-attacks are digital, some result in tangible disruption or damage to the physical environment, and these types of attacks are becoming increasingly commonplace.
This is in large part due to the increasingly interconnected nature of systems and services, which exposes businesses to perils from physical cyber-attacks such as fires, explosions, flooding or bodily injury.
Those trends have been underlined by the COVID-19 pandemic and the rise in criminal ransomware activity it triggered, alongside the changing geopolitical landscape in the wake of Russia’s invasion of Ukraine. Thankfully, the world is yet to experience a truly catastrophic cyber physical attack. But the potential impacts of such an attack could be significant, crippling entire systems and societies.
Insurers must navigate the harsh cyber insurance landscape
Although the pandemic accelerated the need for cyber insurance, insurers are yet to translate this into improved penetration rates. Alongside increased demand due to increased cyber risks, the rise in recent cyberattacks made cyber insurance a risky investment, which led to higher insurance prices. With insurers such as AXA no longer writing cyber policies that reimbursed ransom attacks and AIG assessing business security measures before underwriting, many insurers may follow suit and rethink their risk exposure, forcing businesses to strengthen their cybersecurity frameworks in case of a ransom attack. The increased demand for assessing risks associated with cybersecurity policies is also reflected in the sharp increase in the number of active cybersecurity-related jobs in the insurance sector.
Cybersecurity-related jobs in insurance companies have rapidly increased between Q1 2020 and Q1 2022. The fastest growth, 48%, was between Q4 2020 and Q1 2021, as per GlobalData’s Cybersecurity in Insurance report.
Cybersecurity-Related Active Job Count in the Insurance Sector
GlobalData’s ‘Cybersecurity in Insurance’ report provides a comprehensive overview of the increased cybersecurity risks affecting the insurance sector and their implications for it.
- Although cybersecurity risk awareness has increased, sentiment towards cybersecurity remains low.
- The increased risk of cyberattacks has made cyber insurance provision far riskier for insurers as the chance of a payout is greater.
- The changing cyber insurance market landscape poses obstacles to the widespread adoption of cyber cover. Insurers have begun to reduce coverage limits and increase premiums.
The report discusses how the increased cyber risk puts insurance companies holding sensitive information at risk of data breaches and therefore lawsuits. Furthermore, the report discusses how, despite increased demand for cybersecurity cover, insurance companies face a challenge in navigating the risks and improving penetration rates.