Property/casualty insurers face a host of challenges these days, ranging from liquid customer expectations to an evolving economy to lightning-speed changes in technology to digital disruption. But as insurer management juggles all of those time-consuming issues, they cannot for a moment afford to lose sight of a threat that poses tremendous legal, regulatory, operational and reputational perils for every carrier, regardless of its size or specialty: cyber risk.
Yet, in its August Issue Paper on Cyber Risk to the Insurance Sector, the International Assn. of Insurance Supervisors (IAIS) reports that a survey of 30 member companies last year indicates that “cyber resilience did not appear to be perceived as a regulatory priority for most survey respondents.” Most survey respondents reported they plan to or already have addressed cyber security through regulatory or supervisory requirements under their corporate governance. But this effort was not a priority for myriad reasons, including the stage of information technology development at the organizations, a lack of specific regulatory requirements on cyber resilience and staff limitations.
Because of the potentially disastrous impact that cyber criminals could have on individual carriers as well as the public trust in the insurance sector, I couldn’t agree more with the standards-setting organization that insurance supervisors must redouble their effort to combat cyber risk. Property/casualty insurers of all stripes are potential targets, as they store private policyholder information, including individuals’ health information in some cases. Insurers are further exposed to cyber criminal activity through their connections to a multitude of other institutions—brokers and agents, reinsurers and various financial institutions—as well as during corporate restructuring activities, such as mergers and acquisitions.
Consider these cyber crime statistics:
- The average cost of a data breach for U.S. companies in fiscal year 2016 was $221 per record, up from $217 last year and $201 in 2014, according to the Ponemon Institute’s 2016 Cost of Data Breach Study: Global Analysis. In Canada, the average cost was $211 in fiscal year 2016 and $189 in 2015. The United States ranks first in the world in data breach costs, and Canada ranks third. The average cost per organization in fiscal year 2016 was more than $7 million in the United States and nearly $5 million in Canada.
- The average cost of data breaches for 16 industry sectors was $158 million, but the financial services sector’s cost was well above the mean in fiscal year 2016 at $221 million, according to Ponemon.
- Cyber criminals are relentless. In the group of 58 companies that Ponemon studied last year and reported on in its 2015 Cost of Cyber Crime Study: United States, there were 160 discernible cyber attacks per week, or an average of nearly 2.8 successful attacks at each organization every week.
- A cyber attack on the U.S. power grid could result in total losses of more than $1 trillion and insured losses of at least $21.4 billion and as much as $71.1 billion, a recent report by Lloyd’s and the University of Cambridge Centre for Risk Studies predicted.
- Cyber crime costs the global economy at least $400 billion annually, according to the Center for Strategic and International Studies and McAfee.
- The World Economic Forum in 2015 identified technological risks (data fraud, cybersecurity incidents and infrastructure breakdown) as a top 10 risk to the global economy.
In this series reviewing the IAIS paper, I’ll examine some weaknesses in insurers’ cyber security, how insurance supervisors should respond to cyber risk and the best practices in developing insurer resilience against cyber attacks.
Next time: Insurer weaknesses and cyber security incidents.
The International Assn. of Insurance Supervisors’ Issue Paper on Cyber Risk to the Insurance Sector