Cyber risks: what is the impact on the insurance industry?

October is the European cyber security month. As cyber attacks are a continuing risk for insurers, in this article we are discussing their incidence in the financial industry as a whole and among insurers in particular, why insurers are on the radar and what are the consequences for insurers and for policyholders.

The pandemic has accelerated the digital transformation. Financial institutions have increased their use of information technology. They are now more heavily relying on digital and remote solutions to perform their daily operations and to deliver their services to customers. While this has brought along benefits, the increasing reliance on digital solutions has also expanded the risk for cyber attacks.

Cyber risks are considered as a top global risk for the financial sector and the economy as a whole. The type of ICT risks to which the undertakings are exposed have not changed in the past years, however the frequency of incidents and the magnitude of their impact on financial entities has increased.

A recent study on Covid-19 and cyber risk in the financial sector revealed that the financial sector has experienced the largest number of Covid-19- related cyber events after the health sector. Payment institutions, insurers and credit unions are the most affected.

Insurers in some jurisdictions are reporting an increasing number of malware and other cyber attempts. Insurance supervisors consider cyber security risks as the main trigger of other risks, as highlighted by the European Supervisory Authorities (EIOPA, ESMA and EBA) in their report on the risks and vulnerabilities in the financial sector. Some of these risks include:

  • digitalisation risks (for 73% of insurance supervisors)
  • cyber underwriting risks (19%)
  • InsurTech competition (8%)

Why insurers are on the radar of cyber attacks ?

Insurance groups are a natural target for cyber attacks because they possess substantial amounts of confidential policyholder data. Products, policies and pricing are all powered by data. This is what makes it so valuable: with data an insurance company is able to offer the consumer just what they need and hopefully at just the right price. More choice and lower costs are what makes consumers so ready to share their data.

In contrast to other sectors, which hold mainly sensitive financial data, insurers typically also collect a large amount of protected personal sensitive information.

What are the consequences?

The main consequences suffered by insurers following these cyber incidents are business interruption and material costs for the undertaking, for policyholders and for third parties.

Data obtained can be used for different criminal purposes such as identity theft to obtain financial gains.

Besides the direct financial consequences, cyber incidents can also result in severe and long-lasting operational issues for the targeted insurance groups. The reputational damage may also be substantial or even irreversible.

If malicious cyber incidents cause business interruptions, this has a direct impact on all policyholders.

At the same time, as a direct consequence of the increase of ICT incidents as described above the cyber-underwriting market is expanding. According to Statista, the European cyber insurance market is expected to grow exponentially between 2020 and 2030, doubling in size between 2020 and 2025. Insurers have their role to play in this area. A sound cyber insurance market is an important measure. The challenge is how to insure and help prevent cyber risk.

In conclusion, insurers and pension funds need not only to manage cyber and IT risk within the company and the value chain, but they also need to keep pace with new threats and developments. Here operational resilience testing and cooperation can help and as such EIOPA welcomes the Digital Operational Resilience Act, or DORA and other initiatives in this field and stands ready to contribute. EIOPA will continue to monitor and motivate innovation, while keeping a close eye on new risks that are emerging, as well as on how consumers are served.