Cyber Security: insurance sector’s greatest risk?
John Lyons analyses the findings of a new report from the International Association of Insurance Supervisors (IAIS) on cyber security and the insurance sector.

The International Association of Insurance Supervisors (IAIS) has issued a new report* on cyber risk that states that the levels of awareness of cyber threats and supervisory approaches to combat the risks vary across jurisdictions. However, it also notes a previous PwC survey that identified cyber risk as the fourth largest risk among insurers globally and the top risk for US and UK insurers.
John Lyons

It quotes an Allianz report that identified the following top trends:
- Increasing interconnectivity and ‘commercialisation’ of cyber-crime driving greater frequency and severity of incidents, including data breaches;
- Data protection legislation toughening globally. More notifications and significant fines for data breaches can be expected in the future;
- Intellectual property theft and cyber-extortion risks are increasing. Business interruption costs could equal or exceed breach losses; and
- Vulnerability of industrial control systems is posing a significant threat.

It gives a number of examples of recent cybersecurity incidents in the sector, such as:
- In 2015 two American health insurers had breaches involving credit card data and personally identifiable information, including health data, potentially exposing the data of up to 91 million people;
- A group of cyber extortionists known as DD4BC has been targeting a range of firms, including financial institutions in Europe, Canada, Australia and the US, with threats of distributed denial-of-services (DDoS) attacks in order to extort money from them. Two German groups were threatened with attacks in 2015 unless they paid a ransom of 40 bitcoins. In those cases the insurers refused because they assessed that the cyber attackers could only do minor damage on the systems threatened;
- In the Netherlands an insurer was subject to a so called ‘CEO hack’. Criminals, who had researched operational details of the insurer, posed as the CEO of a major customer and sought the transfer of money into a certain account.
It can be seen from even these few examples just how diverse the attacks may be and how great the challenge they pose. The report identifies some of the generally recognised best practices for cyber resilience, including:
- Governance: the engagement and commitment of the board and senior management and a proper cyber resilience framework. Senior management should include a person with access to the board who is responsible for developing and implementing the cyber resilience framework;
- Identification of business functions that need to be protected. This needs to be regularly reviewed. Connected entities are part of the risk; sharing data with an outsourcer is a particular source of risk;
- Protection: Control of both internal and external access in line with leading technical standards. Training on cyber risk is an essential part of the safety net;
- Detection: Performing continuous monitoring and security analytics is required to detect and mitigate cyber incidents;
- Incidence response planning, contingency planning and regular testing.

Not surprisingly, the report looks in particular at the role of supervisors and summarises the results of a 2015 survey of its members. Most respondents indicated that they either have already or intend to establish corporate governance requirements for cybersecurity. Many also expect that insurers will cope with cyber risk under broader regulatory and supervisory requirements (e.g. ERM and IT risk assessments). However, cyber resilience did not seem to be a regulatory priority for most respondents, not least because they have limitations on staff with responsibility for and expertise in cybersecurity monitoring and supervision. The proposed EU directive on Network Security may give more impetus – among other things it is designed to improve Member States’ cooperation on cybersecurity. International cooperation, and not just within the EU, is essential for dealing with globally operational cyber criminals. Furthermore, the cooperation needs to be at an all-industry level. Many of the criminals’ methods work in widely different sectors.

The US and the UK seem to be among the most advanced states in terms of recognising cyber threats and have put a wide number of measures in place in recent years. Some of the initiatives in the UK include:
- Cyber Essentials - a basic cybersecurity hygiene standard launched in 2014 to help organisations protect themselves against common cyber attacks;
- A National Cyber Crime Unit within the National Crime Agency;
- A Cyber Information sharing partnership to allow Government and industry to exchange information on cyber threats;
- A single reporting system for cyber-crime and a national emergency response team to improve coordination of cyber incidents. A new Cyber Incident Response scheme in Government Communication HQ to help organisations recover from a cyber attack;
- A network of Centres of Excellence for Cyber Security Research within UK universities to provide research and academic prowess.

The IAIS intends to follow up its paper with one or more application papers further exploring the topics covered. It has identified that guidance for supervisors would be useful on: 1) examination practices for insurers; and 2) risk management practices for insurers.

*Issues Paper on Cyber Risk to the Insurance Sector. August 2016. Available at