Cyber security plays a critical role in shaping the global risk landscape for businesses.
According to the World Economic Forum Global Risks Report 2020, cyber attacks are the second biggest concern for businesses over the next 10 years. This is especially true for insurance undertakings. They are attractive targets for cyber criminals as they hold substantial amounts of confidential policyholder information (eg name, birthdate, address, driving licence details, and social security and health information) and are undergoing rapid digital transformation, which may leave them more vulnerable. So how can insurers protect themselves?
This question was discussed at this year’s Digital Insurance Innovation Day. Under the motto ‘Magic of Innovation’ (#MOI2020), more than 1,000 guests and 50 speakers from 47 countries got together virtually to discuss the latest trends and future developments in the insurance space. Attendees included a cross-practice team, covering tech, data and regulatory, from Freshfields, which shared insights from a legal perspective on how insurers should approach cyber risk management.
What is cyber risk?
According to its Cyber Lexicon, the Financial Stability Board (FSB) defines:
- cyber risk as the combination of the probability of cyber incidents occurring and their impact; and
- a cyber incident as any event (whether resulting from malicious activity or not) that jeopardises the cyber security of an information system or the information processed, stored or transmitted by that system, or that violates security policies and procedures. So a cyber incident may be anything from a hacker attack to an infrastructure failure.
The European Insurance and Occupational Pensions Authority (EIOPA) used the FSB’s definition of cyber risk in its 2019 consultation paper on guidelines on information and communication technology (ICT) security and governance.
Why should insurers care?
First, addressing cyber risk is a fundamental business need. The consequences of a cyber incident may range from stolen funds, damaged systems and the material costs of business interruption to regulatory fines and compensatory payments to affected persons, not to mention the reputational damage. According to a 2019 EIOPA report, the most frequent cyber incidents affecting insurers are phishing mail, malware infections (ransomware), data exfiltration and denial-of-service attacks. (Read more about these threats in our blog.)
Second, insurance undertakings must comply with the legal requirements and meet supervisory expectations with respect to their cyber resilience, both in the areas of data protection and insurance regulation. Various national insurance authorities – such as Austria’s Financial Market Authority in its 2018 guidelines on IT security – have published guidance on how they expect cyber risk to be addressed.
How can insurers protect their business and be compliant?
We recommend that insurance undertakings tackle cyber issues proactively – adopting a ‘wait and see’ approach is simply not appropriate. Here are some basic steps to take:
- Conduct a cyber risk assessment. Know how and where your business may be vulnerable, what impact a cyber incident would have and how well prepared your business already is. A thorough understanding should form the basis of any decision-making.
- Take it to the board. Cyber risk should be a top priority for the board (as already argued in this blog) so management should set up and approve a cyber-risk strategy as part of the overall business strategy.
- Integrate cyber issues in governance and risk management. Cyber issues should form part of an insurance undertaking’s overall governance and risk management systems. This includes – both regularly and on an ad hoc basis – identifying, measuring and classifying cyber risks, with the focus not only on ICT risks but also legal risks, people-related risks, etc. Specific measures should be implemented on that basis, in accordance with the required protection level.
- Write a cyber policy. Establish written rules on anything related to cyber, covering processes, technology and people. These should specify, among other things, how information, data and systems are protected, including logical security (eg access rights), physical security (eg protection against power failure) and ICT operational security (eg up-to-date operating systems, applications, etc), as well as general communication rules.
- Establish an incident management plan. Think about what would have to be done if a cyber incident occurs and how to minimise its impact. This thinking should form the basis of your incident management and disaster recovery plans. You should also evaluate your resilience and assess how it could be improved. Read more about how to prepare for a cyber attack in our blog.
- Create a cyber culture. Cyber policies and procedures must not only exist on paper but also be communicated to – and followed by – staff. This will probably involve some staff training. Creating a culture of cyber awareness and confidence is vital.
For further insight, check out our set of resources on cyber risk.
Ensuring that your information systems meet all the legal requirements and supervisory expectations will take time, effort and cost. But with regulators increasingly scrutinising insurers, this is still worth the pain – and may help prevent cyber incidents arising along with their resulting negative operational, legal and reputational impacts.
Outlook
The EIOPA has identified cyber resilience as a priority of its supervisory strategy, as set out in its Supervisory Convergence Plan for 2020. It has also issued a note on cyber underwriting, which means an additional consideration for cyber insurers beyond what’s expected of insurers in general.
Further, at the end of 2019, the European Commission launched a three-month consultation on a digital operational resilience framework for the entire financial services sector, with the aim of publishing legislative proposals in the third quarter of 2020.
In the area of data protection, requirements and expectations have also become tougher in recent years and will continue to intensify. It will be interesting to see how this space further develops.
If you would like to discuss any of the issues raised in this blog, don’t hesitate to get in touch.