As business turns web-first, we have a new bogeyman...

As web-first rapidly becomes the norm for today’s businesses, a new bogeyman is lurking: cybersecurity. With IT systems no longer an adjunct but the central pillar of most organisations, cyberattacks have come to represent an existential threat. No less serious is the risk to the vast repositories of customer data that today’s businesses sit on top of, which have grown far faster than security architectures can keep pace with.

According to PwC’s 19th annual CEO survey, 61% of CEOs are concerned about cybersecurity, with everything from phishing to denial-of-service attacks on the rise ...

For the insurance industry, cybersecurity represents both an opportunity and a threat: an opportunity in that enterprises are crying out for coverage against the cyber risks they face, a threat because carriers of course hold large amounts of customer data and are hence targets for cyber-attacks and hacks themselves.

A theme across this content series, and one we explored specifically in our feature on Marketing and Customer-Centricity, has been the imperative for insurers to better engage with customers’ needs – before customers start taking those needs elsewhere. On the commercial side, cyber risk is therefore an enticing opportunity for insurers, as their clients’ businesses are only going to get more online, not less, and security risks abound (especially with anything IoT-related).

However, cyber events are particularly challenging to insure against due firstly to their manifold knock-on effects, which range from barely quantifiable reputational damage to share-price collapse, and secondly to the lack of historical data. Substantial focus will therefore be required for insurers to fully realise the cyber-coverage opportunity.

"Insurers just don’t have the capability or the skillset to produce things that customers want to buy, particularly with so-called cyber products that mostly don’t cover the specific risks that the clients are concerned about. There’s a total disconnect there between the reality of business for all the Fortune 500 companies in the world and what insurers think they’re going to provide them by way of services and products."

Steve Tunstall, CEO & Co-Founder at

Cybersecurity is a sprawling area, so this part of our series is primarily aimed at cybersecurity as threat, as opposed to cybersecurity as opportunity: what are carriers doing to protect their customers’ data and to mitigate the threat of data breaches?

We start with a look at carriers' attitudes to cyber threats like data breach, followed by a look at how – and how confidently – they are addressing these. To finish off, we cast an eye over the longer-term evolution of cybersecurity as carriers pressing forwards with digital transformation seek, at the same time, to future-proof their systems ...

The following stats and perspectives are drawn from our Global Trend Map; a breakdown of all respondents, and details of our methodology, are included in the full report, which you can download for free at any time.


1) Assessing the Scale of the Cyber Threat

69% of carriers are 'very concerned' about information security breaches ...

While (re)insurers are open to the same sorts of attack as other large enterprises, the event we choose to focus on here is data breach. There is nothing that strikes so much at the core of the insurance business, which has been a data business since the very beginning; at the same time, (re)insurers – as professional data stewards – ought to be relatively well placed to defend themselves.

The harm that could come from a cyber breach at a carrier is multifaceted: stolen data could cause customers direct commercial damage, whereas tampered-with data could render carriers’ risk models worthless, affecting both them and their customers further down the line. It is no surprise then to see the overwhelming majority of (re)insurers registering concern with information security breaches (94%).

Cyber-attacks affect other players in the insurance ecosystem too, and there are plenty of weak points in the ‘water cycle’ of customer and company data; so we also encounter a majority concern among the other ecosystem players that contributed to our survey.

Our broader research suggests that data breaches are particularly high up the agenda in Asia-Pacific... We reached out to David Piesse, Chairman of IIS Ambassadors and Ambassador Asia Pacific at the International Insurance Society (IIS), based in Hong Kong, to understand more about what is happening in the region:

'Digitisation is leapfrogging in Asia and so are industrial parks with smart devices and machine learning running the processing. Because of global supply-chain issues, this makes the need to mitigate and protect data integrity an urgency even without regulation where best practice risk management must be implemented.'

Piesse continues: ‘Asia Pacific is only starting to look at regulations for data breach as opposed to data privacy laws, which have been around for some time. This leads us into the debate of the difference between privacy (encryption) and data integrity, which are two different arms of the cybersecurity triangle that must be embedded in all cyber risk management approaches.

The time from compromise to discovery in Asia is now on average 580 days according to statistics. Therefore, we must assume compromise of data across time, as there have been no notification laws and hence no catalyst to mitigate. This is why there is concern in Asia Pacific. The take up of cyber insurance in Asia is fairly low as compared with USA and UK for this reason.’


2) Filling the Breach

Our respondents’ data-breach concerns are matched by high confidence that data security is adequate, and this probably has a lot to do with mitigation planning across their organisations.

As we see from our graphic, three quarters of carriers are confident in their security, and we find a similar level of confidence among respondents from the broader ecosystem. While these figures are encouraging, a quarter of respondents lacking confidence on this important measure is still cause for concern when we consider the number of customers that any one company can have. Even just a few percentage points of the ecosystem still represents rich pickings for online criminals and massive disruption for thousands, and potentially millions, of customers.

"Insurers have been very early adapters of computer technology. Given this maturity one might think they should be able to control technology security on all layers, but the opposite is usually the case."

Oliver Lauer, Head of Architecture / Head of IT Innovation at Zurich

When we turn to look at concrete mitigation plans, we observe that these are relatively commonplace ...

However, 11% of carriers having no plan is concerning as per our sentiment above, given the absolute amount of business interruption this potentially represents (6% answered ‘don’t know’).

Another factor to bear in mind is the potential fallibility of mitigation plans, so the proportion of carriers who are actually safe from security breaches will certainly be less than the 83% quoted above. We should also remember that data breach is just one type of cyber-attack and consequently just one aspect of (re)insurers’ overall cybersecurity strategy, which needs to be comprehensive.

"Insurers are very late in the game of opening their systems for the digital age and most of their software systems are 25 years old and older, and are 'secure by nature' due to their legacy walled garden architectures. And now they are modernising their systems at the speed of light and their security architectures and capabilities can hardly follow."

Oliver Lauer, Head of Architecture / Head of IT Innovation at Zurich

We expect carriers – and all businesses for that matter – to continue ramping up their cyber defences over the coming months and years, especially given recent high-profile incidents like the Wanna Decryptor attack in May 2017, which hit nearly 100 countries around the world.

When assessing the full spectrum of cybersecurity risks, it can be difficult to know where to start and what to prioritise, so we asked financial-services influencer Michael Quindazzi, Business Development Leader and Management Consultant at PwC, for five key questions every insurer should be asking themselves, from the board down:

— Who are our adversaries, what are their targets, and what would be the impact of an attack? —

— What are the most important assets we need to protect? —

— How effective are our processes, assignment of responsibilities, and systems safeguards? —

— Are we integrating threat intelligence and assessments into proactive cyber-defence programmes? —

— Are we assessing vulnerabilities against emerging threat vectors? —

As with building on unstable foundations, the risks from getting one’s approach to security wrong at the outset only get bigger the further down the road you go. We spoke to Oliver Lauer, Head of Architecture / Head of IT Innovation at Zurich, who frames the security conundrum in the following terms:

‘Insurers are implementing digital cores with full connectivity to everything, Omni- and Multi-Channel and Open API Architectures, and usually they have no real idea what these new implementations mean for their security systems – they are still handling security like they did in the past with their ‘closed shop’ approaches.

This will lead – in my eyes – to very dangerous threats in the future. And even if they have recognised these risks and have the money to invest, it’s very difficult to hire the necessary resources. Everybody is looking for security experts at the moment …’

What is clear is that today’s digital platforms introduce a fundamentally new security dynamic requiring a different way of thinking from security professionals at carriers.


3) Longer-Term Evolution

58% of carriers have updated their security strategies to reflect the rise of new digital platforms...

As we can see from the chart below, the majority of Insurers & Reinsurers have made adjustments to their security strategy to reflect the rise of digital platforms, and we get a similar figure when we consider our other ecosystem players.

For now though, this is a small majority (58%), less than the 83% who had mitigation plans for data breaches. As the industry gets more savvy about cybersecurity as a whole, we expect this figure to rise sharply.

"With customer data-protection and privacy rules becoming more scrutinised across Europe and the globe, it is not a surprise that the Chief Information Security Officer is taking such a prevalent position within enterprises. The role will need to ensure appropriate usage of customer data and overcome digital privacy and security issues."

Sabine VanderLinden, Managing Director at Startupbootcamp

And that's it for 2017! The #InsuranceMap Content Series continues in 2018, where we will kick things back off again with a look at the Investment Management side of the insurance business.

In the meantime, we would like to wish you a Merry Christmas and a Happy New Year from everyone at Insurance Nexus. And, if you're short of a few Christmas presents, why not download a full copy of the Trend Map for some festive reading? ;)

For any inquiries relating to the Insurance Nexus Global Trend Map, this on-going content series or next year's edition, please contact:

Alexander Cherry, Head of Research & Content at Insurance Nexus
