Cyber Insurance, Insurance Companies & Solvency II by Nikos Georgopoulos, MBA, CyRM
Data breaches and cyber security have struck new fear into the hearts of every insurance company because of the nature of the information they handle. As we have seen in the recent data breaches, the way a company handles a crisis plays an important role in whether the CEO and senior management (CIO, COO, CΜΟ, CRO, CFO etc.) will keep their position.
Access to Cyberspace has created new business opportunities for insurance companies because it offers the opportunity to communicate effectively with the insurance brokers, the final customer, it simplifies operating procedures and gives access to new market segments with lower cost products and services.
This in fact is the most important advantage of using cyberspace. However, cybercriminals who are also active in this space, aim to steal data and confidential information held by insurance companies such as: financial reports, staff payroll, customer data bases, passwords, trade secrets (e.g. cooperation contracts with health providers), marketing plans, plans to create new products and services, cooperation agreements with insurance brokers, health data of the insured clients, pension plans data, credit card numbers and bank accounts, customer property data and customer personal finance data.
They can also be created problems in the smooth functioning and availability of systems of the insurance company through cyber-attacks which are leading to distributed denial-of-service (DDoS) of the customer service systems and regulators, as well as, deterioration in the quality of the data systems of the insurance company.
The usage of cyberspace creates significant operational risk to insurance companies which could be expressed as a percentage of gross written premiums. Cyber Risks need additional reserves according to Solvency II.
With the implementation of the new European legislation on the protection of personal data, companies that will not manage to maintain the security of their data will be at risk of fines, for violation of the rules, of up to 2% of the company's annual global revenue.
A Ponemon Institute Research project in 2014 found that the violation of systems and leakage of confidential information are two of the top major incidents affecting the reputation of the company in combination with bad customer service and the environmental protection policy that follows.
Factors affecting corporate reputation
Source: The Aftermath of a data breach Consumer Sentiment. Ponemon Institute Report
Cyber Insurance constitutes an effective tool to address the financial impacts of data breaches. Cyber Insurance provides financial compensations, access to groups of specialists (lawyers, communicators, forensic investigators, etc.) which have addressed numerous similar cases and can, in cooperation with the Incident Response & Systems Violation Management Team of the company to effectively manage incidents of violation to limit the financial impacts and protect the reputation of the company.
Cases of violation of systems and data loss are recorded daily on Insurance Companies. Indicatively, we had incidents in companies such as:
“The reality is that if CEOs don’t take cyber security threats seriously, their organizations won’t either… They must marshal their entire leadership team – technical and line management, and human resources – to make people, principles, and IT systems work together.” said David Upton, American Standard Companies Professor of Operations Management at Saïd Business School, University of Oxford.
The two key differentiators between cybersecurity and other enterprise risks are diversity and interdependence. In any case, cybersecurity is a C-suite and senior leader issue, and must be incorporated into strategic planning with risk mitigation explicitly addressed as well as routinely reviewed and updated.
It is necessary the CEO to have the full picture about the information collected and compiled by his company, his responsibilities to incidents of system violations for its systems and infrastructure, as well as, an educated Incident Response & Systems Violation Management Team in disposal, which will cooperate with the insurance company, that provides cyber insurance, to effectively manage the violation incidents, limit the financial impact and protect the reputation of the company.
Nikos Georgopoulos
Cyber Risks Advisor