Deloitte advises insurance on how to tackle cyber risks

As our world becomes increasingly digital, cyber attacks are the next big threat and challenge globally.

According to a statistical survey by Purplesec, cybercrime is up 600% in the US as a direct reaction to the COVID-19 pandemic. To put that in perspective, in 2018, there were 80,000 cyber-attacks per day, or over 30 million attacks per year in the US alone. 

This phenomenon not only poses a huge threat to businesses, it also causes a quandary for insurance companies too, which are responsible for underwriting the damage caused by an unexpected cybercrime.

While traditional insurance companies have resisted the move to digital servicing compared to other industries, their transition period has been accelerated because of the pandemic. A new report by Deloitte looks at how senior insurance executives are managing the numbers of claims relating to cyber-attacks, and solutions for dealing with them both in-house and through new claims.

Taking a holistic view of the industry threats, identifying and managing online security is the first challenge. Deloitte pinpoints areas of vulnerability companies face, ranging from consumer protection, absent exclusions (where cyber risks trigger claims on policies) and silent cyber risks. 

Firms must also look within their own structures to determine whether they are cyber secure, or whether their own procedures are leaving them open to online attacks. 

One of the challenges of preventing cyber-attacks is that there is not a one-size-fits-all solution. Every firm has different structures and operational methods and, therefore, different areas of vulnerability. The report suggests forming a team of experts to manage and troubleshoot digital platforms. 

Claiming for a cyber attack

Identifying and managing silent cyber risk through claims in the insurance industry requires expertise. Many firms requesting claims will not even be aware of some of their breaches, the report points out. Indeed, managers and supervisors must “identify, quantify and manage their cyber exposures in line with regulatory expectations.”

The report also looks at performing analytical tests to track data risks and manage tail risks. Firms are advised they will have to demonstrate effective handling of sensitive data and security systems. 

However, because the frequency and development of new cyber-attacks are so regular, insurance firms may have to insist on bottom-up assessments of a company’s firewalls and digital platforms, to assess how responsible they themselves might be for an attack and what potential payouts would be under-written in the event of a damaging breach.

Demand for new products

Furthermore, the tradition of reinsuring is cheaper than buying into a new policy. But, as the goalposts of cyber warfare are constantly changing, digital security is an area that requires regular assessments. 

Deloitte advises that firms carefully examine the types of damage that cyber-risks pose to insurance customers and how best to tackle those pay-outs in the event of a breach. 

Because of the vast number of cyber attacks that happen, the different levels of damage they cause, and their complexity, it’s essential that insurance firms form a strong criterion within which compensation will be paid or rejected. 

The solution

Deloitte refers to a management strategy, devised by its experts, that insurance companies can adopt. Called the Deloitte Cyber Incident Response and Breach Management System, it comprises a team of experts ready to be deployed in the case of a security breach that requires repair.  

The study also points to companies carrying out regular ‘stress tests’ to monitor the strength of their existing security features and expose new vulnerabilities.