Study Says Insurers at Risk for Losses from Cyber-Security Breaches
Sloppy cyber-security practices in the online distribution of policies and services may leave insurers, their business partners and their customers vulnerable to massive losses. In addition, insurers are potentially attractive targets for online assaults, according to a new study by Conning & Company.
The study, “Cyber-Security for Insurers: The Virtual Fortress?” explores a number of reasons why insurers may be at risk. Insurers manage substantial liquid financial assets for themselves and their customers and they may be convenient targets for aggrieved hackers who perceive ill treatment. The industry’s heavy reliance “legacy” computer systems, combined with relatively recent ventures into Internet-based processes, and growing the interconnectivity with a large number of business partners may also leave insurers exposed. Finally, the study says changes associated with mergers and acquisitions and recent “downsizing” also increase vulnerability to security breaches.
The author of the study, Clint Harris, a Conning vice president, said insurers must address online security risks because of the enormous costs associated not only with cyber breaches but also the resulting damage to a company’s reputation. “The trends are ominous for all industries,” Harris said. “Losses associated with cyber-security breaches, as we defined in the study, are projected to increase to $46.3 billion by 2005, more than twice the amount as in 2000.”
The Conning study asserts that the huge cost projection likely underestimates potential losses because “soft costs,” such as degradation of brand image, are not included. Among other things, insurers control highly sensitive personal information, such as medical records. If such information were stolen and publicized the potential devastation to a person’s life would be difficult to assess and amend monetarily. Plus, Harris said, the trust lost between an insurer and its customers and business partners could not be replaced by a financial settlement.
The proliferation of rules, regulations and standards regarding cyber-security is more likely to escalate than abate in the near future, according to the study. It observed that too great a focus on the security-related privacy provisions of the Gramm-Leach-Bliley Act of 1999 (GLBA) or the Health Insurance Portability and Accountability Act of 1996 (HIPAA) may actually result in reduced security. Such external standards can be ambiguous and subject to change, the study found, and they may actually distract the company from its true internal cyber-security objectives.
“In conducting this study, we discovered that some insurers may be in denial about their cyber-security risks,” said Harris. “Their argument is “We haven’t had a major incident so there’s no reason to panic. We spent millions on Y2K, perhaps unnecessarily, and we have no intention of repeating that.’ Insurers need to recognize that systems vulnerability is a very different exposure than the Y2K bug. First, there are large losses resulting from breaches already. Second, unlike Y2K, there is no end date for the exposure. Finally, cyber-security exposures are projected to escalate due to insurers’ increased reliance on more open technologies, growth and maturity of cyber-security attackers, and structural changes that continue to change the industry.”
The Conning Study, “Cyber-Security for Insurers: The Virtual Fortress?” is available from Conning & Company for $575 by calling toll free (888) 707-1177 or (860) 520-1245. A complete listing of all Conning Strategic Studies can also be found by visiting the company’s Web site at www.conning.com.
- Florida Citizens’ Brass Tired of ‘Clickbait’ News on its Hurricane Claims Denials
- Zurich Insurance Group Sets New Targets After Meeting Existing Ones a Year Early
- Gunmaker Sig Sauer Must Pay $11 Million Over Pistol That Fired Accidentally
- New York Insurance Broker Caught in $38 Million Nursing Home Tax Fraud Scheme