Are insurers protected?
Lately, I have been engaging in discussions with my colleagues and insurance clients around Cyber Insurance. Our conversations typically revolve around various aspects, such as how insurers can safeguard themselves, how we may assist small & medium-sized businesses (SMBs) and public organizations in managing their cyber risks through insurance, and how to address the major challenges faced by those seeking insurance and those involved in brokering or underwriting it.
The cyber insurance market has no doubt been turbulent for the past two years, but for me, the most exciting conversation is the optimistic one: how can we work with and enable insurance organizations to capture a part of an expanding market opportunity? How can insurance organizations provide a more holistic package to their current clients and onboard new clients?
In this multi-part blog series, I will delve into the following areas:
● The cyber insurance market is primed, yet is your insurance company protected?
● Capitalizing on opportunities in Canada's evolving cyber insurance market
There are abundant opportunities for cyber insurance providers. However, before venturing into this realm, it is essential for insurers to ensure their own cyber defenses are prepared for what awaits.
To shed light on the risk landscape impacting insurance providers and its potential, I have interviewed my colleague Jonathan Weir, who is a Partner at KPMG's insurance sector, for a comprehensive blog. It is crucial to begin by discussing why managing cyber risks is equally important for insurance providers as it is for their customers.
You have probably heard the golden rule for air travel safety: before helping anyone else, you need to secure your own oxygen mask. This also applies to insurance providers, who are ideal targets for ransomware, data theft, fraud, and other cyber risks and must therefore focus on their own cyber posture to serve their customers with confidence.
There are numerous factors contributing to why insurers are considered “big fish” among cyber attackers. The industry is home to large-scale companies with cash-heavy assets and a wealth of sensitive client information that can fetch a high price among bad actors. Failure to protect those assets or keep personally identifiable information out of the wrong hands can lead to financial repercussions, regulatory penalties, and reputational damages.
It is not just insurance companies themselves in the crosshairs, either. Every provider operates within a network of stakeholders, service providers, and insurance partners who can also become targets for cybercriminals who may find their way into that ecosystem via the insurance company's doors.
It does not help that the cyber threat landscape surrounding the insurance community is evolving. Today, "bad actors" can be anyone from nation-state-sponsored attackers and well-funded criminal enterprises to lone wolves using increasingly sophisticated tools from the dark web. There is no "one face" of cybercrime but rather a fast-growing community of individuals arming themselves with innovative tools and looking for the right targets.
Of course, cyber risk is not a new concept for insurers. One thing we know for certain from our conversations with clients in the insurance sector is that the risks mentioned above are regular topics within their boardrooms.
The regulatory angle
Operating in Canada means aligning with several cyber security rules and regulations. Whether it is the Office of the Superintendent of Financial Institutions’ (OSFI) most recent Guideline B-13 – Technology and Cyber Risk Management, the country’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), or the Intelligence-led Cyber Resilience Testing (I-CRT), these regulations are evolving to become more prescriptive and punitive as the scale and scope of cyber incidents increase. Keeping cyber risk management a priority is key not only to preventing financial and reputational ruin but also to avoiding the pitfalls of falling on the wrong side of regulators.
It is a more complex situation for international companies, especially those seeking growth in emerging markets. These global markets have their own cyber risk management rules and regulations to consider, some of which may be less prescriptive than domestic requirements. Navigating this multi-regulatory environment means knowing what is expected, recognizing where you stand, and deciding how far to go from a cyber risk management perspective.
Remember, cyber is no different than any other type of risk, so doing the bare minimum (or less) will put the organization on regulators’ radars and make it low-hanging fruit for threat actors.
The Artificial Intelligence (AI) factor
Talk of AI is inescapable in any industry. As insurance companies look to incorporate generative AI tools to enhance their client experience and fine-tune their operations, they must consider the heightened cybersecurity risks this technology holds.
As generative AI enters the insurance space, insurers need to consider:
● How are they managing that risk from a cyber perspective and ensuring that confidential information is being protected?
● Are they considering privacy regulation as it relates to how they use confidential information?
● Are they validating the accuracy and integrity of the data and information their AI tools will leverage?
As with all data security objectives, the goal is to balance confidentiality, integrity, and availability (aka “CIA”), and dealing with AI is no different.
Ready to act
We are not here to make insurers lose sleep. Rather, this blog is a preamble to our larger discussion: Canadian insurance companies can look forward to plenty of opportunities within the cyber insurance market, provided they also manage their internal cyber risks. That begins with taking a step back and looking at cyber risk management that addresses the threat landscape, regulatory landscape, and evolving business landscape. If your program is driven to meet your risk appetite across those three areas, the business may be in a good position to seize those opportunities ahead.
In the blogs ahead, we will look beyond the cyber risk landscape to discuss why now is the time for Canadian insurers to seize the cyber insurance market and what that looks like moving forward. Stay tuned!