Total disconnect between Fortune 500 companies and what insurers think they need to provide

As web-first rapidly becomes the norm for today’s businesses, a new bogeyman is lurking: cybersecurity. With IT systems no longer an adjunct but the central pillar of most organisations, cyberattacks have come to represent an existential threat. Also in this article, we'll see how carriers make their profits and the multiple factors these depend on.

Cybersecurity

No less serious is the risk to the vast repositories of customer data that today’s businesses sit on top of, which have grown far faster than security architectures can keep pace with.

According to PwC’s 19th annual CEO survey, 61% of CEOs are concerned about cybersecurity, with everything from phishing to denial-of-service attacks on the rise ...

For the insurance industry, cybersecurity represents both an opportunity and a threat: an opportunity in that enterprises are crying out for coverage against the cyber risks they face, a threat because carriers of course hold large amounts of customer data and are hence targets for cyber-attacks and hacks themselves.

A theme across this content series, and one we explored specifically in our feature on Marketing and Customer-Centricity, has been the imperative for insurers to better engage with customers’ needs – before customers start taking those needs elsewhere. On the commercial side, cyber risk is therefore an enticing opportunity for insurers, as their clients’ businesses are only going to get more online, not less, and security risks abound (especially with anything IoT-related).

However, cyber events are particularly challenging to insure against due firstly to their manifold knock-on effects, which range from barely quantifiable reputational damage to share-price collapse, and secondly to the lack of historical data. Substantial focus will therefore be required for insurers to fully realise the cyber-coverage opportunity.

"Insurers just don’t have the capability or the skillset to produce things that customers want to buy, particularly with so-called cyber products that mostly don’t cover the specific risks that the clients are concerned about. There’s a total disconnect there between the reality of business for all the Fortune 500 companies in the world and what insurers think they’re going to provide them by way of services and products."

Steve Tunstall, CEO & Co-Founder at Inzsure.com

Cybersecurity is a sprawling area, so this part of our series is primarily aimed at cybersecurity as threat, as opposed to cybersecurity as opportunity: what are carriers doing to protect their customers’ data and to mitigate against the threat of data breaches?

We start with a look at carriers' attitudes to cyber threats like data breach, followed by a look at how – and how confidently – they are addressing these. To finish off, we cast an eye over the longer-term evolution of cybersecurity as carriers pressing forwards with digital transformation seek, at the same time, to future-proof their systems ...

The following stats and perspectives are drawn from our Global Trend Map; a breakdown of all respondents, and details of our methodology, are included in the full report, which you can download for free at any time.

 

1) Assessing the Scale of the Cyber Threat

69% of carriers are 'very concerned' about information security breaches ...

While (re)insurers are open to the same sorts of attack as other large enterprises, the event we choose to focus on here is data breach. There is nothing that strikes so much at the core of the insurance business, which has been a data business since the very beginning; at the same time, (re)insurers – as professional data stewards – ought to be relatively well placed to defend themselves.

The harm that could come from a cyber breach at a carrier is multifaceted: stolen data could cause customers direct commercial damage, whereas tampered-with data could render carriers’ risk models worthless, affecting both them and their customers further down the line. It is no surprise then to see the overwhelming majority of (re)insurers registering concern with information security breaches (94%).

Cyber-attacks affect other players in the insurance ecosystem too, and there are plenty of weak points in the ‘water cycle’ of customer and company data; so we also encounter a majority concern among the other ecosystem players that contributed to our survey.

Our broader research suggests that data breaches are particularly high up the agenda in Asia-Pacific... We reached out to David Piesse, Chairman of IIS Ambassadors and Ambassador Asia Pacific at the International Insurance Society (IIS), based in Hong Kong, to understand more about what is happening in the region:

'Digitisation is leapfrogging in Asia and so are industrial parks with smart devices and machine learning running the processing. Because of global supply-chain issues, this makes the need to mitigate and protect data integrity an urgency even without regulation where best practice risk management must be implemented.'

Piesse continues: ‘Asia Pacific is only starting to look at regulations for data breach as opposed to data privacy laws, which have been around for some time. This leads us into the debate of the difference between privacy (encryption) and data integrity, which are two different arms of the cybersecurity triangle that must be embedded in all cyber risk management approaches.

The time from compromise to discovery in Asia is now on average 580 days according to statistics. Therefore, we must assume compromise of data across time, as there have been no notification laws and hence no catalyst to mitigate. This is why there is concern in Asia Pacific. The take up of cyber insurance in Asia is fairly low as compared with USA and UK for this reason.’

Read the dedicated profile on Asia-Pacific by downloading the full Trend Map here ...

 

2) Filling the Breach

Our respondents’ data-breach concerns are matched by high confidence that data security is adequate, and this probably has a lot to do with mitigation planning across their organisations.

As we see from our graphic, three quarters of carriers are confident in their security, and we find a similar level of confidence among respondents from the broader ecosystem. While these figures are encouraging, a quarter of respondents lacking confidence on this important measure is still cause for concern when we consider the number of customers that any one company can have. Even just a few percentage points of the ecosystem still represents rich pickings for online criminals and massive disruption for thousands, and potentially millions, of customers.

"Insurers have been very early adapters of computer technology. Given this maturity one might think they should be able to control technology security on all layers, but the opposite is usually the case."

Oliver Lauer, Head of Architecture / Head of IT Innovation at Zurich

When we turn to look at concrete mitigation plans, we observe that these are relatively commonplace ...

However, 11% of carriers having no plan is concerning as per our sentiment above, given the absolute amount of business interruption this potentially represents (6% answered ‘don’t know’).

Another factor to bear in mind is the potential fallibility of mitigation plans, so the proportion of carriers who are actually safe from security breaches will certainly be less than the 83% quoted above. We should also remember that data breach is just one type of cyber-attack and consequently just one aspect of (re)insurers’ overall cybersecurity strategy, which needs to be comprehensive.

"Insurers are very late in the game of opening their systems for the digital age and most of their software systems are 25 years old and older, and are 'secure by nature' due to their legacy walled garden architectures. And now they are modernising their systems at the speed of light and their security architectures and capabilities can hardly follow."

Oliver Lauer, Head of Architecture / Head of IT Innovation at Zurich

We expect carriers – and all businesses for that matter – to continue ramping up their cyber defences over the coming months and years, especially given recent high-profile incidents like the Wanna Decryptor attack in May 2017, which hit nearly 100 countries around the world.

When assessing the full spectrum of cybersecurity risks, it can be difficult to know where to start and what to prioritise, so we asked financial-services influencer Michael Quindazzi, Business Development Leader and Management Consultant at PwC, for five key questions every insurer should be asking themselves, from the board down:

— Who are our adversaries, what are their targets, and what would be the impact of an attack? —

— What are the most important assets we need to protect? —

— How effective are our processes, assignment of responsibilities, and systems safeguards? —

— Are we integrating threat intelligence and assessments into proactive cyber-defence programmes? —

— Are we assessing vulnerabilities against emerging threat vectors? —

As with building on unstable foundations, the risks from getting one’s approach to security wrong at the outset only get bigger the further down the road you go. We spoke to Oliver Lauer, Head of Architecture / Head of IT Innovation at Zurich, who frames the security conundrum in the following terms:

‘Insurers are implementing digital cores with full connectivity to everything, Omni- and Multi-Channel and Open API Architectures, and usually they have no real idea what these new implementations mean for their security systems – they are still handling security like they did in the past with their ‘closed shop’ approaches.

This will lead – in my eyes – to very dangerous threats in the future. And even if they have recognised these risks and have the money to invest, it’s very difficult to hire the necessary resources. Everybody is looking for security experts at the moment …’

What is clear is that today’s digital platforms introduce a fundamentally new security dynamic requiring a different way of thinking from security professionals at carriers.

3) Longer-Term Evolution

58% of carriers have updated their security strategies to reflect the rise of new digital platforms...

As we can see from the chart below, the majority of Insurers & Reinsurers have made adjustments to their security strategy to reflect the rise of digital platforms, and we get a similar figure when we consider our other ecosystem players.

For now though, this is a small majority (58%), less than the 83% who had mitigation plans for data breaches. As the industry gets more savvy about cybersecurity as a whole, we expect this figure to rise sharply.

"With customer data-protection and privacy rules becoming more scrutinised across Europe and the globe, it is not a surprise that the Chief Information Security Officer is taking such a prevalent position within enterprises. The role will need to ensure appropriate usage of customer data and overcome digital privacy and security issues."

Sabine VanderLinden, Managing Director at Startupbootcamp

Investment Management

We continue with a look at Investment Management, and next week we'll publish the post on Regulation and Product Development.

How carriers make their profits depends on multiple factors, and there is any number of sweet spots to be found for different market conditions (hard and soft, for instance) and interest rates. It is possible (though not automatically desirable) for carriers to operate without positive combined ratios, deriving their profits exclusively from the interest accrued on their investment pools. So, despite being an 'invisible' function little beloved of industry pundits and would-be disruptors, investment management remains every bit as much the lifeblood of insurance as underwriting.

Two of the principal challenges facing investment managers within carriers are low interest rates and regulation. Low interest rates have persisted on a global scale since the financial crash of 2007/8 and show no immediate signs of abating. This naturally diminishes the yields carriers can make on their investments, which have historically been a palliative or even an incentive for marginal underwriting.

As though low yields weren’t bad enough, carriers’ scope to invest is also constrained by regulation, which may subject them to strict capital requirements (as is the case with the EU’s Solvency II, effective since the start of 2016) or otherwise limit the range of products they can invest in.

"Solvency II regulation is good, but in the kind of environment where we have low interest rates, it makes it much harder for insurers to find opportunities to make money."

Spiros Margaris, VC (InsureScan.net, moneymeets & kapilendo)

This investment downturn is largely confirmed by our statistics: we asked carriers whether their organisations’ investment returns had risen or fallen year on year, and 78% globally indicated that these had indeed fallen.

Investment returns have fallen year on year at 78% of carriers ...

With the money under their management throwing off less profit, carriers worldwide are being forced to shore up their primary business – underwriting – and to generate their profit there instead, through the good old combined ratio and in spite of generally soft market conditions.

This is not to say that investment management ever stops being an important part of the insurance life-cycle; it is just that it is subject to periodic shifts. The pivot we are currently witnessing, away from investments and back towards the core business, is reflected in the universally low priority we saw allocated to Investment Management in our post on Insurer Priorities, with carriers around the world ranking it lowest out of our shortlist of 15 priorities.

Similarly, we saw in our earlier post on Services, Investments and Job Roles that Investment Management was the only service area in which carriers were on balance reducing their investment.

Today’s low interest rates certainly make life harder for investment managers, but the show must go on – and there is no reason why carriers can’t make the best of a bad situation by pursuing investment strategies tailored to the present adverse environment. One approach is portfolio diversification, which, as we see in the doughnut above, is being pursued by around three quarters of carriers worldwide.

Regulation cropped up as a key challenge for investment managers, and we further explore this topic, the scope of which certainly extends far beyond investments alone, in our next post. And, of course, if you'd like to read ahead straight away, you can access the entirety of the Trend Map by downloading it free of charge.

 

 

Alexander Cherry, Head of Research & Content at Insurance Nexus.

alexander.cherry@insurancenexus.com