PwC’s 2017 Global CEO survey reveals that the top three business threats to growth identified by the respondents in the insurance industry were: speed of technological change (mentioned by 83% of CEOs), cyber threats (81%) and availability of key skills (81%).
It is no surprise that cyber threats score so high: insurance companies collect significantly more consumer data than ever, including medical, credit card and other underwriting details, as their business models move to connecting more digitally with customers.
Costs of data breach
The reality that cyber criminals can leverage this data to continually perform identity-related fraudulent activities can lead to a loss of trust that would be extremely difficult to restore.
In its 2016 paper on cyber security, the International Association of Insurance Supervisors (IAIS) listed some recent examples in the insurance industry. Credit card and personally identifiable information (PII) of potentially 91 million policyholders, including health data, were compromised at a health insurer; a US state’s data server was compromised, exposing information relating to workers’ compensation claims (including 43,000 incident reports); and a French insurer discovered unauthorised access to accounting tools through routine penetration testing.
The Ponemon Institute reported in 2016 that costs of a data breach have reached US$4 million on average (across all industries), with a global average of $154 for each lost or stolen record. A perfect storm of factors, including increased data capacity and usage, digital transformation initiatives, and advancement of Big Data analytics for innovative consumer products increases the value of insurance records on the black market.
Stolen health records fetch even higher prices than credit card numbers – up to $251 each compared to 33 cents, according to a PwC Health Research Institute (HRI) report. On the flip side, HRI estimates that preventive cyber security measures cost about $8 per patient healthcare record.
Need to improve collaboration between public and private sectors
Industry-agnostic data privacy regulators with intent to protect consumer data have been in place for years. Industry-specific regulations around how to prepare for cyber threats are maturing, and insurance regulators are taking a fresh look at how to combat cyber threats and improve collaboration between private and public sectors.
An overview of what some of the regional regulators are doing is in Table 1.
The industry does not have to wait for the regulators to put requirements in place before it implements and enforces security measures. The costs of cyberattacks, both monetary and in terms of potential loss of trust, can be beyond recovery.
With insurance regulation for cyber security in its infancy and regulators looking to collaborate, the time is ripe for the insurance sector to proactively shape policy and influence regulations. Singapore and Japan, for example, have developed cross-information sharing programmes between private and public sectors through non-competing industry groups.
In regions where there is little guidance, insurers should push regulators to provide clarity on upcoming cyber regulation. In the meantime, it is worth taking a page out of other financial services and insurance regulation already in place, and how it has made strides to mitigate the risk of cyberattacks.
Cyber security a key pillar for business enablement
Ultimately, as trusted stewards of the consumers’ most sensitive data amidst fast-growing cyber threats, emphasis on cyber security is essential to preserving consumer trust and deserves a place alongside digital transformation and innovation priorities as a key pillar for business enablement.
Ms Saskia Bosch van Rosenthal and Mr Harry Wang are from PwC Hong Kong’s Insurance Risk & Regulation, and Cyber Security & Privacy teams respectively.