Read the latest edition of AIR and MEIR as an Interactive e-book


May 2020

Beyond Compliance: Being proactive on cyber security to build consumer trust

Source: Asia Insurance Review | Apr 2017

Ms Saskia Bosch van Rosenthal and Mr Harry Wang of PwC Hong Kong discuss the increasing costs of cyber breaches, why preventive cyber security measures is smart for business and the need for insurers to refresh their approach to cyber security policy and regulations.    
  • The costs of a data breach in 2016 have reached US$4 million on average (across all industries), with a global average of $154 for each lost or stolen record – as per the Ponemon Institute; and
  • Now is the right time for the insurance sector to proactively work with regulators to shape cyber security policy and regulations.
PwC’s 2017 Global CEO survey reveals that the top three business threats to growth identified by the respondents in the insurance industry were: speed of technological change (mentioned by 83% of CEOs), cyber threats (81%) and availability of key skills (81%). 
   It is not a surprise cyber threat scores so high: insurance companies collect significantly more consumer data than ever as their business models move to connecting more digitally with customers - information like medical, credit card, and other underwriting details. 
Costs of data breach
The reality that cyber criminals can leverage this data to continually perform identity-related fraudulent activities can lead to a loss of trust that would be extremely difficult to restore.
   In its 2016 paper on cyber security, the International Association of Insurance Supervisors (IAIS) listed some recent examples in the insurance industry. Credit card and personally identifiable information (PII) of potentially 91 million policyholders, including health data, were compromised at a health insurer; a US state’s data server was compromised, exposing information to workers compensation claim (including 43,000 incident reports) and a French insurer discovered unauthorised access to accounting tools from routine penetration testing.  
   The Ponemon Institute reported in 2016 that costs of a data breach have reached US$4 million on average (across all industries), with a global average of $154 for each lost or stolen record. A perfect storm of factors, including increased data capacity and usage, digital transformation initiatives, and advancement of Big Data analytics for innovative consumer products increases the value of insurance records on the black market. 
   Stolen health records fetch even higher prices than credit card numbers – up to $251 each compared to 33 cents, according to a PwC Health Research Institute (HRI) report. On the flip side, HRI estimates that preventive cybe security measures cost about $8 per patient healthcare record.
Need to improve collaboration between public and private sectors
Industry-agnostic data privacy regulators with intent to protect consumer data have been in place for years. Industry-specific regulations around how to prepare for cyber threats are maturing, and insurance regulators are taking a fresh look at how to combat cyber threats and improve collaboration between private and public sectors. 
   An overview of what some of the regional regulators are doing is in Table 1.
Regulatory Highlights in the various region
   The industry does not have to wait for the regulators to put requirements in place before they implement and enforce security measures. The costs (both in terms of potential loss of trust and monetary) of cyberattacks can be beyond recovery. 
   With insurance regulation for cyber security in its infancy and regulators looking to collaborate, the time is ripe for the insurance sector to proactively shape policy and influence regulations. Singapore and Japan, for example, have developed cross-information sharing programmes between private and public sectors through non-competing industry groups. 
   In regions where there is little guidance, insurers should push regulators to provide clarity of upcoming cyber regulation. In the meantime, it is worth taking a page out of other financial services and insurance regulation already in place on how they have taken strides to mitigate risk of cyberattacks. 
Cyber security a key pillar for business enablement
Ultimately, as trusted stewards of the consumers’ most sensitive data amidst fast-growing cyber threats, emphasis on cyber security is essential to preserving consumer trust and deserves a place alongside digital transformation and innovation priorities as a key pillar for business enablement.
Ms Saskia Bosch van Rosenthal and Mr Harry Wang are from PwC Hong Kong’s Insurance Risk & Regulation, and Cyber Security & Privacy teams respectively.
| Print | Share

Note that your comment may be edited or removed in the future, and that your comment may appear alongside the original article on websites other than this one.


Recent Comments

There are no comments submitted yet. Do you have an interesting opinion? Then be the first to post a comment.