Insurers contend with cyberthreats, growing cyber insurance demand

In an era when digital threats grow more sophisticated by the day, understanding the landscape of cyberthreats and regulatory compliance has never been more critical for the insurance industry. With the scope and number of cybersecurity attacks increasing in recent years, insurers find themselves navigating how best to safeguard their own businesses while managing the growing demand for cyber insurance.

Insurers face increasing threats, underscored by a recent significant cyberattack that locked up systems and compromised sensitive data at a major U.S. insurer. The company reportedly paid a $40 million ransom to regain control of its systems in one of the largest known ransomware payouts to date.

Across economic sectors, 28% of middle market executives who responded to the RSM US Middle Market Business Index survey in the first quarter of 2024 said their company experienced a data breach in the last year, up from 20% in the 2023 survey. This highlights the critical importance of managing regulatory compliance and protecting data effectively.

The demand for cyber insurance is also on the rise, with the market expected to reach $25 billion in premiums by 2025, based on an expected average annual increase of 25% to 30%, according to S&P Global Ratings. 

RSM’s 2024 MMBI cybersecurity survey found that 76% of respondents currently carry a cyber insurance policy to protect against internet-based risks, increasing from 68% in last year’s report. Eighty-three percent of larger middle market companies reported having an active policy, up from 70% last year, while use in smaller middle market companies lagged slightly, rising to 72% from 67% in 2023.

Insurance companies have tightened qualifications and coverage restrictions in response to the rising costs associated with increasingly severe breaches. For instance, some cyber insurance policies may exclude coverage for incidents that result from unpatched systems if the patches were available for a certain period before the breach. Additionally, the insurer could impose stricter requirements for security practices, such as mandatory regular security audits, as a condition for maintaining coverage. As cyberattacks become more sophisticated, insurers are not only revising their policies but also facing the dual challenge of enhancing their own cyber defenses and navigating complex regulatory landscapes to stay ahead of evolving cyber risks.

Bolstering protection

Essential regulations such as the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law in the United States and the General Data Protection Regulation in Europe both set strict standards for data protection and breach response protocols. These laws underscore the necessity of rigorous compliance measures to avoid hefty fines by government regulators. States such as South Carolina, Ohio, Michigan and Mississippi have enacted legislation based on the NAIC’s law. Other states such as New York and California have established regulations specific to financial services companies. 

Central to navigating cybersecurity challenges is having a multifaceted strategy that prioritizes technological solutions and a cultural focus on heightened security awareness. A successful cybersecurity strategy includes risk assessments, clear data policies, staff training and the adoption of advanced protective technologies, such as encryption and multifactor authentication. A cybersecurity risk assessment, for example, is key to understanding where an organization’s security stands compared to others’, identifying vulnerabilities and determining issues that may stem from people, processes or technology. By understanding security standings and pinpointing vulnerabilities, companies can prioritize their responses to the most critical issues and allocate resources effectively.

Facing the task of managing extensive data while adhering to state, federal and international regulations, the insurance industry must foster a culture of security awareness and continuous learning. Investing in robust infrastructure—such as advanced cybersecurity systems, including secure cloud storage, comprehensive data encryption and robust network security measures—and championing ongoing improvements are key to navigating the digital landscape's complexities.

Continuous improvements involve regular updates to these systems, adoption of the latest security technologies and ongoing staff training to ensure all employees are equipped to recognize and respond to cybersecurity threats effectively. This proactive approach helps insurance companies manage large volumes of sensitive data securely and comply with complex regulatory requirements.

As the future of cyber regulatory compliance and its impact on data governance unfolds, the industry's capacity to adapt to emerging threats and regulatory requirements will be crucial. Insurers that prioritize cybersecurity and data management will not only comply with legal requirements but also differentiate themselves in a competitive market by building trust with policyholders. Such proactive and comprehensive strategies are not merely optional—they are essential for securing a trustworthy and stable future in the insurance industry.