Even before cyber threats on the release of the film “The Interview” and a cyber attack on Sony’s PlayStation Network, consultants were cautioning insurance companies about cyber thieves – especially those that operate “on the dirty side of the Internet.”
“You have to treat cyber security as a whole business issue,” Kevvie Fowler, a partner with KPMG advisory services, told a KPMG conference in December.
Fowler said ensuring security is entrenched throughout various levels of a company will help deter the four basic kinds of cyber criminals:
Petty criminals, whose motive is financial gain and who succeed by finding vulnerabilities in the cyber system that let them gain access to information and then sell that data. This criminal could be a company insider and is usually operating alone.
Hacktivists/terrorists, who don’t care about financial gain, but hack in support of political causes and whose goal is to shut down a website. There are more than 100 hacktivist groups, many of which contract out hacking.
Organized crime, whose motive is purely financial. The latest is “ransom ware” in which a sum of money is paid in bitcoin or other online currency in exchange for allowing a website to continue normally. Some people, said Fowler, have paid a ransom and then been charged with funding criminal activity.
State-sponsored hackers, who are an elite group of cyber criminals, hired out by countries to carry out whatever is on the country’s agenda. The biggest name in state-sponsored hackers is the Elderwood Group. Companies pay these criminals for zero vulnerability.
Most important, said Fowler, is the need for companies to protect themselves against vulnerabilities they don’t even know exist. Many companies have acknowledged they can no longer prevent some hacking, but are putting more resources into trying to detect hacking more quickly.
He said public websites make up only about four per cent of what is actually on the web. The remainder is made up of underground websites that are easily accessible for those with special tools and know-how and constitute what he called “the dirty side of the Internet.” Over there, people freely advertise information that they have stolen from companies and contract out their services – whether it’s debit and credit card numbers, usernames and passwords or social insurance numbers.
Fowler suggested that life insurance companies, whose clients typically use this information in their dealings, embed cyber security in six key areas, including legal and compliance where privacy regulations dictate the kinds of information being stored, the time mandated to keep the information and stipulate that data be removed properly. Other areas in a company that need to be vigilant are leadership and governance, training and culture, information management risk, business continuity and operations and technology.
Fowler said some companies are selling cyber insurance to help mitigate some threats. In the event of a cyber breach, he said, companies need to have the right people responding and ensure their policies cover high-cost items like lawsuits and forensics.
The public also expects to be notified immediately of a breach, and companies must be nimble in setting up hotlines, ensuring proper due diligence both before and after a breach is detected and taking notes every step of the way in case of legal action, he said.
“Breaches are a cost of doing business, but you need to have a whole business plan [to deal with it],” he said.
Jeremy Rudin, the Superintendent of Financial Institutions, also commented on cyber risk as just one of a number of dangers lurking in the insurance world these days, along with technological and economic risks.
When it comes to cyber security, Rudin said companies not only have to self-assess risk, they need to manage the risk and make sure they are well capitalized so that “if their predictions go awry and they experience losses they can survive through plausible but severe losses and still serve their customers.” Rudin’s office has developed a self-assessment guide that can measure the scope of the risks they face.
While life insurance companies are less vulnerable to cyber risk than banks, for example, they can still suffer losses. “The inability to use a company website to reach customers or the loss of data integrity can very much damage the brand,” said Rudin.
But like Fowler, Rudin noted that the worst risk may not yet be known. “The thing that keeps me up at night is the idea that the possibility exists that we are missing something.”
Meanwhile, a panel of insurance experts told the conference that the industry is facing a number of other trends and challenges.
Sean Gilday, a vice president at Reinsurance Group of America Inc., said some key life insurance markets around the world have been facing flat premiums, noting his company has created a team specifically devoted to finding out how to increase life insurance purchases.
Gilday said U.S. life insurance premiums stood at $13 billion in 2013, a number that has remained constant over the last nine or 10 years, and is similar to a trend seen in the United Kingdom.
Part of the problem stems from the fact that the average age of the life insurance broker in the U.S. is 57 and not a lot of new people are getting into the business. Current brokers are not trying to attract young people, preferring to stay with high net worth clients in their own age bracket.
“This creates an underserved middle market,” said Gilday. He estimates 58 million households in the U.S. need life insurance. The latent demand in the U.S. for life insurance premiums is about $13 billion, and the same can be said for Japan. “There is a lot of potential out there – these are big markets with insurance needs – yet the solutions aren’t there yet.”
Another issue in the industry is that it relies heavily on biometric data like blood tests and doctors’ reports, said Gilday. He suggested the industry come up with a more efficient way of writing up applicants, possibly through technology.
More up-to-date technology may also hold the key to attracting younger people in Generation X and Y, said Louis Régimbal, partner in KPMG’s advisory services and Quebec insurance lead at KPMG.
Régimbal said the economic clout of these two cohorts is increasing, but the way in which they approach problem-solving and financial planning, as well as the way they want to interact with different companies, is a major switch from the past.
On top of that, the insurance industry isn’t coming up with any new life insurance products, said Gilday. He said right now his company is testing to see how it can get more people excited about buying life insurance. If that can be accomplished, the next step is determining whether they will actually buy using digital means.
“In the mobile market for life insurance, people are researching it, but there’s really no vehicle for them to buy once they’re interested.”