Life and health insurers need to consider how cyber risk could potentially impact them, say Visesh Gosrani, Mikhail Norshteyn and Karl Oliver
The cyber-risk environment has evolved rapidly, from the small-scale experimental computer worms of the late 20th century to the widespread, sophisticated and costly malware attacks of today. The most recent World Economic Forum Executive Opinion Survey identified cybersecurity failure as the number one concern for UK industry leaders this year.
A sizeable cyber insurance market has emerged in recent years. When considering insurance risk, the IFoA Cyber Risk Investigation Working Party has, up to this point, focused on the risks to general insurance firms as cyber insurance providers. However, although they do not write such policies, life and health insurers are not immune from cyber risk, and the working party has recently started a new workstream to explore cyber risks in these areas. The data loss events affecting PanLife American and Medibank are recent examples of how cyber risk can impact life insurers.
What are the risks to a life and health company?
To identify scenarios in the cyber-risk environment that may impact a life company, it’s helpful to consider three overarching groups of scenarios that may be expected to share similar characteristics:
- External scenarios – Cyber-risk events affecting national infrastructure that may impact customers’ living standards and could also disrupt insurers’ operations and ability to serve policyholders
- Industry-wide scenarios – Events occurring to other companies in the industry that could indirectly impact a firm
- Company scenarios – Events that directly impact insurers’ operations through disruption to systems and processes.
External scenarios are cyber-risk events in the wider environment, and are likely to involve disruption to national infrastructure such as communications, payment, power or healthcare systems. Such events are likely to be caused by nation states seeking to destabilise other countries, and may harm both insurance companies and their customers.
Temporary losses of power systems are likely to have the most widespread impact on the risk environment. However, where the affected infrastructure has physical controls that can override a cyber-induced shutdown, as power systems do, service can be brought back online within a relatively short period. Scenarios affecting payment or communications systems could take longer to resolve, but national resources are likely to be made available to contain and mitigate such an event within a few days.
For an insurance company, scenarios involving power or payment systems may result in operational events such as difficulty in paying policyholder benefits on time or allocating regular premiums to unit funds. Although several economic, demographic and operational risks may be realised together within a short period, such scenarios are unlikely to cause severe loss to a life company.
Industry-wide scenarios are those that happen to other companies within the industry. These could impact an insurer if the affected firm provides an outsourced activity such as fund management or policy administration.
The main risk through a third-party administrator is the loss of policyholder data, which could cause reputational damage. The immediate cost to the firm will depend on whether new suppliers need to be found at short notice and on how others in the industry are affected. Longer-tailed indirect costs will appear as lower new business volumes than would have been expected before the event.
The potential for claims from medical and healthcare providers should not be excluded from assessment: at least one death, in Düsseldorf, has been linked to a ransomware attack on a hospital.
There may also be impacts from cyber events at other life insurers if supervisory interest results in changes to regulation. Complying with new regulation may require investment in systems and teams to perform monitoring and controls, creating an expense risk in maintaining existing business.
Company scenarios occur within the firm itself, and may involve a data loss event or a systems outage that impacts customer service.
Data loss is unlikely to have much immediate impact on operations and service, but has great potential for reputational damage and customer harm. Alongside these, the loss of policyholder data would likely result in a regulatory fine, plus the cost of supporting affected policyholders.
Systems outage scenarios, in contrast, are unlikely to last long, so may not cause the same reputational damage, but they are likely to severely disrupt a firm's ability to serve customers through timely unit allocations and benefit payouts.
If such events take place repeatedly, or regulators find that the company had insufficient controls in place, the resulting reputational damage may well encourage customers to take their business to another provider.
Drivers of cyber scenarios and the risk environment
Systems outages are likely to be triggered by a distributed denial of service (DDoS) or ransomware attack, but may also result from a nation state targeting a country's financial system. A DDoS attack is likely to last only a brief period, as firms will bring in expertise to contain and mitigate the impact. Financial loss is likely to be limited, but customer confidence may be affected if the event lasts more than a few hours.
Ransomware attacks are likely to take more time to resolve. These are likely to see a live policyholder administration system, including policyholder data, encrypted and rendered inaccessible, leaving the firm to choose between paying for a decryption key and restoring from backups. Switching operations to alternative servers and restoring data from backups will take time, and bringing systems back online is likely to require some external support.
Ransomware is most likely to be deployed either through a phishing email carrying an attachment or web link targeting employees, or by exploiting known vulnerabilities in unpatched systems.
Where a phishing email is used to target a firm, it is unlikely that multiple firms will be hit simultaneously, so external resources can be brought in to restore systems from backups within a relatively short period. However, where a ransomware attack exploits an unpatched vulnerability, multiple firms are likely to be affected at the same time. WannaCry is one example: organisations' failure to patch their systems in a timely way (the relevant Windows patch had been available for around two months) gave attackers time to weaponise the vulnerability and deploy the ransomware at scale, affecting many companies over a short period.
If multiple firms are affected at the same time, external specialist resources may be hard to obtain in the short term, and will come at a higher cost for those that can secure support. Such support may be particularly necessary if backup systems have also been encrypted, as has been seen in other industries.
A firm's risk environment is shaped by its exposure to the different triggers of a successful attack. If other firms are also affected, reputational impacts may be small, but costs could be high for firms seeking rapid systems restoration. Those with in-house expertise are most likely to restart operations within a short period and therefore to suffer only a small loss of new business in the longer term.
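To make the dependencies described in this section concrete, the following added example (not part of the article, and not the working party's own model) is a toy annual frequency/severity simulation of the company-level ransomware scenario. It encodes three of the points above: an idiosyncratic phishing-triggered event and a correlated unpatched-vulnerability event have different restoration times; specialist support is scarcer and costlier when many firms are hit at once; and in-house expertise shortens the outage. Every rate, duration and cost figure, and every function name (`event_loss`, `poisson`, `simulate_year`, `run`), is an illustrative assumption chosen for this example, not a figure from the article.

```python
"""Toy frequency/severity model for a life insurer's ransomware scenario.

Added example, not from the article. Every parameter below is an
illustrative assumption (a placeholder an actuary would replace with
calibrated figures), chosen only to show how the dependencies described
in the text feed through to the annual loss distribution.
"""
import math
import random
import statistics

# --- Assumed parameters (illustrative, not calibrated) ---------------------
ANNUAL_RATE = {"phishing": 0.10, "unpatched": 0.03}      # events per year per trigger
BASE_RESTORE_DAYS = {"phishing": (2.0, 5.0), "unpatched": (4.0, 10.0)}  # uniform range of days
BACKUPS_ENCRYPTED_PROB = 0.25   # chance backups were encrypted too, doubling restoration time
IN_HOUSE_SPEEDUP = 0.6          # restoration-time multiplier when in-house expertise exists
DAILY_SERVICE_COST = 150_000    # late benefit payments, unit allocation rework, overtime per outage day
EXTERNAL_DAY_RATE = 40_000      # external incident-response specialists per day
CONTENTION_MULTIPLIER = 2.5     # uplift when many firms compete for the same specialists
NEW_BUSINESS_LOSS_PER_DAY = 50_000  # longer-tailed new business loss, only when the firm is singled out


def event_loss(trigger, in_house, base_days, backups_encrypted):
    """Deterministic severity for one event, given the random draws.

    Returns (outage_days, total_loss). The correlated 'unpatched' trigger
    carries the contention uplift on external help but no idiosyncratic
    reputational loss, because other firms are affected at the same time.
    """
    days = base_days
    if backups_encrypted:
        days *= 2.0
    if in_house:
        days *= IN_HOUSE_SPEEDUP
    service = DAILY_SERVICE_COST * days
    external = 0.0 if in_house else EXTERNAL_DAY_RATE * days
    if trigger == "unpatched" and not in_house:
        external *= CONTENTION_MULTIPLIER
    reputational = NEW_BUSINESS_LOSS_PER_DAY * days if trigger == "phishing" else 0.0
    return days, service + external + reputational


def poisson(lam, rng):
    """Knuth's method; adequate for the small annual rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_year(in_house, rng):
    """Draw the number of events per trigger, then a severity for each."""
    total = 0.0
    for trigger, rate in ANNUAL_RATE.items():
        lo, hi = BASE_RESTORE_DAYS[trigger]
        for _ in range(poisson(rate, rng)):
            base_days = rng.uniform(lo, hi)
            encrypted = rng.random() < BACKUPS_ENCRYPTED_PROB
            total += event_loss(trigger, in_house, base_days, encrypted)[1]
    return total


def run(in_house, n_years=20_000, seed=1):
    """Monte Carlo over n_years of annual losses; returns the mean and the 99.5th percentile."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(in_house, rng) for _ in range(n_years))
    return {
        "mean": statistics.fmean(losses),
        "p99_5": losses[math.ceil(0.995 * n_years) - 1],
    }


if __name__ == "__main__":
    for in_house in (False, True):
        r = run(in_house)
        print(f"in-house expertise={in_house}: mean={r['mean']:,.0f}  "
              f"99.5th percentile={r['p99_5']:,.0f}")
```

Because the random draws do not depend on the `in_house` flag, both runs see the same sequence of events, so the comparison isolates the effect of in-house expertise on the mean and on the 99.5th percentile (the capital-setting quantile). Swapping the uniform restoration-time distribution for a heavier-tailed one, or raising the correlated trigger's rate, is the natural next step when exploring how much of the tail comes from the industry-wide scenario.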
Our workstream is looking to explore these topics further, with areas of focus including:
- Identification of potential cyber scenarios that could impact insurers
- Researching these scenarios and potential developments
- Quantitative assessment of the scenarios’ outcomes and frequency
- Considerations for risk management and capital setting.
We are looking for further volunteers to help with our research – if you would be interested in joining our forum, please get in touch at bit.ly/IFoA_CRI
The views expressed are those of the authors and not those of their employers or of the IFoA.
Visesh Gosrani is head of actuarial at the Medical Protection Society and chair of the IFoA Cyber Risk Working Party
Mikhail Norshteyn is an actuary at Gallagher Re dealing with emerging and cyber risks
Karl Oliver is a member of the IFoA Cyber Risk Investigation Working Party and an actuary for Lloyds Banking Group