Cyber Security: The challenge for insurers and practices alike

Finding perspective

The ease with which we transfer data on behalf of our clients can be quite astounding. Whether we are entering data into client relationship management (CRM) software or financial planning and forecasting systems, sending out an email promotion, or constructing something relatively old-fashioned like a mail merge, we either take responsibility or outsource the responsibility for keeping client data secret. The big platforms that get used as a one-stop CRM and financial planning application are possibly some of the most remarkable in scale. Everything from file notes through to complete details of financial holdings and personal aspirations is held in one place. "Minutiae" doesn't even really cut it: this is everything a scammer would need to know.

This isn't a criticism of these platforms either. For the most part it is probably better for there to be only one source of information to keep under control, but the expectation and normalisation of the way in which data is transferred is quite extraordinary. The issue for advisers isn't even one of legal liability: even if a data breach at one of these platforms isn't your responsibility, it will still reflect poorly on you. In addition, the more common fear should quite possibly lie with poor password protection rather than with devious offshore hackers; the responsibility is held squarely in your office.

As recently as 2020, one estimate placed the global cost of cyber-crime at USD 1 trillion (Awiszus et al., 2023), which is clearly a vast amount of money. Possibly more troubling was the fact that the estimates had grown from USD 600 billion as recently as 2018. This extraordinary increase cannot be absorbed by insurance companies alone, at least not without premiums growing to a rate that becomes simply unaffordable.

The biggest issue to deal with is how non-conventional this challenge is from the insurance provider's perspective. For most insurable events there is a huge amount of data available to apply in determining premiums appropriate to the risk. Given the relative recency of cyber-crime and its highly dynamic and enigmatic nature, it is an unusual challenge for actuaries to deal with. It is for this reason that it seems highly likely that a large burden will be placed on the insured to maintain a certain self-administered standard of cyber protection before insurance will even be offered. When you combine all the factors that impact insurance premiums with the regulatory cost and the potential for brand damage and legal action, it is clearly an instance where investment in prevention is highly valuable. On brand damage and trust alone, avoiding a data breach altogether is clearly the aim for everyone.