Airmic members say the “gold mine” of sensitive data they share with underwriters could present a security risk

Some risk managers and insurance buyers have noted concerns over the potential security risk of cyber insurers losing their sensitive data in a data breach – which could result if a cyber insurer suffered a cyber attack. 

According to insurance buyer body Airmic’s latest Pulse Survey report, published in January 2023, some of its members are concerned that the “gold mine” of sensitive data they share with insurers when purchasing cyber insurance could present a security risk to their businesses.

The concern is that, in the event of a data breach at a cyber insurer, its policyholders’ data could be compromised. 

Respondents to the survey reported that this form of security breach would be “ironic”, given that these businesses would have “shared such data to purchase cyber cover” in the first place.

Airmic surveyed its members for the report across December 2022.  

Encrypted insurance policies

Nelson further highlighted that less than 5% of UK businesses buy cyber insurance policies, “so whether they’re applying for that insurance or not, it’s not the leading factor of the majority of cyber attack that are happening to businesses today”.

Recent acts by cybercriminals infiltrating insurance firms include broker Aon being hit by a cyber attack in February 2022, commercial insurance provider CNA Hardy suffering a “sophisticated” ransomware attack in March 2021 and The Ardonagh Group being struck by a data breach in September 2020.

Axa’s Asia division experienced a ransomware attack in May 2021 and the CII apologised over a cyber breach in October 2022.

“Cyber insurers are regulated entities and in addition to treating customers fairly and GDPR regulations that we are subject to, we are very keenly aware of the risk and adopt our own measures to protect both prospective and current policyholders,” she added.

One of CFC’s next moves will be to provide policy documents in an encrypted format for clients, as well as providing advice on how to secure them in firm’s own systems – this will be announced imminently.

Graeme Trudgill, executive director of Biba, said that hoped CFC’s encryption initiative would bolster clients’ “confidence” in the insurance industry and the efforts it goes to protect data.

“It’s an Airmic member’s job to make sure that they’re looking at all the bases, but I’d like to think the insurance industry is one of the safer harbours where a client’s data would be kept,” he said. 

CFC offers reassurance

Speaking exclusively to Insurance Times, however, CFC’s cyber development leader Lindsey Nelson took a positive outlook on the findings.

“It’s encouraging whenever you see a prospective client be concerned about their security to the degree that they’re sceptical of providing key control information to their insurance provider,” she said.

Nelson noted that CFC tends to receive questions regarding cyber security from larger corporate risk managed clients, which “constitutes less than 5% of the UK economy”.

She continued: “[These clients] do often tend to require nondisclosure agreements around information provided fairly regularly and we happily oblige to sign those to give them that extra layer of confidence.

“It’s likely born out of the belief that cyber insurers are the targets of crime as a means to an end to get a hold of extortion limits and policy documentation and there’s a natural fear, of course, that if we’re storing proposal forms on file that outline all the security controls they do not have, it’s quite valuable for a threat actor to get access to.

“The most important point around that though, is as a cyber insurer there is nobody more motivated to protect their clients’ limits and data and improve their clients’ cyber hygiene – it’s in our mutual best interest to do so.”