Cyber risk in insurance: making disclosures proportional and informative

Digital transformation, the rise of Artificial Intelligence (AI), and the growth of platform-based businesses have elevated cyber risk on insurers' Board agendas. Insurers globally recognise cyber-crime as a key risk.

Unlike other risks, such as climate change, which will materialise in the medium to long term, cyber incidents are already having a significant adverse impact on some insurers. Despite this, cyber risk is less frequently mentioned in annual reports compared to climate change. We explore the importance of cyber risk disclosures and offer you practical tips on maintaining proportional and specific disclosures without increasing volume.

Cyber risk is now a key risk to insurers

Insurers today face the dual challenge of paying out for cyber-related claims while also being targets of cyber-attacks.

The financial industry, including insurance, ranked second in spending on tackling data breaches in 2024 [1]. Increased online sales and AI usage have heightened insurers' exposure to cyber risk. Even large insurers with robust digital security can be vulnerable. For instance, Prudential's 2023 annual report revealed that the widely reported MOVEit data breach affected over two million customers and employees. Cyber-attacks can lead to various adverse events for insurers, including business interruption, loss of sensitive data, potential loss of funds intended to cover insurance liabilities, reputational damage, and potential regulatory fines.

Meanwhile, cyber risk more broadly also presents underwriting opportunities, but exploiting these opportunities is not without its challenges. Despite mitigation efforts, claim frequency keeps rising. In the first half of 2023, cyber claims notifications increased, with third-party data breaches and ransomware being the main culprits [2].

Managing routine claims is part of insurers' core capabilities, but certain types of cyber claims pose new challenges. One such challenge is forecasting catastrophe cyber risk and assessing loss exposure, which involves significant uncertainty. Beazley's 2023 annual report mentioned the issuance of the first publicly traded cyber risk catastrophe bond, providing indemnity against all perils exceeding a $300 million catastrophe event. They forecast that supply chain attacks, and phishing followed by malware attacks, can cause cyber catastrophe events with loss ratios of around 250% and 200%, respectively [3].

Insurers are underreporting their cyber risk strategy

The mismatch between the high level of cyber risk and how it is disclosed in annual reports might cause concerns around insurers' resilience. In 2023, UK LSE-listed insurers mentioned cyber risk an average of 31 times in their reports, compared to 258 mentions for climate risk. This is despite many insurers considering climate risk as either immaterial or a medium to long-term issue, while cyber risk could result in adverse events today and, like climate risk, also requires a long-term strategic impact assessment.

[Chart: mentions of cyber risk and climate change in UK LSE-listed insurers' annual reports, 2019 compared with 2023]

A greater focus on climate change is understandable and directly linked to evolving climate regulation. The chart above shows a significant increase in mentions of climate change in 2023 compared to 2019, reflecting the introduction of FCA requirements for climate-related disclosures. While UK-listed entities must disclose climate risks in their annual reports, there is no formal requirement for cyber risk disclosures.

Providing more proportionate disclosures that reflect the level of cyber risk will increase confidence in insurers' resilience. It will also ease the transition to new regulation should cyber disclosures become mandatory, following other countries' examples.

Seven tips for successful cyber risk reporting

The FRC Lab's Digital Security Risk Disclosure report highlights good practices in cyber risk disclosures under four pillars: strategy, governance, cyber risk management, and cyber incident reporting. Whilst all UK LSE-listed insurers confirm the importance of cyber risk throughout their annual reports, the level of detail provided varies significantly when assessed across these four pillars. The chart below shows that while many listed insurers provide details on cyber risk management and governance, the majority lack detailed disclosures on cyber risk strategy.

[Chart: level of detail in UK LSE-listed insurers' cyber risk disclosures across the four pillars of strategy, governance, cyber risk management and cyber incident reporting]

This analysis demonstrates that, to provide more useful information about cyber risk and give sufficient confidence to the users of annual reports, the majority of insurers will need to explain their cyber risk strategy better. In their annual reports, insurers should explain how their cyber risk strategy is customised to their unique risk profile, which includes their IT systems, data, and processes. Examples of aspects insurers could consider when disclosing their cyber risk strategy include:

  1. Underwriting significant cyber risk
    If cyber risk is a major part of an insurer's portfolio, it could be useful to provide information about the cyber risk pricing strategy and any preventive measures to mitigate the risk (from educating policyholders and providing advice on improving cybersecurity to actual technical services such as penetration testing). Disclosing the potential impact on the Solvency II position in the event of a 1-in-200-year cyber catastrophe could provide a better understanding of the insurer's capital resilience to such a scenario.
  2. Risk from third-party services
    For insurers with significant third-party operations, especially in high-risk industries like healthcare, it is crucial to explain their risk mitigation strategies, given the higher exposure to data breaches.
  3. Insurance contract sales channels
    Insurers that rely heavily on online platforms for sales should address the potential impact of cyber-attacks on their underwriting capabilities and data security.
  4. Increased use of AI automation
    Insurers should consider the dual impact of AI and automation. On one hand, it makes it easier for cyber criminals to create and launch a cyber-attack. On the other hand, it can help to identify threats faster and automate the response to cyber-attacks.
  5. Streamlining risk reporting
    Insurers face the challenge of enhancing cyber risk disclosures amidst already extensive reports on other principal risks. Often, annual reports are lengthy due to unnecessary boilerplate text, and cyber risk disclosures frequently lack specific details. Tailoring these disclosures to the company's unique circumstances can streamline reports and reduce clutter.
  6. Integrate cyber risk with other principal risks
    Insurers should consider integrating cyber risk with other emerging risks, such as climate change and geopolitical uncertainties. This can help boards develop a comprehensive yet proportional approach to risk management, and it prevents overwhelming readers with excessive information.
  7. Balance detail with security
    Another concern is the risk of over-disclosure, which could increase vulnerability to cyber-attacks. Insurers should balance the need for detailed disclosures with security considerations. Aligning with best practices and focusing on proactive strategies and informative risk management can bridge gaps and enhance cyber risk awareness.

Conclusion

The escalating cyber risk landscape demands that insurers adopt more comprehensive and proportional disclosure practices. By aligning cyber risk reporting with the actual level of threat, insurers can enhance transparency and build confidence among stakeholders. Effective cyber risk disclosures should be tailored to each insurer's unique risk profile, integrating strategies for underwriting, third-party services, sales channels, AI automation, and risk reporting. Balancing detail with security considerations is crucial to avoid over-disclosure that could inadvertently increase vulnerability. As cyber threats continue to evolve, insurers must remain vigilant and proactive in their risk management and reporting practices, ensuring they are well-prepared to navigate the complexities of the digital age.


Sources

[1] IBM Report: Escalating Data Breach Disruption Pushes Costs to New Highs

[2] GB Cyber Insurance Market Update H1 2023 - WTW

[3] Cyber Realistic Disaster Scenario Development and Modelling