Insurers have significantly expanded their governance, oversight and investments in cybersecurity, a new Moody’s report finds

By James Langton

Cybersecurity is becoming an increasingly significant credit risk for North American insurers, according to a new report from Moody's Investors Service Inc.

The credit-rating agency has surveyed a range of North American insurers — including life and health insurers, property and casualty insurers, and reinsurers — and found that cybersecurity now ranks among the top board-level priorities at these firms.

Moody's reports that insurers have significantly expanded their governance, oversight and investments in cybersecurity, with more frequent and formalized reporting to executive management and their boards.

"Among survey respondents, essentially all maintain incident response plans for multiple cyber intrusion scenarios, and most insurers test their vulnerability to these annually," says Alan Murray, senior vice president with Moody's, in a statement.

These incident plans set down the insurer's responses to minimize the impact of a successful attack, the report finds, noting that insurers utilize various approaches to testing their preparedness, with most using exercises that aim to identify possible weaknesses by attempting to breach systems.

"Cyberattacks can have serious tangible consequences for insurers, exposing them to legal actions, regulatory scrutiny, fines and other expenses," Murray says. "In addition, an insurer's reputation is at stake."

Moody's has also found that cyber-focused staffing is up by almost 30% over the past three years and that insurers have increased their use of outsourcing. Approximately two-thirds of survey participants report an increase in outsourcing, and, on average, participants employ 10 cybersecurity vendors across a variety of services and tools.

The credit-rating agency cautions that relying on outside vendors has potential risks: "For instance, a vendor may not provide flexibility and responsiveness in all scenarios, and/or products and services of vendors may not align with an insurer's particular business models."