Thursday 10 August 2023 - Thought Leadership

Cyber Insurance Landscape - Trends by Industry

This is an English translation of the article "Cyber Insurance Landscape – Trends nach Branchen" published by Handelsblatt. You can read the original version in German here.

Cyber Insurance Landscape 2022

Cyber-attacks can and do affect all types of organisations, regardless of industry, jurisdiction, size, etc. and have held top positions in all risk rankings for enterprises for years. This is in line with the tremendous increase in the frequency and severity of attacks in recent years. The types of attacks and their consequences differ, of course, as do the vulnerabilities and exposures that each organisation has.

So, when assessing cyber-maturity and specific risks along industry lines, significant conclusions can be drawn, and this is exactly what the Tokio Marine HCC Cyber team did in their Cyber Insurance Landscape report (written by TMHCC’s Cyber Security Leader, Isaac Guasch), released last year.

The 2022 report focused its analysis on three of the top 10 industries in terms of attack frequency and severity: manufacturing, financial institutions (FIs), and transport and logistics companies. These industries accounted for 72% of Tokio Marine HCC's cyber business volume at the end of 2021. The report looked at exposures and "readiness" in these industries, our underwriting approach, and addressed concrete and relevant damage scenarios.

As cyber risk is also notable for how quickly it changes over time, we have revisited TMHCC’s report a year later to see how it has stood the test of time, and have observed the following 2023 vs 2022 comparisons:

For companies in the manufacturing industry, business interruption was identified as the greatest exposure. This was because the increasing digitalisation and connectivity resulting from Industry 4.0 is sometimes too much for the frequently outdated systems in the production area, which cannot keep up with the constantly changing cyber-attack surfaces. At the same time, manufacturers were facing the complexity involved in managing updates and patches.

The maturity level of the industry was generally rated as low. The biggest weakness was governance of information security, due to many different production sites and limited early-detection ability across the various IT, OT and IoT environments.

Looking at today’s maturity level, we can conclude that even though the sector is still less mature than some others (e.g. FIs), there has been a notable evolution, especially in multinational enterprises or niche sectors (e.g. aircraft manufacturers or some F&B producers). We can even say that the security standards and best practices of some manufacturers are level with those of FIs. However, for many, there is still a long way to go.

Specific underwriting questions within this industry should centre around whether there is a global governance structure in place and implemented at a local level, segmentation across IT, OT and IoT networks, capabilities in place to detect anomalies in OT environments (EDR, SIEM, SCADA, etc.), vulnerability and patch management, and business continuity plans and how they are tested.

Moving on to the next industry on the list: financial institutions. Typically, FIs process large amounts of sensitive data and have high levels of M&A activity, involving extensive migrations of complex information systems and databases. Both contribute to a high potential risk. Both business interruptions and data breaches are considered equally critical in the banking sector. For other companies in the financial sector, however, the greatest exposure lies particularly in data protection breaches. The ever-increasing digitalisation of supply chains and ecosystems, new services and technologies from FinTech companies such as open banking, blockchain and cryptocurrencies are constantly creating additional new cyber risks for this data-intensive sector.

The financial industry has a relatively high level of maturity in terms of cyber security, as the industry is highly regulated. The high monitoring and response capabilities of the banking sector in particular set it apart from other segments of the financial industry. Of course, these capabilities are also present in insurance companies, but often with lower percentages of IT security staff. The discrepancy within the financial sector is even higher at private equity firms, FinTechs and other smaller firms.

2023 has brought with it a wave of new regulations to be applied to the financial sector, such as DORA (Digital Operational Resilience Act of the EU), NIS2 (Network and Information Security directive of the EU) as well as European generative AI regulation. Therefore, FIs may face new challenges when adapting their security measures to meet these new requirements.

Topics that should be highlighted in the underwriting of FIs, therefore, are data segmentation, third-party management, M&A procedures, monitoring and response capabilities and PCI (Payment Card Industry) compliance.

The third and final industry outlined in the report is transport and logistics. This industry is divided into aviation, rail and transit, and shipping and roads. The sector is highly regulated, especially in areas where people are involved. The main risk in this sector is business interruption. However, as large amounts of data are processed, data breaches are also an issue. Like the manufacturing industry, this sector has a high proportion of outdated systems and faces difficulties when updating them. In addition, many semi-manual processes add dependence on the "human factor" as a further risk. Since the safety of people is paramount, training and the security of information systems also need to be adapted accordingly.

In the 2022 report, the maturity level of this sector was in general assessed as medium to high.

Today, looking at the latest trends outlined in the recently published ENISA Threat Landscape report on the transport sector[1], the threat actors with the biggest impact are state-sponsored actors, cybercriminals and hacktivists. The report notes that cybercriminals are responsible for most attacks on the transport sector (54%), and they target all subsectors. It also mentions that ransomware, a prominent threat in this sector in 2022, has steadily been rising across the board in 2023, with an increasing number of attacks motivated by non-monetary gains.

In underwriting then, attention should still be paid to segmentation between IT/OT networks, data segmentation, vulnerability and patch management, staff training and business continuity scenarios.

To conclude, when looking at 2022’s report we can see that most of the findings still stand, but there have been significant developments in each of the three sectors. Nevertheless, with the ever-evolving cyber landscape, enterprises, their risk managers and IT security teams must stay vigilant and up to date with the latest trends so as to avoid attacks and mitigate their cyber risks effectively.

The Tokio Marine HCC whitepaper is available below and the original version of this article in German 


[1] https://www.enisa.europa.eu/publications/enisa-transport-threat-landscape

 

 

Maximilian Löw

Senior Underwriter - Cyber