Outsourcing insurance in the time of COVID-19: The cyber risk dilemma

Abstract

With the shift towards teleworking/working from home in recent years and accelerated by the COVID-19 pandemic, insurers are finding themselves relying on outsourcing as a way to cope with changes in business models and requirements. This has augmented the risk of cyberattacks and is ultimately considered a high risk for insurers of any size, not only because it subjects insurers to litigation concerning data breaches, but also because of the harm to the insurer’s reputation when an attack happens, which is further magnified by resultant loss of system use. Clients already have the perception that insurers are too invasive when it comes to personal data (especially in the medical and life insurance fields), so they are blamed for not handling cyber risk meticulously regardless of whether it is the outsourcing provider’s fault. Risk managers in insurance companies need to apply enterprise risk management (ERM) principles and identify cyber risks across the entire process to manage these risks. The paper proposes some potential policy solutions that would help insurers mitigate outsourcing cyber risks. Further research is required in this field, specifically into what strategies insurers are implementing to deal with the risks posed by the outsourcing provider’s cyber risk and which of those strategies have fared better than others thus far.