2021 Outlook: What Insurance CFOs Need to Know About Cybersecurity

Insurance companies are resilient entities—some have been around for more than a century. Oftentimes, insurance companies are the first to assist the public in times of recovery, such as after a devastating natural disaster. These expectations did not change when COVID-19 began to spread throughout the world—the public expected insurance companies to operate as normal.

However, the additional pressure to maintain operations in this environment may have created cybersecurity vulnerabilities and additional risks to insurance companies. That’s because insurance companies—like most of their professional peers—had to establish a remote working policy for employees within days of local COVID-19 cases being revealed. While insurance companies and others focused on minimizing the risks of business interruption, there was an uptick in cybersecurity breaches as attackers took advantage of the increase in network entry points from individuals accessing their work from home, often in an environment that did not have the same security safeguards as that of the office. More than six months into the pandemic, it’s clear that remote working is likely here to stay for a significant portion of insurers’ workforces. As a result, cybersecurity experts expect the number of cyberattacks to continue to rise in 2021 and beyond.

For insurance companies, cybersecurity must be a top priority. Here are three considerations to minimize risks and maximize opportunities as you plan your cybersecurity strategy in 2021:



Given the enhanced cybersecurity vulnerabilities associated with remote working, it’s prudent for insurance companies to reassess their potential risks using a comprehensive and systematic approach. Taking proactive steps now will not only support the integrity of internal operating systems; it may also be a stipulation for continuing to work with external partners. For example, insurers that offer cyber policies are scrutinizing gaps in customers’ cybersecurity practices—potentially leading to premium increases or denial of coverage if the practices are found to be unsatisfactory.

Where to get started? BDO Digital can perform a cybersecurity assessment to help you evaluate and remediate your cybersecurity risks. By addressing evolving cybersecurity risks head on, the assessment helps your company adapt to the ever-changing environment and remain as resilient as it has always been.



Due to changing consumer preferences, and even more so due to recent social distancing requirements, more insurance companies are underwriting their policies over the internet and collecting sensitive personal information during the process. This increases the risk of cybersecurity attacks. The collection and storage of this personal information are subject to recently passed data privacy laws, under which hefty fines and other penalties can be levied for noncompliance. While various states and countries are implementing their own data privacy laws, the European Union’s General Data Protection Regulation (GDPR), enacted in 2018, and the California Consumer Privacy Act (CCPA), launched in 2020, are considered to be the most pervasive pieces of data privacy legislation due to the sheer number of companies they impact.

While insurance companies undoubtedly made efforts to comply with GDPR and CCPA prior to their respective enactments, it’s prudent to confirm that the personal data derived from new policies since the start of the COVID-19 pandemic has been collected and stored in a manner compliant with local, state, federal and global regulations.

Access insights from BDO Digital’s Governance, Risk & Compliance group for help with navigating the evolving data privacy regulatory landscape.



Above, we’ve looked at the steps to preempt cyberattacks in your organization, a critical initiative that is especially important as more employees than ever before are working from home. As the insurance industry has specialized skills in pricing risk, we should also look at this trend from another angle—how the increased awareness and incidence of cybersecurity attacks mean there is renewed interest in policies that will help organizations reduce their monetary burden if an attack occurs.

For companies that are considering providing cybersecurity insurance protection, or that offered policies even before the pandemic made remote working the norm in many industries, there are pros and cons to consider. On the positive side, there has been strong demand for these policies since the start of the pandemic, offering insurance companies a potentially lucrative new revenue source as their business customers reassess their insurance needs in light of adverse economic conditions. On the other hand, the rising number of cybersecurity attacks and the increased sophistication of these attacks mean that claims from these incidents have been more frequent and severe. In fact, even before the effects of the pandemic were well known, U.S. insurers were hiking cyber insurance rates by 25% in response to a surge in claims, according to a Reuters article from January 2020. One would have to consider whether it is profitable to underwrite these products.

Given the potential demand for cyber insurance, it’s worth exploring options to offer this product in the marketplace. There are likely more effective methods of managing the risk than simply raising premiums and reducing coverage limits. Should you require or incentivize your customers to perform an annual cybersecurity assessment? Should you require or incentivize your customers to have proper controls in place as recommended by a cybersecurity assessment? These are just a couple of questions you should be considering before starting or continuing to provide cybersecurity insurance coverage to your customers.

Overall, 2020 has been an unprecedented year in a number of ways. One thing that stands out thus far is the extent to which technology has helped companies adapt in order to avoid business interruption. For insurance companies, the pandemic has spurred increased adoption of technology solutions among both employees and customers. Many employees were required to telecommute to comply with social distancing guidelines, while customers gravitated towards online policy purchases to avoid unnecessary human contact. These adaptations are likely just the beginning of an evolution in the way we work and purchase products and services in the future. With technology playing an ever-increasing role in our daily lives, it is clear that minimizing cybersecurity risks by developing a comprehensive cybersecurity strategy should be a top organizational priority.