Tag Archives: cyber insurance

Insurance News

Digital Payment Growth Faces Rising Cybersecurity Threats: Chubb

Leave a comment

The global digital payments landscape, projected to hit $16.6 trillion by 2028, is grappling with a surge in security breaches and scams, with U.S. consumers reporting losses of $1.8 billion due to bank transfer and payment scams in 2023 alone, according to a new report from Chubb.

Despite widespread adoption, only one in three users fully trust digital payment technologies, underscoring the need for enhanced security measures and consumer education, the report found.

Concerns about security of digital payments creates an opportunity for insurers to provide personal cyber coverage that offers consumers greater peace of mind, the report noted.

“In this dynamic environment, insurance plays a pivotal role in fostering trust and enabling the continued growth of the digital payments ecosystem. By providing protection against financial losses resulting from cyber scams, technology malfunctions and data breaches, insurance empowers individuals and businesses to embrace digital payments with confidence,” said Sean Ringsted, chief digital business officer of Chubb.

The Growth and Risks of Digital Payments

The total transaction value of digital payments is projected to be $11.6 trillion in 2024, with continued growth expected at a 9.5% annual rate through 2028, according to Chubb. This underscores the magnitude of the shift toward digital payments globally.

In the U.S. alone, the number of noncash payments, excluding checks, has increased more than 500% between 2000 and 2021, according to the Federal Reserve System. Digital wallets are projected to account for more than $25 trillion in global transaction value, or 49% of all online and point-of-sale sales combined, by 2027.

As reliance on digital payment technologies grows, so does the prevalence of security breaches and scams, Chubb warned.

Data compromise incidents involving financial institutions increased by more than 330% from 2019 to 2023. In 2023, U.S. consumers reported losing $1.8 billion due to scams involving bank transfers and payments. The three largest banks that offer the Zelle payment network rejected scam disputes worth approximately $560 million from 2021 to 2023, according to a U.S. Senate Subcommittee analysis.

Businesses are also feeling the financial pain, with merchant losses due to online payment fraud predicted to surpass $362 billion globally between 2023 and 2028. Juniper Research anticipates $91 billion in losses in 2028 alone.

“From the U.S. perspective, the survey results suggest that some consumers have been lulled into a false sense of security around digital payments,” said Robert Poliseno, president of North America Digital Insurance at Chubb. “To protect all consumers, key ecosystem participants — including financial institutions, merchants and insurers — should educate users about potential risks, including the diverse range of cyber scams, and emphasize protective measures, such as adopting secure digital practices, raising awareness of common pitfalls and utilizing various forms of available risk transfer products-like insurance.”

The Trust Gap in Digital Payments

Despite widespread adoption, trust in digital payment technologies is relatively low, according to the survey. Nearly one-third of respondents globally lack confidence in digital payment providers’ security measures. Concerns about the adequacy of customer support (36%) and confidentiality (29%) are also among the main impediments to full trust, the survey found.

The possibility of being scammed is a leading barrier to fully trusting digital payments. Globally, 64% of respondents are very or quite concerned about cyber scams when using digital technology to transfer money, the survey found. In the U.S., 49% of respondents are very or quite concerned.

Most respondents concerned about cyber scams indicate that they have altered their behavior or reduced their usage of certain platforms: 61% globally, 60% in the U.S., 56% in Latin America and 65% in Asia.

The Role of Insurance in Promoting Trust and Adoption

A significant portion of digital payment users mistakenly believe they are protected against losses in various scenarios, such as technology malfunctions or data breaches. Younger respondents, frequent users, and those engaging in risky behaviors could be especially at risk of incorrectly assuming they have automatic protection.

However, the Chubb survey found that actual usage of insurance is relatively low — only 16% globally have personal cyber scam or fraud insurance, while 23% have payment protection insurance.

The presence of transaction insurance plays a critical role in increasing users’ trust in digital payment technologies, Chubb reported. Holding such insurance significantly boosts confidence for three-quarters of consumers.

Consumers are willing to pay for this peace of mind, Chubb found, with the highest proportion willing to spend 6% or more of the transaction amount on insurance.

View the full report here.

Cyber Risk, Insurance Industry

FBI: Elder Fraud Up; Bolsters Case for Personal Cyber Insurance

Leave a comment

By Neil Rekhi, Personal Cyber Product Lead, HSB

Targeting of the demographic with the most to lose increases.

In 2023, total losses reported to the FBI’s Internet Crime Complaint Center (IC3) by people over the age of 60 topped $3.4 billion, an almost 11 percent increase in reported losses from 2022. The number of complaints, the highest attributed to a single age group, increased by 14 percent. The average dollar loss per complaint was $33,915, with nearly 6,000 people losing over $100,000 per claim.

The IC3 report outlined several common cyber fraud activities that impact individuals over 60, including:

  • Call Center/Tech Support Scam
  • Confidence/Romance Scams
  • Cryptocurrency Scams
  • Investment Scams

The IC3 notes the actual figures around these and other cyber crimes targeting the elderly may be higher since only about half of the more than 880,000 total complaints it received (with total losses exceeding $12.5 billion) included age data.

A major reason for the proliferation of elder fraud may simply be that members of this age group are plentiful while also having comparatively the most to steal. Adults 65 and up are expected to make up 22 percent of the US population by 2024. Federal Reserve data indicates that their asset accumulation outpaces that of other age groups, with median and average net worth figures for adults 65-74 at $409,900 and $1.8 million, respectively, and for adults 75 and over, $335,600 and $1.6 million respectively. 

Increasing digital lives and advancing technology create new threats.

The transition to the smart mobile and app economy, along with the rise of big data and predictive analytics/AI, and (due to the pandemic) remote working, have transformed the way we engage with the world on a social, professional, and financial level. The Internet of Things (IoT) and each person’s expanding network of personal devices — smart TVs, video game consoles, appliances, home climate control systems, etc. — have propelled the digitization of our existence. All these advancements can make life easier but also increase points of cybersecurity vulnerability for people of all ages.

However, data indicates that different age groups can be susceptible to different methods of targeting by cyber scammers. For example, phishing, which relies on the human tendency to repay what another person has provided, can be more effective for targeting older vs younger adults. Also, today’s consumer under age 25 may never have the need to write a paper check, but many over 65 today have spent a significant portion of their lives handling their financial affairs that way. Thus, the trust placed in tech support people and other personnel whom they are supposed to rely on for assistance is understandable.

Unfortunately, according to the IC3, people over 60 lost more to call center and tech support scams than all other age groups combined, with this group reporting 40% of these incidents and 58% of the related financial losses (about $770 million). Common schemes involved using phone calls, texts, emails, or pop-up windows (or a combination of these) to connect with victims, manipulating them to download malicious software, reveal private account information, or transfer assets. The fallout included remortgaged homes, emptied retirement accounts, and, in some cases, suicide.

New tools and methods increase cyber security threats.

A financial services professional at a Hong Kong-based firm sent US$25 million to fraudsters after she believed she was instructed to do so by her chief financial officer on a video call that also included other colleagues. Deepfakes, one of 2024’s increasingly common cyber risks for businesses and organizations, is on track to become a major threat to personal cyber liability. A technology known as “deep” learning (hence the name) can generate images, videos, texts, or sound files specifically designed to be highly convincing despite being entirely made up.

This content can turn up anywhere on social media, the internet, or even in emails and phone calls, fooling unsuspecting humans, and, all too often, even detection software. Deepfakes aren’t always produced for malicious activities; some are used widely for entertainment. However, the growing sophistication of deepfakes and the availability of the technology needed to make it may have serious implications for cyber risk.

Cyber criminals can leverage this technology to trick victims into divulging sensitive information, transferring money, or performing other activities. Reputations can be damaged by fabricated images of victims engaged in illegal or controversial acts. This type of deep fake can also enable blackmail in exchange for not releasing the material. In addition to impersonating individuals, cyber criminals can use deep fakes to bypass biometric verification or create false advertising.

The options for managing personal cyber risk can differ in crucial ways.

Personally identifiable information (PII) is the primary driver of identity theft and most other cyber fraud. Major data breaches are becoming common place, such as the incident that happened in 2023 (but wasn’t reported until August 2024) that credit exposed 2.7 billion records. Bad actors exploit this kind of information to directly engage in fraudulent transactions or create trust with their targets in more complex schemes.

Thanks to heavy marketing and wide availability from banks and card issuers, consumers tend to be familiar with Identity Theft Protection (ITP). As the name implies, such plans revolve around the risk of stolen identity and can alleviate some of the work and costs related to monitoring and mitigating the fallout from identity theft.

In contrast, Personal Cyber Insurance (PCI) offers coverage for a broader range of losses. Covered risks, in addition to ITP, can include cyber extortion, online fraud and deceptive transfers, data breaches, cyberbullying, and more. An important aspect of PCI is that it can help provide financial reimbursment from covered “cyber scams” or related social engineering risk not directly tied to identity theft, cyber crimes which are on the rise. It also offers assistance and financial reimbursment for compromised devices. For example, if a policyholder is hacked, personal cyber insurance may help cover the costs of hiring a professional to reformat the hard drive, reinstall the operating system, and restore data from the backup.

“Social engineering and other cyber-related threats against consumers continue to grow and evolve, and insurance carriers are offering affordable personal cyber coverage that can be easily added to a homeowners or renters insurance policy,” says James Hajjar, Chief Product Officer at Hartford Steam Boiler (HSB).

HSB, which has been offering personal cyber insurance since 2015, has evolved its coverage multiple times over the years to stay ahead of cyber risk trends and the dynamic threat landscape. Given the increasing complexity of cyber risks and the rise of sophisticated scams — such as phishing and ransomware — that kind of protection shouldn’t be limited to identity theft. Robust PCI coverage safeguards against a range of other cyber-related issues and provides critical support to ensure policyholders aren’t left to deal with the financial aftermath of a cyber incident alone.

“It’s crucial that cyber insurance is specifically designed to help individuals protect themselves against these evolving threats and provides financial security and additional programs and services if someone is hacked,” Hajjar says.

Historically, ITP has been widely offered through banks, credit unions, credit card issuers, and credit reporting agencies. Either product type may be purchased as either standalone or optional add-on coverage for homeowners, rental, or condo insurance policies.

The IC3 says it receives about 2,412 complaints daily, but many more cybercrimes likely go unreported for various reasons. Complaints tracked over the past five years have impacted at least 8 million people. The 2023 Data Breach Report, which details the larger dataset of cyber crime complaints to the FBI’s Identity Theft Resource Center (ITRC), reveals that last year delivered a bumper crop of cybersecurity failures – 3,205 publicly reported data compromises, impacting an estimated 353,027,892 individuals.

A new conversation about personal cyber insurance begins.

Triple-I and HSB are teaming up to uncover ways to enhance support and resources for insurance agents while improving personal cyber insurance options for policyholders. If you are an agent, please take three minutes to help by participating in our survey. Your contribution will be invaluable in shaping the future of personal cyber insurance.

Cyber Risk

Cyber Claims Get Paid; Why Do Many Businesses Believe They Don’t?

1 Comment

There’s a road in my town that’s widely regarded as a speed trap. We all know drivers who say they were unfairly stopped and ticketed on it. I’ve never been and, come to think of it, neither has anyone I talk to about it.  Maybe it’s because we live in town and “everyone knows” about the trap.

Cyber is a relatively new, evolving risk. Insurers manage their exposures, in part, by setting coverage limits and excluding events they don’t want to insure.

Sure, people get ticketed. The road is straight and wide, and I guess some feel they should be able to drive faster than the clearly posted speed limit. Or maybe they think the “real” limit is somewhat north of the number posted.

Is that really a “speed trap”?

I think of this road when I hear people say they don’t buy cyber insurance because “everyone knows” cyber claims don’t get paid.

Poster child for “cyber” denial

The example on everyone’s lips when this topic comes up is Mondelez International, the food and beverage giant hit by the NotPetya ransomware attack in 2017. Mondelez incurred losses exceeding $100 million, and its insurer denied coverage based on a war exclusion.

The irony? The policy in question covered property, not cyber. One can argue – as Mondelez does in a lawsuit –  that the war exclusion is being unfairly applied, but businesses aren’t ceasing to buy property insurance on account of it!

Cyber claims data are hard to come by, but for nine years NetDiligence has published a Cyber Claims Study analyzing paid claims. The 2019 study looks at more than 2,000 such claims aggregated in over 20 ways, including types and amounts of losses, incident causes, data types exposed, business sectors affected, revenue size of claimants, and financial impact.

Verisk, whose cyber products help insurers write coverage based on their policyholders’ risk characteristics, doesn’t publish claims data but aggregates and incorporates them into its analytics.

NetDiligence publishes an annual Cyber Claims Study. Verisk aggregates and incorporates claims data into its analytics. Why do so many believe cyber claims don’t get paid?

Why the perception/reality gap?

Cyber is a relatively new, evolving risk. Insurers manage their exposures, in part, by setting coverage limits and excluding events they don’t want to insure. Indeed, in a recent survey by J.D. Power and the Insurance Information Institute, small-business owners named “too many exclusions” among the top reasons they don’t buy cyber coverage.

Claims are often denied because of exclusions policyholders might not have known about or understood. Some insurers, for example, include “failure to follow” exclusions for claims arising from inadequate security standards.

Everyone’s responsibility

If insurers want businesses to buy cyber policies and not be hit with unpleasant surprises at claims time, they need to be aggressively transparent about what’s included and excluded. Relegating this to fine print is not a good strategy.

Brokers and agents need to educate themselves about their clients’ needs and be fastidious in aligning coverage recommendations with those needs.

And insurance buyers – those with most at stake – need to understand cyber perils and insurance. For example, insurers require a cyber hygiene self-assessment from applicants. If, after an incident, that assessment proves inaccurate – say, if encryption practices were misrepresented – coverage can be denied.

Insurance isn’t a replacement for cyber diligence. But it can complement it as part of a well-planned risk management program.