Cybercrime mobilizes insurance market

The concern for cybercrime felt by the insurance market, the regulatory agency and other financial sector agents was the subject of the second day of the “FIDES Brazilian Workshop on Innovation in Insurance: Sharing Opportunities and Experiences in ESG and Cyber Risks,” held in Brasília on Friday, April 14. The technical director of the National Confederation of Insurers (CNseg), Alexandre Leal, reported that Brazil now ranks second in Latin America in terms of the number of cyberattacks. In 2022, 100 billion attempts were detected in Brazil, behind only Mexico, where there were 187 billion.

“This explains why the issue of cyber security is on the agenda of all agents in the sector and needs to be tackled urgently. The cyber risk situation has evolved rapidly due to the digitalization of processes and it was aggravated by the pandemic,” said Leal, adding that last year there were around 360 billion assaults of this type on the systems of companies and organizations in Latin America and the Caribbean. In terms of coverage for this type of risk, Leal said that in 2022, premium revenues in Brazil were R$170 million and total payouts were R$64 million. This demonstrates that this is still an emerging segment in Brazil, but it has growth potential.

During the two-day FIDES Brazilian Workshop, aspects of the insurance sector’s evolution in cybersecurity and the adoption of ESG best practices were discussed, focusing on the environment, climate change, diversity and inclusion policies at companies in Brazil and in other “Southern Cone” countries (Argentina, Paraguay and Uruguay).

Cybersecurity laboratory

In his speech, the IT coordinator of the Brazilian Federation of Banks (Febraban), Bento Filho, presented an initiative to create a cybersecurity laboratory to help prevent and combat cybercrime. It is the first center created by the Brazilian financial system focused on cybersecurity training and capacity building, cyberattack simulations to develop responses to incidents, the application of intelligence, standardization of initiatives and the continuous pursuit of innovation. “Banks invest around R$30 billion per year in technology and 10% of that is allocated to physical and digital security,” he said.

Brazilian insurers are also mobilizing around this issue. According to João Passos, an executive at Brasilseg, the pandemic sped up digital transformation in all sectors and this also increased risks. “For this reason, we are dedicating ourselves to making our security actions more mature,” he said. Robson do Amaral of Liberty Seguros added that companies should carry out self-assessments about the risks they are most exposed to and this type of “looking inward” needs to be exercised. “It isn’t only enough to have an IT department. This department needs to support you and you need to have people dedicated to assessing the risks within your strategies, while fostering a culture of cybersecurity among employees. We are all responsible,” Amaral argued.

Standards are fundamental to point the way forward

Insurance executives and CNseg representatives were unanimous in stating that the involvement of the insurance regulatory body is very important, given that its rules standardize activities and elevate debates and exchanges of information on the subject. Representatives of the Brazilian Private Insurance Regulatory Agency (SUSEP), who are responsible for supervising the application of the rules, highlighted SUSEP’s monitoring of compliance with Circular 638 of 2021, which deals with the cybersecurity policy of insurance companies.

“Within this context of digital transformation, it is possible to see opportunities, but we cannot forget the risks involved,” said Saulo Valle. “We see a lot of value in working in partnership with the market, not from the top down, but by exchanging information and experiences so that we can evolve together,” added Fernando Abreu. Both are part of SUSEP’s Risk Management and Governance Supervision Area.

Sharing cyber incidents

The key to expanding protection against cyberattacks is the exchange and sharing of data, argued CNseg’s director of services, André Vasco, when presenting the main characteristics of the cyber incident database coordinated by his organization. This database, available to CNseg’s members, compiles information on incidents around the world. When capturing something, the system sends an alert to members and offers a corrective proposal to increase protection against threats. “By quickly sharing information, we help reduce risk and increase protection,” Vasco said.

Representatives of insurance industry associations in Argentina, Paraguay and Uruguay congratulated Brazil on its initiatives to invest in cybersecurity, admitting that their countries still have a long way to go in this area. “We still have a very small market in this field, with few policies covering cyber risk. We are a few steps behind,” said Gustavo Trias, the executive director of the Argentine Association of Insurance Companies. He commented on some attacks and attempts recorded in Argentina and added that companies are not yet aware of the importance of reporting these incidents, which would promote faster evolution.

The president of the Paraguayan Association of Insurance Companies, Antonio Vaccaro, said there is also a lack of a cybersecurity culture in his country, which means that there are no insurance products in this area. In the field of management, he revealed that there are some fledging initiatives by the local regulatory body to regulate insurance companies’ information technology systems. The executive director of the Uruguayan Association of Insurance Companies, Alejandro Veiroj, reported a situation similar to that of the two neighbors, stating that Uruguay is still far behind when it comes to cybersecurity.