As “the next digital pandemic,” cyber risks are increasingly becoming a problem for insurers themselves, according to an industry expert.

With “a lack of controls at [an] insurer, [you] could have catastrophic damages to an entire portfolio,” said Jack Kudale, founder and CEO of Cowbell Cyber, an InsurTech and MGA that provides cyber insurance and related services to small and medium-sized businesses.

Kudale, speaking during a CEO panel discussion at the 2021 Global Insurance Symposium in Des Moines on June 29, referred to cyber risks as “the next digital pandemic,” and said insurers must protect both their customers and themselves with equal measure.

In other words, insurers themselves are now targets.

“It is imperative that not only we protect with modern technology and innovation needed in this market, but you also protect your own infrastructure, because cyber criminals are looking for crown jewels, and where else would you go if not an insurer itself that is insuring cyber risks,” Kudale added.

Panelist Jessica Snyder, president and CEO of GuideOne Insurance, agreed.

“We just went through our own internal cyber risk internal assessment,” Snyder said. “[Ransomware criminals] can take over data centers and encrypt how to get to backups … This is a real issue our industry needs to be concerned about.”

Snyder said that GuideOne, a specialty insurer whose core clients are churches, spends about 6 percent of its total budget on cyber issues, focused on areas such as general protection, dual authentication and other related employee training. But these efforts, she said, are “just table stakes.” Insurers don’t understand at this point the true costs behind cyber risk, she added.

“We are insuring parts where we truly don’t understand what the cost is,” Snyder said. “This is a huge issue we CEOs need to be on top of, to be aware of what is out there and what the threats are.”

Both executives’ comments come in the wake of a massive ransomware attack against Chicago-based insurer CNA earlier this year. The company reportedly paid a $40 million ransom to end the incident.

The Colonial pipeline also was slammed with a massive ransomware attack in May, impairing oil deliveries on much of the U.S. East Coast. The company paid a $4.4 million ransom to get the pipeline operating again, according to reports.

Supply Line Ransomware Targets

Kudale said that ransomware threats will stay with the insurance industry for a long time, though he admitted that frequency and severity “will be very different as we make progress.”

He agrees that third-party or supply chain risks for businesses are the next big cyber risk. The critical issue, he said, is how to proactively patrol to ensure cyber security but also understand the nature of those risks.

“Prevention detection remains the most important action,” he said.