Operational Cyber Risk in the differing business model of Insurance Companies: the example of Poland

Aleksandra Hęćka-Sadowska
Krzysztof Łyskawa

DOI: https://doi.org/10.33995/wu2023.2.3


Cybersecurity has become one of the greatest challenges in today’s post-pandemic, digital and interconnected world, and a subject of strategic importance for the insurance industry. There is no doubt that the advance of technology and the increased use of big data and cloud computing have created an opportunity for the insurance business, but they have also expanded insurance companies’ vulnerability to cyber risk. As insurers collect large amounts of confidential data, including protected sensitive personal information, they are a natural target for cyber-attacks. The aim of the article is to indicate, on the one hand, how the risks associated with digitalisation affect day-to-day operations in selected business areas of an insurance company and, on the other, which methods may be used to manage them. After a general review of cyber risk based on recent industry reports and survey results, the authors identified its global economic impact, with particular regard to financial institutions, as well as insurers’ exposure to and perception of cyber risk and cybersecurity spending. Moreover, administrative decisions issued by the President of the Personal Data Protection Office in Poland, selected jurisdictions and loss scenarios for insurance companies were examined, with a deeper dive into the underwriting, selling, administration and claims handling processes. The results of the literature study show that cyber risk is recognized as one of the most significant non-financial risks (in terms of the source, not the result, of the risk) for insurers and that many proactive security measures can be implemented. However, due to the high vulnerability to leaks of confidential personal and financial data or unauthorized system access, which may cause not only financial loss but also business interruption and reputational damage, loss prevention and reduction are, in the authors’ opinion, insufficient. Thus, both insurance and non-insurance methods of externally financing the consequences of cyber risk were indicated. On this basis, the authors consider cyber insurance to be the best tool, providing both prevention and financial compensation in the event of cyber incidents, also in insurance companies.



Keywords: cyber risk, operational risk, insurance company, risk management, cyber insurance

