Cybersecurity for Insurance Firms: Claims Fraud, Policyholder Data, and Lloyd's Market Cyber Exposure

Insurance firms occupy a dual position in the cyber risk landscape: they are targets of cyber attacks — holding sensitive policyholder data, medical records, and financial information — and they are underwriters of cyber risk for others, creating unique exposure at Lloyd's and in the London market. Claims fraud enabled by cyber attack is a growing threat: attackers compromise broker or insurer email systems to intercept and manipulate claims payments, submit fraudulent claims using stolen policyholder data, or socially engineer claims handlers into fraudulent settlements. The FCA expects insurance firms — from Lloyd's syndicates to niche personal lines insurers — to have controls proportionate to both their regulatory obligations and the value of data they hold.

Insurance fraud costs the UK £1.1B annually — a growing proportion enabled by cyber attacks on insurers, brokers, and policyholders' own systems.

The Cyber Threat Profile for Insurance Firms

Insurance firms face a distinct combination of threats:

  • Claims payment diversion: Attackers compromise broker or insurer email to intercept claims payment instructions — redirecting settlements to fraudulent accounts
  • Policyholder data theft: Insurance applications contain among the most sensitive personal data held by any financial firm: medical records, property details, criminal history, financial circumstances
  • Fraudulent claims using stolen data: Stolen policyholder data enables fraudulent claims — attackers use real policy details to submit fabricated claims for losses that did not occur
  • Ransomware targeting claims systems: Claims management systems are high-value targets — their unavailability prevents settlement of legitimate claims and creates regulatory and reputational risk
  • Lloyd's market supply chain: Lloyd's syndicates depend on a network of brokers, cover holders, and managing agents — each presenting a potential entry point into the wider market

Lloyd's Market Cyber Exposure: The Systemic Risk

Lloyd's of London operates through a network of syndicates, managing agents, brokers, and cover holders that share data and conduct business through common platforms including ACORD and the London Market Target Operating Model (TOM). This interconnection creates systemic cyber risk:

  • Shared platforms: A successful attack on a common platform or infrastructure provider could affect multiple syndicates and brokers simultaneously
  • Cover holder data flows: Lloyd's cover holders hold policyholder data on behalf of syndicates — their security controls directly affect syndicate data protection obligations
  • ACORD messaging: Electronic message exchange between brokers and insurers creates data in transit that requires protection
  • Lloyd's Cyber Security and Data Strategy: Lloyd's has published explicit cyber security requirements for managing agents and cover holders — non-compliance creates market access risk
  • Concentration risk: Many smaller syndicates rely on shared managed service providers — a single provider failure could affect multiple Lloyd's participants

Regulatory Obligations for UK Insurance Firms

Insurance firms face multiple overlapping regulatory obligations:

  • FCA SYSC 13: Systems and controls requirements — identical to other FCA-regulated firms, including cybersecurity controls proportionate to scale and risk
  • PS21/3 Operational Resilience: Claims processing and policy administration are important business services for most insurers — impact tolerances must be set and tested
  • UK GDPR: Sensitive personal data (health, financial circumstances) is special category data under GDPR Article 9 and requires enhanced protection — a higher standard than ordinary personal data
  • PRA requirements: PRA-regulated insurers (large general and life insurers) face additional prudential resilience requirements from the PRA's operational risk framework
  • Lloyd's requirements: Syndicates and managing agents face Lloyd's-specific cyber security requirements that overlay FCA/PRA obligations

Practical Security Controls for Insurance Firms

The control priorities for an insurance firm, based on the threat profile and regulatory requirements:

  • Email security and payment verification: Claims payment diversion is countered by DMARC/DKIM/SPF, MFA on email, and out-of-band verification of any change to payment details — Coro handles the technical controls
  • Endpoint protection with DLP: Policyholder data must not leave authorised systems — BlackFog's data exfiltration prevention prevents data movement regardless of the mechanism
  • Claims system availability: Ransomware targeting claims systems requires tested backup and recovery for core claims management platforms — with impact tolerance defined under PS21/3
  • Third-party risk for cover holders: Lloyd's syndicates and managing agents must monitor the security posture of cover holders who hold policyholder data — Panorays provides continuous external monitoring
  • Staff training on social engineering: Claims handlers are targeted by sophisticated social engineering — phishing simulation and training tailored to insurance scenarios
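The email-security control above names DMARC, DKIM and SPF as the technical defence against claims payment diversion. As an added example (not Kyanite Blue's tooling or code from this page), the Python script below grades an SPF and a DMARC record the way a claims-handling domain's defenders would, flagging the settings that still let spoofed payment instructions reach a mailbox; the domain broker.example and all record strings are constructed.

```python
"""Grade SPF and DMARC records for claims-payment email spoofing risk.
Added example, not Kyanite Blue's tooling; record text is passed in as
constructed strings (fetch the real TXT records with a DNS resolver)."""
import re

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase tag -> value map."""
    pairs = [p.strip().partition("=") for p in txt.split(";")]
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def dmarc_findings(txt: str) -> list:
    """Findings that leave spoofed mail deliverable; an empty list means enforcing."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record: spoofed mail from this domain is not policed"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed claims mail is reported or junked, not rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so abuse of the domain goes unseen")
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains (e.g. claims.) remain spoofable")
    return findings

def spf_findings(txt: str) -> list:
    """Findings for an SPF record: a permissive 'all' or too many DNS lookups."""
    mechs = txt.split()
    if not mechs or mechs[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    findings = []
    if mechs[-1].lower() != "-all":
        findings.append(f"terminal '{mechs[-1]}': only -all rejects unlisted sending hosts")
    lookups = sum(1 for m in mechs[1:]
                  if re.split(r"[:=/]", m.lstrip("+-~?").lower(), maxsplit=1)[0] in LOOKUP_MECHS)
    if lookups > 10:  # RFC 7208 limit; exceeding it yields permerror, i.e. no usable SPF
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings

# Constructed records for a hypothetical broker domain: weak beside corrected.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@broker.example"
WEAK_SPF = "v=spf1 include:_spf.broker.example ?all"
STRONG_SPF = "v=spf1 include:_spf.broker.example -all"
```

Run `dmarc_findings` and `spf_findings` over each pair; the weak records return the reasons spoofed mail is still delivered, the corrected ones return nothing.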

Frequently Asked Questions

Do Lloyd's syndicates have specific cybersecurity requirements beyond FCA rules?

Yes. Lloyd's has published Minimum Standards for Managing Agents (MS9 — Cyber Security) that require managing agents to maintain a cyber security programme, conduct annual risk assessments, implement specific technical controls, and manage cyber risk in their supply chain including cover holders. Lloyd's Cyber Security and Data Strategy sets a roadmap for increasing standards across the market. Managing agents that cannot demonstrate compliance with Lloyd's minimum standards face market access restrictions.

We underwrite cyber insurance — does that mean we have a higher cyber risk obligation?

In practice, yes — though not as a formal regulatory requirement. An insurer that underwrites cyber risk and suffers a significant cyber incident faces particular reputational damage and potential questions from the FCA about whether its own controls were consistent with the risk standards it applies to policyholders. Internally, cyber underwriters are often best-placed to understand and advocate for adequate internal controls — their expertise should inform the firm's own risk management.

What personal data categories do insurance firms hold that require enhanced protection?

Insurance applications frequently include special category data under GDPR Article 9: health and medical data (life, health, and income protection policies), criminal convictions and offences data (travel and motor policies), and data revealing racial or ethnic origin. These categories require explicit legal basis, enhanced security measures, and specific policies governing access. A breach affecting special category data triggers enhanced ICO notification obligations and potentially higher fines.

Build controls proportionate to your insurance data risk

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
