Why insurers must take charge on cybersecurity


The Insurance Regulatory Authority’s new directive requiring insurers to report cyber breaches within 24 hours brings trust into sharper focus. In today’s digital economy, cybersecurity goes beyond defence: it is also the new benchmark of trust and a decisive factor in whether an insurer is truly fit to operate.

As more insurers digitise core operations, their exposure increases. Because the sector handles personal and financial data at scale, a breach exposes operations to significant risk and invites swift regulatory action.

This guidance defines new expectations for cyber readiness across the industry. Breaches that disrupt operations or result in financial loss must be reported within 24 hours of detection. Insurers must also submit quarterly incident reports and regularly update internal policies.

For instance, should a ransomware incident disrupt a claims platform or result in the exposure of sensitive customer data, insurers are obligated to respond without undue delay.

The response must extend beyond remediation of the technical issue to include prompt notification of the regulator and transparent containment of the breach. These requirements are now enforceable.

The urgency is justified. Between July and September 2023, the Communications Authority of Kenya recorded over 860 million cyber threat events.

Globally, according to IBM’s 2024 Cost of a Data Breach Report, the average cost of a data breach in financial services reached $5.9 million in 2024. Cyber threats have become operational risks affecting institutions and individuals alike.

The responsibility of protecting systems and data can no longer be confined to IT departments. Boards are expected to lead. They must review cybersecurity strategy, track emerging risks, and understand where their exposure lies. IRA recommends having at least one director with specific cybersecurity expertise.

According to the PwC Africa Insurance Outlook 2023, cybersecurity is one of the top five risks facing insurers across the region. Insurers are building internal capacity to detect and respond to incidents, but response is only part of the solution.

Policyholders today expect digital convenience, but they also expect that their data will be handled securely. When that trust is broken, it takes more than a PR statement to rebuild it. Fast, transparent communication following a breach is now a core part of any insurer’s responsibility to its clients.

Globally, leading insurers are embedding cybersecurity into customer experience. In the Asia-Pacific region, cyber insurance premiums have grown nearly 50 percent annually, with markets in Malaysia, Singapore, Australia, and New Zealand launching secure customer portals and real-time fraud alerts to bolster retention.

The risk landscape is shifting rapidly. Advances in AI now enable the creation of deepfakes, fabricated documents, synthetic identities, and convincing impersonations that can evade traditional verification processes.

These tools are fast, accessible, and already in the hands of cybercriminals. For insurers, the imperative is clear: strengthen fraud detection systems so they can identify deepfakes, implement tighter controls on digital document submissions, and equip teams with the skills to recognise and counter manipulation.

Third-party vulnerabilities are an escalating concern for insurers. Partnerships with cloud providers, external claims processors, and digital onboarding vendors inevitably expand the attack surface.

A single compromise in one system can cascade across multiple insurers downstream. Gaining visibility into data flows, clarifying who handles sensitive information, and ensuring robust encryption are no longer optional safeguards but baseline requirements.

Firms must stress-test their defences and keep policies updated as threats evolve. Point solutions won’t hold. Cyber risk is continuous, and so must be the response.

Kenya’s Vision 2030 positions financial services, including insurance, as key drivers of economic transformation, aiming to deepen reach and mobilise savings to support national investment. Without secure systems and digitally resilient insurers, these goals risk falling short.

In today’s environment, leadership will be defined not by the absence of incidents, but by the quality of the response. Swift recovery and the ability to turn setbacks into lessons will distinguish resilient organisations. Regulatory compliance may set the baseline, but true resilience is revealed in how institutions navigate what comes after.

This isn’t just a challenge for individual insurers.

A single high-profile breach can erode public confidence across the entire industry. That’s why collective action is essential. By sharing incident data, running joint simulations, and adopting transparent reporting frameworks, the sector can raise standards across the board. True resilience depends on coordinated effort.

The regulation has set the floor. The ceiling will be shaped by those who choose to lead. The insurers that embed cybersecurity into strategic planning will define what strong governance looks like in this era.

Cyber risk is business risk. The insurance industry’s digital future will be won by leaders who act early, lead decisively, and uphold accountability. There are no shortcuts, only stronger leadership, smarter systems, and greater transparency.

The writer is the Chief Information Officer, Liberty Kenya