What insurance leaders need to know about data breaches and consumer behaviour

The current threat landscape demands ‘fundamental shift’ in how insurers tackle cyber risks, says TransUnion’s cyber head.

As cyber threats become more sophisticated, insurance professionals must adjust to a landscape where the frequency of attacks may decline but their impact on individuals and businesses intensifies, says Matt Cullina (pictured), head of global cyber insurance business at TransUnion.

Reflecting on 2024 trends, Cullina noted that “despite a significant decline in reported data breach incidents in the US, the impact of these breaches — a key indicator of downstream fraud — reached record highs.” For threat actors, sectors such as healthcare, financial services, and insurance, remain prime targets due to the wealth of sensitive identity information they handle.

What’s changing, however, is how consumers respond. “When these breaches occur, prime consumer segments refuse to be passive victims: Those with the most to lose are actively seeking protection solutions,” Cullina said.

This evolving risk environment, Cullina argues, demands a “fundamental shift in how insurance professionals address cyber risks,” urging the industry to embrace more “proactive engagement and comprehensive personal cyber protection.”

Post-breach engagement rising

Though the severity of data breaches continues to increase, Cullina highlights an encouraging trend: “Top-tier credit individuals, particularly Gen X and Baby Boomers, are becoming active participants in their identity protection.”

Drawing on TransUnion breach response data, he explains that these consumers are “taking proactive steps like enrolling in monitoring services, adding fraud alerts and tracking credit inquiries.”

“These consumers receive an average of 1.5 fraud alerts per month across various digital risk vectors, and they’re taking constructive action in response,” Cullina said. “Their behaviour challenges the pervasive misconception that most consumers are apathetic and refuse to act.”

Instead, he sees an opportunity. “These prime and super-prime consumer segments are ideal prospects for expanded personal cyber coverage. They are financially secure and risk-aware, and already engage with risk-mitigating tools.

“Carriers can position themselves to capture and retain premium customers by thinking more expansively about cyber protection.”

Identity theft insurance vs. personal cyber coverage

Cullina stresses a key point of confusion: “There’s a significant point of confusion in the marketplace that insurance professionals must clarify for clients — and perhaps themselves — about the difference between identity theft insurance and personal cyber coverage.

“While often discussed interchangeably, they offer distinct levels of protection. Understanding the difference is key in today’s environment.”

“Identity theft insurance is narrower in scope,” he said. “It primarily focuses on the direct financial losses and expenses incurred when a person's identity is stolen and misused to commit fraud.” This might include reimbursement for fraudulent charges on credit cards, costs associated with restoring one's identity, or assistance with placing fraud alerts and freezes on credit reports.

However, Cullina warns: “It does not address the bigger landscape of cyber threats.” Threats like social engineering have grown in sophistication, causing significant financial damage. During social engineering scams, an individual is tricked into giving cybercriminals money or valuable information, he explained.

Identity theft insurance covers the unauthorised theft of identity, not necessarily the manipulation of an individual, which may be technically viewed as “authorised”.

“Personal cyber coverage, on the other hand, is more comprehensive and addresses the broader spectrum of cyber risks people increasingly face in their digital lives,” he explained. It typically includes the core benefits of identity theft insurance but offer additional coverage, such as:

• Social engineering losses from phishing, imposter scams or other deceptive tactics that convince individuals to reveal confidential information, send money or incur another financial loss.

• Fund transfer fraud for funds transferred from a client's bank account or investment accounts due to a cyber incident, even if a direct identity theft event (like a stolen Social Security number) didn't explicitly occur.

• Cyberbullying expenses related to the psychological and reputational damage caused by online harassment, including mental health counselling, legal fees and removal of fraudulent content.

• Ransomware and cyber extortion coverage for costs associated with attacks on personal devices, including negotiation guidance and forensic investigation support from the insurer.

• Data recovery and system restoration to help reestablish lost data and system operations due to a virus, malware or hacking.

• Privacy breach liability coverage for liabilities if the breach of a customer’s systems results in the release of someone else’s personally identifiable information.

“The increasing severity of data breaches is occurring in tandem with the growing sophistication of online threats. Moving forward, most individuals will need greater protection,” Cullina stated.

A differentiator for home insurance

Actively promoting personal cyber coverage, Cullina believes, “does more than mitigate risks for current customers. It’s also an opportunity to differentiate your offering and sell home insurance products to prime, risk-aware prospects.”

While many clients may not ask for this coverage, they’re aware of the risks. “They’ve seen the headlines about data breaches, phishing attacks and online scams,” he said. “Insurance professionals who can explain and offer these coverages can tap into a real need, even if it may be initially invisible.”

“In a competitive market,” he added, “adding personal cyber protection transforms a standard home insurance policy into a robust risk management solution — and a compelling reason to choose one carrier over another.”

Digital protection transforms insurance value

“Given the shifting digital landscape,” Cullina concluded, “personal cyber protection is emerging as both a new standard of coverage and impactful differentiator.”

“Consumers increasingly want to prevent loss, not simply react after it happens,” he said. “Offering proactive personal cyber coverage can be a lead generator, drawing in high-value prospects who prioritize online safety.

“They’re ready to act and will remember the insurers with offerings designed to protect their personal, financial and digital well-being.”

Did you get value from this story? Sign up to our free daily newsletters and get stories like this sent straight to your inbox.