Skip to main content


Building societies: Cyber threats and solutions

With a rapidly evolving cyber risk landscape, building societies are particularly vulnerable. This article explores the key threats and mitigation strategies.
Aerial drone view of the Circus street in Bath Somerset UK

The cyber risk landscape is evolving rapidly, with organised criminal groups using sophisticated ransomware and access tools to target businesses.  The financial services sector is one of the most vulnerable to cyber threats, with organisations utilising a wide range of online tools and services, while capturing and holding large amounts of sensitive customer data.

Marsh’s data showed an increase in the severity of data breaches and number of overall claims in Australia for the second half of 2021.[i] Overall there was a 10% increase in the number of claims notified to insurers between 1 July 2021 and 31 December 2021 compared to the previous six months. Fraud (email or accounts manipulated), data breach and ransomware attacks continued to make up majority of the matters. Financial institutions were also the most targeted with 20% of the total incidents, followed by legal organisations with 15%. 

There has also been an increase in societal risk factors combined with a general uptick in cyber criminality, which further exacerbates the risk to policyholders of a cyber loss. Post-pandemic, large numbers of employees now work from home and this, coupled with the current economic crisis, is likely to lead to an increase in crime insurance notifications, including cyber and computer crime.

At the start of the year, the World Economic Forum’s Global Risk Report highlighted that cybersecurity failures were listed among the top 10 heightened risks following the pandemic in 2022. The growing “work from home” environment and current economic climate could possibly also lead to an increase in social engineering claims, fake executive fraud (or whaling)[ii]  and general employee dishonesty.

Adding to these risks is an increasing cost of professional indemnity and regulator-driven directors’ and officers’ insurance claims. Consequently, these factors lead to social inflation[ii], which is inclusive of anti-corporate sentiment, an increase of both frequency and cost of litigation, and wider access to funding for litigation. 

In this environment, all organisations need to focus on their cyber security controls. This includes specialist technology, protocols for responding to a cyber incident, and training for staff and customers alike.  For building societies, much of the risk is likely to centre on privileged access accounts and the risk of their details being exploited by criminal entities.  Any data breach involving the loss of third-party data could lead to claims from customers in addition to potential regulatory involvement. Effective privileged access account management is crucial in preventing ransomware incidents; attacks that can result in major fallout for both system availability and accessibility. Marsh believes that online security and protection is vital for customers in today’s digital banking world.

What is important from an insurance perspective?

According to The state of cyber resilience report co-published by Marsh and Microsoft,[iv] insurance is very much a key component of the cyber risk strategy. In the report, which surveyed 650 senior company executives, 61% said their company purchases some form of cyber insurance cover. However, insurance should be one component of an enterprise-wide approach to building cyber resilience, which can include a range of measures to understand risk exposure using data and analytics, and as well as measure and response plans to mitigate risk.  

While cyber risk management is still a key priority for many companies, senior leaders are still not confident in their ability to manage risk without defined approach that encourages broad communication, and fosters communication and collaboration between stakeholders during key decision-making moments of the journey. For example, all departments that touch cyber risk should be involved in cyber incident management, and cyber insights should be shared across the enterprise to appropriately address organizational cybersecurity weak spots.

Greater discussion of cyber issues should be considered a senior board level where the ability to provide quantifiable loss scenarios can be examined to create a clear understanding of the financial, legal, and reputational fallout from a cyber-event. Tools such as cyber risk quantification, impact assessment, and an understanding of security strategy are now regularly applied during client renewal conversations as standard.

Risk managers are looking for economic solutions from their financial lines insurance broker in order to deliver bespoke risk reports for their respective building societies. This will aid them in managing and mitigating their cyber exposure. Other key strategies that are important to consider from a cyber perspective are reviewing insurer relationships across product portfolios, applying risk finance optimisation to assess cyber-loss impact, and combining financial lines with cyber coverage gap analysis.

[i]  Marsh 2021, Cyber Claims Snippets, Second Half of 2021 in Review,
[ii] Whaling is a type of scam in which a criminal posing as a company executive convinces an employee to voluntarily transfer a large sum of money directly to the criminal’s account
[iii] Social inflation refers to the improved awareness and understanding of insurance cover and claims in society as a whole, which leads to an increase in claims costs.
[iv] Marsh and Microsoft, 2022, The state of cyber resilience,

Meet the authors

Will Davis

Will Davis

Vice President, Financial Institutions, FINPRO

Sarah Lightfoot

Sarah Lightfoot

Vice President, FINPRO

Related insights

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. LCPA 23/010

Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983) (“Marsh”) arrange this insurance and is not the insurer. The Discretionary Trust Arrangement is issued by the Trustee, JLT Group Services Pty Ltd (ABN 26 004 485 214, AFSL 417964) (“JGS”). JGS is part of the Marsh group of companies. Any advice in relation to the Discretionary Trust Arrangement is provided by JLT Risk Solutions Pty Ltd (ABN 69 009 098 864, AFSL 226827) which is a related entity of Marsh. The cover provided by the Discretionary Trust Arrangement is subject to the Trustee’s discretion and/or the relevant policy terms, conditions and exclusions. This website contains general information, does not take into account your individual objectives, financial situation or needs and may not suit your personal circumstances. For full details of the terms, conditions and limitations of the covers and before making any decision about whether to acquire a product, refer to the specific policy wordings and/or Product Disclosure Statements available from JLT Risk Solutions on request. Full information can be found in the JLT Risk Solutions Financial Services Guide.”