"Cyber insurance" grows more than 500%, but does not usually cover cases like the R$1 billion theft linked to Pix

The São Paulo Civil Police and the Federal Police continue to investigate the largest hacker attack in Brazil's history, which used valid access credentials to invade the systems of C&M — a technology company that mediates access for banks and small fintechs to the Central Bank (BC) systems, including Pix — and steal money from six financial institutions that are clients of the company.
With new reports of financial losses, police estimate the damage could exceed R$1 billion. In Brazil, it is becoming increasingly common to purchase "cyber insurance" to help companies with various aspects of the losses suffered in a hacker attack.
According to a survey by the National Confederation of Insurers (CNSeg) with data from last year, demand for insurance against hacker attacks grew 12.7% between January and June 2024, with R$110.6 million paid by client companies to insurers in that period - an amount known as the premium, which is what customers pay insurance companies to hold the policy.
In the historical series beginning in 2020, the increase in cyber insurance contracts in Brazil reached 512.4%—but the national market is still small: in 2024, it closed with approximately R$240 million in premiums in this segment. In the United States, for example, premiums reached US$10 billion in the same period.
In cases like the attack on C&M, however, insurance contracts by default do not cover financial amounts stolen in cyberattacks, or they exclude payment of coverage in various situations, such as when the theft was carried out with the help of someone inside the victim company itself (as was the case) or through social engineering, that is, when hackers break into a system by capturing valid access data from someone authorized to use it — in the case of phishing, for example, when scammers capture sensitive information from victims through malicious links.
Only BMP, a digital bank that is one of six affected C&M clients, reported the R$541 million theft to the São Paulo police. Initially, the money didn't affect customers and was withdrawn from the financial institutions' reserve accounts at the Central Bank. The São Paulo Civil Police arrested a C&M employee accused of providing the company's system login and password to the hackers responsible for the scam in exchange for R$15,000.
To date, the Central Bank has suspended six small financial institutions from the Pix system, suspected of having moved funds and otherwise participated in the billion-dollar embezzlement scheme. The suspension has a maximum duration of 60 days. Article 95-A of Resolution 30/2020, the "Pix law," establishes that the Central Bank may "provisionally suspend, at any time, the participation in Pix of any participant whose conduct is jeopardizing the regular functioning of the payment system."
"Cyber insurance" coverage is not usually complete

According to the final report of the Working Group on Cybersecurity and New Insurance for the Digital Economy, dated December 2024, from the Superintendence of Private Insurance (Susep), a federal agency linked to the Ministry of Finance, "despite the scope of coverage, it is important to highlight the exclusions, which are contractual clauses that limit the insurer's liability. The main exclusions include intentional acts, wars, natural disasters, physical and moral damages, losses on financial instruments, and previous events."
The document states that "offering these coverages in Brazil would be important for better alignment with international best practices, more complete protection for companies, particularly micro, small and medium-sized companies, including individuals, in addition to boosting the growth of the cyber insurance market in Brazil, attracting new customers and increasing competitiveness among insurers."
On its website, where it offers digital security solutions, the technology giant IBM recommends purchasing "cyber insurance" along with its products, but warns about the typical exclusions of this type of policy:
- third-party breaches (when the attack that hits the customer is actually carried out by a third-party partner company, as was the case with C&M);
- social engineering;
- internal threats (in the event that someone in the company participates in the attack “from the inside”, as was also the case at C&M);
- attacks sponsored by a nation-state or government;
- attacks that exploit a previously known vulnerability in the system;
- network failures not caused by hacker attack.
According to Marta Schuh, director of Cyber and Technology Insurance at Howden, there are some options on the market that insure at least part of the money lost in an attack itself, but due to the history of fraud in Brazil and the low maturity of national companies on the subject, supply is restricted locally and the most complete products are very expensive.
"The product is available, but it needs to be well-established, and the cost of including monetary deviation significantly increases the premium," she states. Schuh explains that in this case the insurer checks the client company's security procedures and helps recommend reinforcements if deemed necessary; otherwise, the policy will not be issued.
"I believe this incident helps highlight the urgency for our institutions to recognize that the world has changed, the way we do business has transformed, and with that, new risks have emerged," says Marta Schuh. "Many companies still view cybersecurity solely as a risk related to data protection, but it goes far beyond that. It impacts business continuity, brand reputation, customer trust, and even operational stability."
gazetadopovo