Remaining Viable: How Insurers' Cybersecurity Is A Major Problem
Insurance companies offer cybersecurity risk protection to other firms – including banks and wealth managers – but their own vulnerabilities are important, and need to be tackled.
Cybersecurity threats have spawned an insurance market to
handle these risks. One report pegs the size of the cybersecurity
insurance market at $1.6.4 billion (Global Market Insights,
August 2023). And yet it is worth considering that insurance is
not just important for the risk mitigation approach of clients
such as wealth managers. Insurers can be targeted by hackers
themselves.
To consider how and why the insurance sector is on the receiving
end of attacks, we carry this article from Sean Tilley, senior
director of sales, Europe, Middle East and Africa, at 11:11 Systems,
an IT service management business. The editors are pleased
to share these insights; the usual editorial disclaimers apply.
To respond, email tom.burroughes@wealthbriefing.com
The insurance industry is a prime target for cybercrime. Cybercriminals, who know that it is a treasure trove of sensitive data, are searching for ways to access it. This is evident in the growing number of insurance companies that have been hit with ransomware, phishing, and other types of cybercrime in the past year. This is supported by the IBM Cost of a Data Breach Report 2023, which states that the financial industry was the second hardest-hit sector overall in terms of cost per breach.
According to research findings from Cybereason, the financial
services industry is besieged by ransomware, data theft, and
phishing attempts, ranking among the top three sectors most
likely to be attacked. Notably, cybercrime has maintained its
position as the most prominent global risk in this industry since
2020.
In a crowded market, a strong cybersecurity posture can be a
significant competitive advantage for any business. With
insurance companies collecting large amounts of customer data and
customers growing increasingly aware of the importance of
cybersecurity and conscious of whom they want to give their data
to, cybersecurity must be a top priority for these companies and
their providers if they are to meet their various stakeholders’
requirements.
Protecting sensitive data
Insurance companies collect, manage and store massive amounts of
Personally Identifiable Information (PII), which is sensitive and
confidential data ranging from personal information to financial
records and medical data. Keeping this information secure is
paramount for not only maintaining customer trust but also
for meeting regulatory requirements which stipulate how to
handle customer data – placing additional pressure on
insurance companies to keep it safe.
As such, insurance companies must adapt their cybersecurity
strategies to stay one step ahead of the evolving threat
landscape where cybercriminals, who are becoming more
sophisticated, are employing new tactics and technologies to
breach security systems and access data.
Eroding trust and soaring costs
Trust is the foundation of any business, and the insurance
industry is no exception. Customers entrust insurance providers
with their personal data and in return expect these companies to
have measures in place to protect this data. A data breach or
cyber incident not only erodes trust, damaging the company’s
reputation, but can also have severe financial ramifications for
the organisation.
While it can be costly to investigate, mitigate and recover from
a cyber incident, in some instances, insurance companies may be
held liable for the losses incurred by their policyholders due to
cybercrimes. Further, cyber attacks can disrupt an insurance
company’s operations, affecting its ability to serve its
customers, process claims and conduct business efficiently,
potentially leading to further financial losses and customer
dissatisfaction.
Third-party risks
While insurance companies need to maintain stringent security
standards within their organisations, it is equally important
that they are aware of possible external risk factors too.
Insurance providers often collaborate with a network of
third-party partners such as suppliers and outsourced partners,
among others. These connections create additional vulnerabilities
to the security posture of a company, while at the same time, the
insurance companies retain regulatory responsibility for their
third-party contracts. As such, insurance companies will be held
accountable for weaknesses in their third-party partner contracts
and need assurances that the same level of cybersecurity
practices are in place across their third-party network. This
must include ensuring that any potential risks are appropriately
identified, managed, and mitigated to avoid a wider breach across
the company which could affect customers.
Cyber resilience
Building a culture of cyber resilience is key to establishing
operational resilience, which is a business’s ability to continue
its critical functions and deliver services in the face of
various disruptions. This is particularly important for insurance
companies; to achieve this they will need to move beyond focusing
on digital defences and foster a culture that anticipates and
mitigates threats as they evolve. A robust cybersecurity
infrastructure is the cornerstone of this resilience, serving as
the foundation for all other measures.
At the same time, these organisations need to run regular system
updates, which are part of the foundation, to ensure that their
defences are equipped to handle the latest threats. Employee
training also plays a crucial role in improving an insurance
company’s cyber resilience and thereby operational resilience, as
a workforce that can identify and respond to potential threats is
a powerful deterrent against ransomware attacks.
Get ready for the recovery
However, as prepared as a company’s defences are, it needs to be
equally prepared for recovery after an attack because, in
today’s environment, it is not a case of if but when an attack
will occur. Beyond prevention, cyber resilience encompasses
readiness for recovery. Having a comprehensive cyber incident
recovery plan in place is critical for every insurance company.
This plan serves as a roadmap for navigating the aftermath of an
attack, detailing the steps that it must take to recover
compromised data, restore operations and mitigate damage,
including periodic cyber recovery simulations to improve its
overall cyber resiliency posture.
Regular immutable or tamper-proof data backups are a key part of
this recovery process, particularly for insurance companies that
manage vast amounts of customer data. Ensuring that a recent and
clean copy of vital data is always available can significantly
improve the chances of a successful cyber recovery. Similarly,
having clear protocols and procedures for responding to an attack
and continuously monitoring and improving these measures as the
threat landscape evolves can help an insurance company not only
manage the situation efficiently but also minimise downtime.
Cybersecurity brings long-term viability
Cybersecurity is not just a short-term concern but a fundamental
component of an insurance company’s long-term viability. Those
who invest in robust cybersecurity measures are better positioned
to survive and thrive in a digital age, improving their cyber and
operational resilience and their ability to recover quickly.
Those who neglect to address cybersecurity adequately are likely
to experience devastating consequences, affecting their finances,
reputation, customer trust and legal standing.
Insurance companies can enhance their operational security and
demonstrate a strong commitment to customer and societal
wellbeing by acknowledging the significance of cybersecurity and
implementing robust protective measures. After all, cybersecurity
is a crucial investment for the long-term sustainability and
success of the insurance sector.
About the author
Sean Tilley, who has worked at NormCyber and Sungard, is senior
director, sales, EMEA, at 11:11 Systems. 11:11 Systems is a
managed infrastructure solutions provider which operates in
Europe, North America and Asia-Pacific. It is headquartered in
the US.