Cybersecurity threats faced by insurance companies are growing and evolving at an alarming rate. This has been spurred by many factors, including the internet of things (IoT). While the IoT presents opportunities for insurers, it also exposes security gaps. The severity and frequency of cyber-attacks are likely to increase.
Insurers must commit to protecting sensitive customer information in a compliant and reliable way. The cybersecurity threat is huge. It is time for insurance companies to reboot their approaches to cybersecurity.
Common cybersecurity threats facing the insurance industry
Cyber-extortion
Cyber extortion is increasingly becoming a common problem. Some types of ransomware attacks are so effective that victims may be forced to meet the attacker's demands and pay a hefty bribe to get their systems running again.
Automated threats
Credential cracking, vulnerability scanning, bad bots, credential stuffing and denial of service can potentially shut down a company’s systems quickly.
Identity theft and loss of confidential data
Identity theft may result from system vulnerabilities to data breaches. For instance, files stored on a firm's local servers may not be protected adequately. Insurers collect and store sensitive personal client information. This information can be particularly valuable for attackers to sell in black markets. They can use it as a tool for fraud, extortion, unauthorized borrowing and many other financial crimes.
Business disruption and reputation damage
Cyber-attacks can seriously disrupt business. For instance, a cyber-attack on Sony Pictures erased its computer infrastructure, including telephone directories, emails, voicemails and business records like contract templates. A malicious attack like this on an insurer could disrupt operations for months.
See also: Cybersecurity for the Insurance Industry
The foundation of any insurance business is policyholder trust. If an insurance company were to suffer a data breach exposing policyholder information or a cyber-attack that renders it unable to conduct normal operations, that trust would be shaken. This, in turn, can lead to reputation damage that may hurt the confidence of investors, consumers, policyholders and rating agencies.
Four tips for boosting security
1. Assess your defense capabilities realistically
Pressure-testing the company's defenses can determine whether they can repel targeted, high-impact attacks, whether external or internal. The testing includes vulnerability assessment, testing programs, penetration tests and scenario-based testing. Consider hiring a cyber-security firm to test your defenses.
2. Invest in early detection
Insurers need to continually invest and innovate to thwart potential attackers. Early detection is crucial. Otherwise, a cyber-attack can sit undetected for weeks.
Efficient and quick detection and response will help determine the source of the attack, the systems targeted, extent and cause. Then, the threat can be neutralized before damage is done. Insurers need to invest in technology. There is a wide range of software solutions that provide near-real-time threat detection.
3. Making cybersecurity everyone's job
While implementing sophisticated systems will reduce external threats, insurers tend to neglect internal threats such as human error, which could include revealing customer data in response to a convincing phishing email. Cybersecurity awareness among employees can significantly decrease the risk of cyber-attacks resulting from human error.
Alert employees can provide early detection. An Accenture survey found that up to 98% of security breaches that are not detected by a firm's security team are discovered by employees.
4. Learn from the past and evolve
Effective cybersecurity requires insurers to learn from previous cyber incidents and use the learning to improve planning and technology investments. Solutions include:
- Upgrading systems: Using last-generation or unpatched security software provides easy fodder for cyber attackers. Speak to your IT consultant about upgrading your systems.
- Migrating systems to the cloud: The cloud provides users a wide range of compliant and secure storage solutions. Choose a cloud provider that offers the highest possible security.
- Implementing appropriate security software, protocols, and appliances: This will effectively shield data and systems from automated threats.
- Establishing a disaster recovery plan: Despite all efforts, systems can be breached. Have a detailed up-to-date plan so that you can respond effectively to any problem, major or minor.
