The insurance industry has a full plate these days – dealing with everything from economic and political instability, climate change, a hardening market and increased claims expenses, to finding skilled workers and operating in a fiercely competitive environment where digital transformation is a must. However, according to a recent survey we conducted with global IT decision-makers, C-suite executives across the industry think cybersecurity is the largest challenge of all. 65% of insurance technologists cited cyber-attacks/threats as a greater concern than inflation (45%) and retaining and hiring talent (40%), and cloud evolution/migration is a big part of the story.
The consequences of cyberattacks can be devastating to insurers that are unprepared. 63% cited operational downtime as a leading concern, while 51% reported concerns over intellectual property loss and theft, and smaller percentages said they are concerned about damage to brand reputation (47%) or revenue loss (33%).
Good News
There is some good news in the survey. Insurers have increased their investment in cybersecurity, and that shows no sign of changing. Despite the economic challenges brought about by the pandemic, 81% of insurers report that their cybersecurity budgets have increased over the past three years. Respondents also note that the issue receives an increasing share of board visibility. They also cite increased collaboration between the security team and the C-suite to address cyber risks. More than ever, security teams, boards and C-suite executives at insurance companies are working together to ensure risks are appropriately controlled:
- 72% note an increase in board visibility for cybersecurity over the past five years
- 73% cite increased investment in cybersecurity due to better collaboration between the security team and members of the C-suite.
…and Some Bad News
At the same time, carriers are moving their infrastructure away from proprietary data centers through multi-year cloud transformation initiatives. Maintaining a security posture that meets compliance challenges and addresses top risks while these structural IT changes are taking place is emerging as a challenge. With IT infrastructure spread across public and private clouds, and a significant installed base of legacy IT infrastructure still not on the cloud, holistically managing cybersecurity becomes more challenging, especially in a world where IT talent and cyber talent are at a premium.
It is not surprising that the leading targets for new cybersecurity investment among insurers are cloud native security (69%), data security (51%), consultative security services (51%) and application security (42%). According to the survey, cloud native security is the area where organizations are most likely to rely on an outside partner for expertise.
These investments align with the top areas insurers perceive as their greatest concentration risk, led by network security (55%), closely followed by web application attacks (54%) and cloud architecture attacks (64%).
The consequence of these converging dynamics is that fewer than half (42%) of insurance IT professionals said they are “fully prepared” to respond to cybersecurity attacks and threats. In addition, a majority report being either “unprepared” or only “somewhat prepared” for major tasks such as identifying and mitigating threats and areas of concern (50%), recovering from cyberattacks (53%) or preventing lapses and breaches (66%).
For all the industry’s efforts to put cybersecurity at the top of the agenda and the increased spending on new technologies, there are still too few insurers adding cloud-native security functionality or third-party SaaS security tools that are built specifically for cloud-based workloads. As threat actors continue to target cloud workloads and access points, and as IT architectures grow in complexity, there will clearly be a need for carriers to use outside security assistance to identify and mitigate their threats.