Cyber-Attacks in Insurance Industry: The Threat Continues
An ounce of prevention is worth a pound of cure. The age-old idiom has become even more relevant in today’s world, where everything can be done over the internet: shopping online, buying movie tickets, ordering food of your choice, checking your bank balance, paying your insurance premium, etc. The “Internet of Things” revolution has brought its share of security threats, which cannot be overlooked and which need to be handled now. This is even more true in the insurance industry, where the data is extremely sensitive and confidential in nature and a single breach can cost both insurers and insured dearly.
Why does the insurance industry attract so many cyber-attacks?
Cyber security is ranked as the number one concern in the US, UK, and Africa and number two in the Far East Pacific Region. It also ranks number one amongst non-life insurers and second amongst reinsurers.
Insurance companies hold significantly more consumer data than ever (credit card information, medical information, and other underwriting information), making them an attractive target for cyberattacks. That data can be used for identity theft or, as in the case of North Korea, to commit insurance fraud that generates revenue for the government.
The chief concern is the security of the ever-growing volumes of data that insurers hold in cloud-based storage systems. For many, major breaches are inevitable; the question is how much damage they will cause.
Insurers need to boost their security knowledge amidst the growing risk of cyberattacks
Defending against cyber-attack is becoming increasingly difficult because of the sheer volume of attempts. Even if you detect and defend against 99.9% of attacks, the few that get through can cause serious disruption to the business.
The most recent major cyberattack against ‘Anthem Healthcare’ shook the insurance industry. In a rare show of honesty, the insurer began alerting customers and the media to the potential of a data breach just eight days after it first noted suspicious activity on Jan. 27, 2015.
Immediately upon discovering it had been attacked, ‘Anthem’ jumped to address the security vulnerability, contacted the FBI, and hired leading cyber-security firm Mandiant to evaluate its systems. The report highlighted various cybersecurity weaknesses, noting that insurers should keep track of the data flow in all IT systems, applications, and components. They must also be mindful of the user access privileges they grant their employees, placing sufficient controls on which employees have access to “super user” accounts. Cybersecurity must be addressed at all levels of the organization.
Targets of other such attacks include well-known corporations and establishments such as eBay, Target, the University of Maryland, NATO, JPMorgan Chase, Adobe, Aramco and RasGas, amongst many others. Approximately 145 million users were affected when eBay was targeted in early 2014. Although earnings were not as low as expected, the site did see a decline in user activity.
The best protection from cyber breaches is effective IT security and risk management technologies and protocols that are updated, enforced, and stress-tested regularly.
Regulatory guidance comes to the rescue
Recognizing the need for better cybersecurity in the insurance sector, the National Association of Insurance Commissioners (NAIC) recently published “Principles for Effective Cybersecurity: Insurance Regulators Guidance.” The NAIC document provides best practices for insurance regulators and companies, focusing on the protection of the sector’s infrastructure and data from cyber-attacks.
What should the insurance sector expect to see in the coming year?
- Increase in cybersecurity regulations
- Focus on consumer privacy
- Increase in cybersecurity spending
- Growing importance of cybersecurity information-sharing and analysis groups
- Involvement of Board and Management in cybersecurity
- Increased need to manage third-party risks
- Linkages between cybersecurity and risk management
So, what next?
Many insurance companies have developed insurance products and policies that help protect clients from damages incurred from cyber-attacks. These products are generally known as cyber insurance.
Cyber insurance coverage typically falls into two broad categories: first-party and third-party. First-party coverage focuses on the internal costs incurred by the company, such as hiring an attorney to deal with legal ramifications and hiring a PR firm to minimize reputational damage. Third-party coverage handles the consequences caused by cyber security events that affect other companies and individuals. Typical coverage includes network maturity liability. It also covers financial harm to other individuals from a company’s privacy breach, as well as the cost of post-breach regulatory investigations and fines.
Although it looks like cyber breaches cannot be completely avoided, an effective IT security and risk management system, together with awareness among staff and customers alike, can help control the damage to a large extent. With the growing influence of IoT, the spectrum of threats is only going to grow exponentially. Is your organization adequately prepared to respond to, handle, and survive the onslaught?