Cyber-Attacks in Insurance Industry: The Threat Continues
As we increasingly embrace online channels as a medium for transactions, we become vulnerable to newer risks. While we shop online, check our bank balance or pay our insurance premium, we tend to leave a trail of sensitive data that can be breached and accessed by cyber criminals. The insurance sector, which collects sensitive and confidential data, is particularly vulnerable to cyber threats. Data breaches in the insurance industry have the potential to inflict huge costs on the insurer as well as the insured.
Why the insurance industry is the pet target of cyber criminals
Cyber security is ranked as the number one concern in the US, UK, and Africa and number two in the Far East Pacific Region. It also ranks number one amongst non-life insurers and second amongst reinsurers.
Insurance companies hold significantly more consumer data than ever (credit card information, medical information, and other underwriting information), making them an attractive target for cyberattacks. That data can be used for identity theft or, as in the case of North Korea, to commit insurance fraud that generates revenue for the government.
According to a recent survey of 100 insurance company CEOs by KPMG, fewer than 1 in 5 believe that their organization is fully prepared for a cyber event. 42 per cent think that cyber security is their most pressing risk, far outweighing their concerns about other key risk areas such as regulatory risk.
The chief concern is the security of the ever-growing volumes of data that insurers hold in cloud-based storage systems. For many, major breaches are inevitable; the question is how much damage they can sustain.
Insurers need to enhance security preparedness amidst the growing risk of cyber-attacks
Defending against cyber-attack is becoming increasingly difficult because of the sheer volume of attempts. Even if you detect and defend against 99.9% of attacks, the few that get through can cause serious disruption to the business.
Over the last year, the insurance industry has been shaken by ransomware attacks like the ‘WannaCry’ attack. Unlike natural disasters, where the insurers have a geographically restricted footprint, organizations hit by such ransomware are hard to track, and these attacks have resulted in new implications for the insurance industry. Increasingly, the industry is forced to use data analytics to map and model such attacks and to take proactive security measures to brace against possible future attacks.
A recent study by Accenture reveals that insurers are suffering from an astounding number of breaches. In addition to millions of random attacks each week, a typical insurance company will face an average of 113 breach attempts a year, which is more than three effective breach attempts per month. The study predicts that a third of these attacks will be successful.
Consequently, there is an urgent need for insurance companies to protect themselves against cyber breaches with effective IT security and risk management technologies and protocols that are updated, enforced, and stress-tested regularly.
Follow the regulatory guidance
Recognizing the need for better cybersecurity in the insurance sector, the National Association of Insurance Commissioners (NAIC) published “Principles for Effective Cybersecurity: Insurance Regulators Guidance.” The NAIC document provides best practices for insurance regulators and companies, focusing on the protection of the sector’s infrastructure and data from cyber-attacks. However, given the changing threat landscape and the sophistication of attacks, insurance companies will have to do a lot more.
What the insurance sector should expect to be doing moving forward
- Increase in cybersecurity regulations
- Focus on consumer privacy
- Increase in cybersecurity spending
- Growing importance of cybersecurity information-sharing and analysis groups
- Involvement of Board and Management in cybersecurity
- Increased need to manage third-party risks
- Linkages between cybersecurity and risk management
So, what next?
Cyber Insurance: The way forward
Many insurance companies have developed insurance products and policies that help protect clients from damages incurred from cyber-attacks. These products are generally known as cyber insurance.
Cyber insurance coverage typically falls into two broad categories: first-party and third-party. First-party coverage focuses on the internal costs incurred by the company, such as hiring an attorney to deal with legal ramifications and hiring a PR firm to minimize reputational damage. Third-party coverage handles the consequences of cyber security events that affect other companies and individuals. Typical coverage includes network maturity liability. It also covers financial harm to other individuals from a company’s privacy breach, as well as the cost of post-breach regulatory investigations and fines.
Although cyber breaches cannot be completely avoided, an effective IT security and risk management system, together with awareness among staff and customers alike, can help control the damage to a large extent. Technologies like cloud and mobility come with far more risks than on-premise technologies. With the growing influence of IoT, the spectrum of threat is only going to spread exponentially. All these have the potential to alter the way insurance companies tailor their products to cover and minimize their own risks. Is your organization adequately pepped up to respond to, handle, and survive the onslaught?
(As Updated on October 13, 2017)