AJ Thompson is CCO at Northdoor plc
Cyber attacks in the insurance sector have grown significantly during remote working, as insurance companies migrate toward digital channels in an effort to preserve their businesses, build closer customer relationships and offer new products. This investment in technology creates new strategic capabilities, but it also introduces a whole range of new cyber risks for companies that are relatively inexperienced at dealing with them.
As insurers embrace data and advanced analytics in this new way of working, they must collect and handle vast amounts of consumer information. As they find new and innovative ways to analyse this data, they must also find ways to secure it from cyber attacks.
Outdated legacy software gives cyber criminals a way to target insurers. The legacy programming languages these systems are written in are no longer taught to today’s engineers, and middle- and back-office systems built on them can only report transaction failures and risk triggers after the fact.
The lack of transparency within organisations is also an issue: insurers cannot see the build-up of risky positions or business practices, simply because they are either not aware of them or do not understand them.
This is compounded by Business Email Compromise (BEC). Rather than a mass phishing approach, BEC targets specific individuals within an insurance company with emails that impersonate C-level executives. That makes it far harder to tell real messages from fake ones, so these scams are more likely to succeed and far harder to prevent.
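The BEC pattern described above, an executive’s name on a message that does not come from the executive’s real mailbox, is something a mail gateway or SOC can check for mechanically. The following is an added example written for this article, not code from the author or from Northdoor; the insurer domain, executive directory and sample headers are all constructed placeholders. It flags three signals on a message’s headers: a display name matching a known executive while the address is not that executive’s, a sender domain that is a close lookalike of the corporate domain, and a Reply-To that diverts replies to a different domain.

```python
import re
from email.utils import parseaddr

# Constructed placeholders: a fictional insurer's domain and executive directory.
CORPORATE_DOMAIN = "example-insurer.test"
EXECUTIVES = {
    "Jane Doe": "jane.doe@example-insurer.test",    # constructed CEO entry
    "Sam Patel": "sam.patel@example-insurer.test",  # constructed CFO entry
}


def normalise_name(name):
    """Lower-case, keep only letters and sort the tokens so that
    'Doe, Jane', 'JANE DOE' and 'Jane  Doe' all compare equal."""
    tokens = re.findall(r"[a-z]+", name.lower())
    return " ".join(sorted(tokens))


# Index the directory by normalised name for lookup from a From: display name.
EXEC_INDEX = {normalise_name(n): a.lower() for n, a in EXECUTIVES.items()}


def edit_distance(a, b):
    """Levenshtein distance; used to spot single-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_headers(headers):
    """Return a list of human-readable findings for one message's headers."""
    findings = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Executive's name in the display name, but not the executive's address.
    key = normalise_name(from_name)
    if key in EXEC_INDEX and from_addr.lower() != EXEC_INDEX[key]:
        findings.append(f"display-name impersonation: '{from_name}' but sender is {from_addr}")

    # 2. Sender domain is one or two edits away from the real corporate domain.
    if from_domain and from_domain != CORPORATE_DOMAIN \
            and edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {from_domain}")

    # 3. Replies silently routed to a different domain than the sender's.
    reply_to = headers.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if domain_of(rt_addr) != from_domain:
            findings.append(f"reply-to mismatch: {rt_addr}")
    return findings


# Constructed sample headers, one benign and three with BEC-style signals.
SAMPLE_MESSAGES = {
    "legitimate": {
        "From": "Jane Doe <jane.doe@example-insurer.test>",
        "Subject": "Q3 planning",
    },
    "freemail_impersonation": {
        "From": "Jane Doe <jane.doe.ceo@freemail.example>",
        "Reply-To": "jane.doe.ceo@freemail.example",
        "Subject": "Urgent wire transfer",
    },
    "lookalike_domain": {
        "From": "Sam Patel <sam.patel@examp1e-insurer.test>",
        "Subject": "Invoice approval",
    },
    "hidden_reply_to": {
        "From": "Accounts <accounts@example-insurer.test>",
        "Reply-To": "accounts@mail-relay.example",
        "Subject": "Updated bank details",
    },
}


def triage_all(messages=SAMPLE_MESSAGES):
    """Map each sample message name to its list of findings."""
    return {name: analyse_headers(h) for name, h in messages.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {findings or 'no findings'}")
```

Each finding on its own is only a signal, not proof of fraud; in practice these checks sit alongside SPF, DKIM and DMARC results and the message is quarantined or tagged with a warning banner rather than silently dropped, so that a genuine executive mailing from a personal address is inconvenienced rather than lost.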
However, arguably the biggest problem levelled at insurers is the ‘internal threat’ or rather the internal infrastructure and the employees, both before and during remote working. With many people working from home, security controls off the corporate network often are not sophisticated enough to match the threat from cyber criminals.
The signs are clear: most insurers will have been affected by the pandemic, with significant losses spanning most key classes of business. This comes on top of a market that had already started to harden over the last few years and the damage the pandemic has done to both business and the economy.
Cyber criminals targeting insurers often have significant resources, which enables them to mount sophisticated attacks that combine advanced malware with other techniques such as social engineering.
Attacks on insurance firms can result in fines, legal fees, lawsuits and fraud monitoring costs. As the easyJet data breach showed, where the account details of 9 million customers were exposed, consumers have had enough of their data being hacked and are willing to bring litigation. The resulting loss of trust is no less significant than the fines and lawsuits themselves; since the insurance business revolves around trust, a data breach, however small, can damage an insurer’s brand.
Most publicly reported data breaches by insurance companies have been short-term attacks, with cyber-criminals compromising a system, stealing specific information and then quickly moving on. However, the number of long-term attacks may be growing as cyber criminals quietly slip in undetected and establish a persistent, ongoing presence in critical IT environments during remote working.
A key strategy for insurance providers must be to develop their cyber security strategy so that it improves efficiency, reduces costs, identifies profitable areas and niches, and gives transparency of business performance across distribution, underwriting, risk consulting and claims. To implement such a strategy, however, insurers and brokers need to understand what data they hold and where it is held, because in reality it is often stored in unconnected systems.
Another way to disrupt cyber attacks is to use technology to focus on the employees who are most vulnerable to spear phishing during remote working. According to the Cyberthreat Defense Report, hackers use finely tuned, personalised tactics to trick users into breaking security procedures, with 90 per cent of all cyber attacks executed using information stolen from employees who unwittingly hand their system IDs and access credentials to hackers. Investing in your company’s human firewall is therefore critical.
Any firm that cannot demonstrate robust data protection measures risks not only falling foul of the regulator but suffering potentially irreparable long-term damage. In the end, how companies choose to tackle cyber threats through innovative technology and digital transformation may reshape the conversation, if not the industry itself, and those that stay at the forefront will likely be the ones left standing.