November 22, 2025

Third-Party Risk Accounts for 59% of Insurance Data Breaches. Why?

In a previous article, we discussed the alarming frequency of cyberattacks within the Hospitality sector, notably the widely reported Booking.com incident. However, Hospitality is far from the only industry targeted by cybercrime. Various reports and articles confirm that no particular organisation or industry is safe from cyberattacks.

The insurance industry runs on a vital yet complex network, from carriers and reinsurers to brokers, claims processors, and specialised IT providers, all of whom play a role in the industry’s supply chain. That network is one of the weak points for both external and internal threats.

Third-party attack vectors are responsible for a significant majority of cyber incidents in the insurance sector, highlighting critical supply chain vulnerabilities. According to a recent SecurityScorecard study [1], 59% of breaches among the top 150 insurance companies were caused by such third-party vectors. This demonstrates the systemic cyber risk inherent in an industry that holds a vast amount of sensitive financial and personal data.

Andrew Correll, Senior Director of Cyber Insurability, commented, “Insurance companies’ reliance on technology to manage daily operations has outpaced their ability to secure it. Cyber risks don’t stop at the first layer of defence—they extend deep into the supply chain, where vulnerabilities are harder to detect and even harder to mitigate.” [1]

Why are insurers becoming prime cyber targets?

Holding large quantities of confidential data (contact details plus financial information, medical records, and much more) is just one of the reasons that insurance is vulnerable to cyberattacks.

As mentioned earlier, the industry has a complex supply chain network combined with many meticulous, human-operated systems and workflows. As a result, an intrusion might go unnoticed for some time. On the other hand, insurance staff responsible for data analysis often lack the knowledge needed even to identify, let alone remediate, threats associated with these diverse data types.

Insurers also face constant pressure to provide swift customer support, which is potentially another factor that makes them more susceptible to manipulation and social engineering.

What about technology? Aren’t these advanced solutions supposed to protect businesses from harm? The growing dependence on technology to deliver more personalised and real-time experiences inadvertently expands organisations’ attack surfaces, leading to more potential vulnerabilities and opportunities for human error.

These breaches serve as entry points into entire ecosystems. Once attackers compromise an insurer’s systems, they can escalate their activities, staging broader campaigns involving ransomware, data theft, and fraud that directly target policyholders.

Common Cybersecurity Threats Impacting Insurance Companies

The cost of weak cybersecurity in insurance companies

Weak cybersecurity will impact three key areas of the insurance company:

– Financially: The immediate, measurable expenses after a breach or attack:

+ Investigation to identify the source, scope, and impact of the incidents

+ Recovery costs to restore systems, patch vulnerabilities, or deploy new security solutions

+ Ransom payments made to the attackers to decrypt data

+ Downtime of the infected system, which leads to delays, loss of revenue, and other expenses

– Legally: Intangible and long-term costs that erode the stability of the business:

+ Trust and reputational loss

+ Unwanted lawsuits or ongoing legal battles

+ Increased insurance premiums

– Strategically: Costs associated with the insurer’s competitiveness and risk management:

+ Security issues weaken the insurers’ data integrity, making it difficult to accurately assess clients

+ Resources are diverted to focus on fixing security and compliance issues, slowing growth

+ Severe and cascading impacts on the entire partner ecosystem

Is your business ready and willing to weather this type of storm, one that originates digitally but leaves a very real and tangible impact?

Who is responsible for safeguarding insurers in cyberspace?

While it is true that everyone should play their part in the battle against cybercrime, this problem will not be solved with only one side taking action. It is important to remember that cybersecurity is a constantly evolving field, and it will take all of us working together to keep the internet safe from malicious attacks.

There are four levels of protection when it comes to risk management for insurance companies:

1. Avoidance: Simply choosing not to engage in risky activities.

2. Mitigation: Implementing measures to reduce the severity or likelihood of a financial loss in case a cyberattack occurs.

3. Transfer: The mechanism by which the insurer shifts a portion of its assumed risk exposure to another party (through premiums), thereby protecting its own balance sheet from outsized losses.

4. Acceptance: Acknowledge that there can be instances in which the company cannot achieve 100% security, and there might be certain residual risks that remain. Risk acceptance, or retention, is the deliberate decision by the insurance company to bear this remaining risk itself.

By consciously defining the level of risk acceptance, insurance companies can allocate resources efficiently and ensure that management is fully aware of the maximum potential uninsured loss they may face.

However, understanding the risk alone does not protect insurers from cyberattacks.

Human error is the root cause of most data breaches, often occurring when a staff member accidentally or negligently downloads malware. Awareness through proper training is a key defence against practically any crime. Investing in training ensures insurers can transform this known human weakness into a solid layer of defence.

Training programs should address crucial knowledge gaps, including the importance of cybersecurity, password hygiene, physical security, data protection legislation, and how to identify and respond to phishing attempts, particularly ones that utilise social engineering.

Beyond periodic training, insurers must actively foster a robust cybersecurity culture, which goes deeper than simple training. Cybersecurity culture takes a long-term view, embedding cybersecurity engagement into every facet of the organisation.

What about risks from third-party vendors? Three words: third-party risk management. This is achieved by:

1. Risk identification and assessment: Conducting thorough due diligence before onboarding any new vendor and performing regular, ongoing assessments of existing vendors to identify potential vulnerabilities.

2. Remediation policy: Establishing clear, non-negotiable security standards and contractual obligations that all third parties must adhere to, including mandated encryption standards, incident response protocols, and continuous audit rights.

3. Systemic integration and control: Implementing technical systems that monitor the security health of third parties in real time and continuously look for vulnerabilities or signs of a breach.

4. Communication: Insurance firms must proactively collaborate with their network, providing guidance, sharing threat intelligence, and working together to promptly remediate any discovered weaknesses in their systems and policies.

Ultimately, by rigorously managing third-party risk, insurance companies can significantly mitigate the likelihood of a major incident originating from an external partner, thereby protecting policyholders, maintaining trust, and securing their critical business operations.

Beware of the emerging threat “Cybercrime-as-a-Service”

Cybercrime-as-a-Service (CaaS), doesn’t that sound evil already? It dramatically lowers the entry barrier for digital threats, enabling threat actors to launch cyberattacks with minimal or no technical expertise.

For CaaS to work, it needs specialised vendors, who can be either traditional organised crime groups or especially skilled individuals looking to make quick money [2]. These unusual service providers offer packaged “cybercrime” tools in exchange for cryptocurrency. Transactions occur primarily on encrypted messaging platforms and dark web marketplaces. Almost any common cyberthreat can now be purchased “as a service,” including phishing kits, ransomware, malware, Distributed Denial-of-Service (DDoS) capabilities, and botnets.

In short, threat actors (a.k.a. bad guys) can simply purchase or subscribe to (how insane) the tools, services, platforms, etc., offered by these providers in the dark. What’s more alarming is that CaaS has gradually evolved from an emerging phenomenon into a full-fledged industry operating across the globe, which goes some way to explaining the increasing number of attacks and data breaches occurring in the digital world today.

This once again signifies that businesses are constantly facing new and existing threats, and the only way to move forward is to stay aware and stay updated.

To help modern businesses navigate the unprecedented future, TRG is dedicated to delivering crucial business insights and technological news bi-weekly through our curated and completely free newsletter. Subscribe today to always stay informed!

Sources:

1. https://securityscorecard.com/company/press/securityscorecard-report-59-of-breaches-impacting-insurance-sector-caused-by-third-party-attack-vectors/

2. https://www.microsoft.com/en-us/corporate-responsibility/cybersecurity/what-is-caas/
