A KPMG survey of 100 insurance industry CEOs revealed that less than 20 percent felt their organisation was fully prepared for a cyberattack. And that’s a dangerous place to be.
And the prediction is that with banks and other financial institutions responding to cyber threats with increased security, attackers are moving on to find weaker targets. This is bringing insurance companies and their ageing legacy systems increasingly into the firing line.
1. Taking Ownership
Cybersecurity is a business-wide issue, not just an IT issue. And a data breach is not just bad for PR – it can also be catastrophic from a regulatory and legal point of view. Just think about this recent case where a disgruntled senior auditor at UK supermarket Morrisons stole the financial details of 10,000 colleagues and released them online. The supermarket didn’t think they were liable for his actions, but the law did and ordered it to pay compensation to those whose data were compromised.
The lesson is not only that an attack can come from any quarter, but that the people at the top of the organization will be held responsible for it.
Many CEOs in the insurance industry are responding to this pressure by making sure their Chief Security Officers now report directly to the Chief Operating Officers, creating a more direct relationship between the business and the people responsible for keeping it safe.
The other lesson here is that cybersecurity benefits from strong central controls. There may, however, be obstacles to creating this kind of company-wide security strategy. For example, in insurance businesses where years of M&A activities have led to fragmented and siloed business units with different challenges and solutions in place.
Even so, central ownership of strategy, policy and procedure, as well as clear lines of sight upwards, downwards and across the organisation is key to controlling the risk of cyber breaches.
2. Be Vigilant
Being vigilant means making sure there is full threat awareness throughout an organization.
It’s important to know where your potential areas of weakness are and to limit access to sensitive data as much as possible. Do you know who has access to which systems and what they are entitled to do? Or rather, are there policies in place that ensure this information is disseminated, recorded and controlled securely throughout your company.
There are myriad areas of concern. Are best practices and procedures consistently and properly implemented across the organisation? Are you able to control access to systems centrally? Do you have unified endpoint management with integrated mobile threat defence in place? Are Information and IT asset registers complete and up-to-date?
Where the system landscape is heavily fragmented, possibly as a result of adopted legacy, data may be stored in different places which, in turn, increases risk. Maintaining security across multiple systems is no mean feat.
In the new digital landscape, where there is likely to be an ecosystem of third-party participants, including channel partners and supplier of ancillary services, – the risks associated with them need to be assessed and controlled.
3. Be Prepared
Having the right structure and the right balance between centralized and decentralized services will help you manage cybersecurity, reducing the risk of an attack as much as possible.
Maintaining up-to-date email, web and anti-virus protection, and applying patches in a timely manner is also fundamental to cybersecurity.
But one of the key pieces of advice from cybersecurity experts is to have in place a proper response and recovery programme in case the worst does happen. Best practice includes ‘red teaming’ exercises, simulating the way an attacker behaves to improve the way you will be to handle a hacking incident, as well frequent drills and training for employees.
One of the most demanding parts of a cyberattack is mobilizing the resources you need to address the problem itself and then the impact on the wider business, including any commercial and reputational damage you may suffer. Have you got the software professionals in place to step in at a moment’s notice to fix the problem? Do you have access to the legal and PR people you will need to mitigate damage to your brand or handle a regulatory backlash?
Legacy Systems are Most Vulnerable
Finally, it’s worth remembering that across sectors it’s older legacy systems that have been targeted and proved vulnerable to the most crippling cyberattacks. The WannaCry attack, for example, which hit the UK’s National Health Service in 2017, affected 48 hospitals and 16 other companies associated with the organization.
For their part, insurance companies still operating with ageing legacy systems should be mindful of these potential vulnerabilities and consider how well their systems, individually and as a whole, are designed to keep confidential data secure. Many firms are now overcoming concerns about managing data in the cloud, recognizing the significant investments leading cloud infrastructure providers have made to safeguard their customers’ data.
In the long term, the new digital ecosystems that support the modern insurance business, together with increased threats from ever-more sophisticated cyber criminals, will require companies to have a highly robust and secure systems architecture.