Industry experts tell Insurance Times what preventative steps insurers need to take in order to avoid possible data breaches and other cyber attacks where criminals are lured by the honeypot of stored customer data…

WE ASKED: “Insurers themselves could be viewed as the targets of cyber crime due to the vast amount of data they hold; how can insurers protect themselves from this threat?”


Paul Wishman, vice president of financial services, CGI UK

“The very nature of the services provided by (re)insurance companies makes them attractive targets for a variety of cyber threat actors, especially organised crime groups. Since the start of the Covid-19 pandemic, cyber related organised crime has grown at an exponential rate. The motivation of the attackers is to obtain sensitive data relating to individuals to either sell on the dark web to the highest bidder, or for extortion where malware-as-a-service cartels will threaten to dump sensitive data, gathered as part of a breach.

“Over the last six months, phishing campaigns in this area have increased by over 650%. Cyber intelligence specialists within CGI UK’s cyber security operations team have been tracking an exponential rise in data breaches affecting companies across the financial services sector. While this is a cause for concern, the types of attack methods used by threat actors can be easily mitigated against by ensuring technical vulnerabilities are actively identified and rapidly remediated. Equally, by training members to identify cyber threats within an organisation, such as sophisticated phishing campaigns, you can reduce the likelihood of inadvertently giving access to criminals.

“The vast majority of successful attacks are the result of a successful phish. It is crucial that phishing detection and mitigation strategies are deployed to identify malicious emails and that heightened vigilance is applied to areas where sensitive data is stored. Furthermore, companies should ensure that perimeter remote access points that are under increased stress due to the new home-working lifestyle are hardened and monitored, requiring users to use multifactor authentication.”


Alain Camenzind, head of cyber defense strategy and solutions, Swiss Re

“The evolving global cyber risk landscape shows that cyber risk exposure is constantly growing. Ransomware attacks have become more sophisticated and costly, the average total cost of data breaches has increased over the last year and regulatory bodies impose high fines for not protecting personal data.

“Phishing, malware, extortion, espionage as well as fraud and fake news are the current trends - the number of instances involving Covid-19 as an attack vector has increased too. Most companies even expect the threat landscape to worsen because of key events, like the US election coming up. Further usage of technologies like vishing, which is a form of phishing, is on the rise as an attack vector and will increase chief executive fraud, artificial intelligence (AI) technology and voice impersonation schemes.

“The insurance industry is no different than any other when it comes to exposure to cyber attacks. At Swiss Re, we accept that cyber resilience is a constant journey and requires ongoing and concerted efforts to foster a strong security culture and an effective and efficient cyber defence programme. Addressing cyber defence on a corporate level includes proactive involvement of the business to secure its ownership of cyber defence responsibilities, a well-established central coordination point and additional investments to address the continuously growing cyber risk exposure.”

Christian Arndt, cyber security director, PWC


“The volume of data insurers collect means that they are on the radar of cyber criminals, not only from a data theft point of view but also from a ransomware perspective - a major trend in cyber for the last couple of years. This, in combination with years of underinvestment in cyber security, can make these firms a target.

“Insurers’ main challenge in protecting their data and systems is their heavy reliance on old legacy technology estates. Several generations ago, both insurers and banks were early technology adopters, which enabled them to process and store data like never before. Now, in an effort to embrace the web and digitisation, new has been built on top of old, creating a complex environment that is increasingly difficult to protect.

“In trying to secure these complex environments, insurers have ramped up spending on security over the years. However, as technology races ahead and criminals become more sophisticated, these costs will only continue to increase. To escape this increasing cost cycle, insurers will need to think about how they might transform their business and IT to make them more ‘securable’. This could potentially require accepting more short-term risk and investing security spend in moving off legacy systems, alongside consolidating technologies, accelerating cloud adoption and, ultimately, reducing complexity.”

Oisin Fouere, head of cyber incident response, KPMG

“Insurers, despite supporting other businesses with their own cyber breaches, are not immune and must manage any threat accordingly. Covid-19 has brought additional pressures and an increase in security risks.

“While the physical risks created by remote working are perhaps the most discussed, it is critical that all firms consider other ways in which their workforce is more vulnerable at this time. Cyber security is not just an IT issue, it’s also about educating employees - if they are knowledgeable about what constitutes a security risk and how to protect themselves, this reduces the threat considerably.

“Insurers must consider maintaining the segregation of networks so that functional parts of the network, such as end points and servers, are logically separated, while critical client data should be segregated. They should also impose multi-factor authentication on all perimeter and privileged systems - remote desktop or virtual private network (VPN) systems, for example, should only accept multi-factor logins. These use a username, password and a one-time token.

“Lastly, insurers should create a segregated back-up environment; back-up environments are often attached to the main network with no access control or logical separation. However, these should be isolated to prevent attackers from gaining access, especially with the rapid growth of ransomware attacks.”