The digitalization of the insurance industry is bringing about benefits from improved customer services to operational efficiencies within the organization. On the flip side, these technological advancements have also increased the risk and scope of cyber attacks for insurers, who store significant amounts of sensitive data from policy holders.
The cost of cybercrime globally is expected to reach $10.5 trillion by 2025 [1]. Recent examples in the insurance industry highlight the scale and scope of the risks that companies face as cyber attacks ramp up. Earlier this year and as widely reported, attackers targeted two French companies that manage third-party payments for health insurance, exposing the personal data of an estimated 33 million people in the largest data breach in the country's history [2].
From ransomware to business email compromise (BEC) and risks from Internet-of-Things (IoT) platforms, there is a growing list of threats that insurers must be vigilant about. Here are some key vulnerabilities that companies must address to ensure security as digitalization ramps up and the use of technologies such as Internet-of-Things and artificial intelligence evolves:
- Legacy systems and technical debt: Legacy IT systems present significant cybersecurity challenges for insurers. Outdated software and systems that have been in place for many years may lack the latest security features and patches, leaving companies vulnerable to cyber attacks that exploit known vulnerabilities.
- Direct ransomware: Ransomware attacks, which encrypt company data until a ransom is paid, pose a significant threat. As insurance providers hold valuable policy details, they are often prime targets. Such attacks can disrupt operations, compromise sensitive information and cause both financial and reputational damage.
- AI-augmented social engineering: Cybercriminals can also exploit human behaviour rather than technical weakness. Attackers targeting insurance companies may deceive employees using tactics like phishing emails, phone calls posing as legitimate authorities or in-person interactions to obtain login credentials, personal data or access to sensitive systems. AI has significantly enhanced these social engineering attacks. AI chatbots can convincingly impersonate humans, engaging in natural conversations to build trust and extract sensitive information. Deepfakes create realistic synthetic videos and audio, enabling attackers to impersonate authority figures or loved ones to manipulate victims. Additionally, AI can generate large amounts of content that mimics various writing styles and emotional nuances to influence opinions and promote specific narratives. Voice synthesis allows attackers to precisely mimic a target's voice, enabling them to impersonate trusted individuals like CEOs or company representatives through AI-generated voice calls or "vishing" [3] attacks.
- Third-party cyber breaches: With over 88% of insurance leaders relying on third-party providers [4], the scope for attack expands, increasing vulnerability to breaches. Cybercriminals often exploit compromised vendors, underscoring the need for robust attack-surface monitoring and Third-Party Risk Management (TPRM) strategies. Some threats we have mentioned above also apply to third-party vendors, such as outdated systems and ransomware attacks. Additionally, the following vulnerabilities must be addressed:
  - Business Email Compromise (BEC) and Business Communication Compromise (BCC): Cybercriminals gain unauthorized access to third-party vendors' email accounts or communication channels, which can lead to infiltration of insurance companies' systems or theft of sensitive data.
  - Data Breaches: Breaches at third-party vendors can expose insurance companies' customer data or proprietary information, resulting in regulatory penalties, legal action and damage to reputation.
  - Distributed Denial of Service (DDoS) Attacks: By targeting third-party vendors with DDoS attacks, cybercriminals disrupt their services, indirectly impacting insurance companies' operations and customer service.
  - Lack of Cloud Visibility: Insurance companies may have limited visibility into the security practices and controls implemented by their third-party cloud service providers, increasing the risk of cyber threats.
  - Insecure Remote Access: With the increasing adoption of remote work and bring-your-own-device (BYOD) policies, third-party vendors may have insecure remote access solutions, exposing insurance companies to cyber threats like man-in-the-middle attacks or unauthorized access.
- IoT Vulnerabilities: IoT allows insurers to provide additional services such as driver feedback, home monitoring, and health/fitness tracking. However, embracing IoT also exposes insurers to risks including cyber-attacks, data breaches and operational interruptions, potentially resulting in financial losses and harm to their reputation. Key cyber threats include:
  - Data Breaches and Privacy Violations: Unauthorized access to personal health information, medical records and biometric data can lead to privacy violations and potential misuse of sensitive data. Hackers may target systems to steal this valuable data.
  - Insecure Communication Channels: Inadequate encryption or insecure communication channels can expose sensitive data during transmission, making it vulnerable to interception and eavesdropping.
  - Botnets and DDoS Attacks: Insecure IoT devices can be recruited into botnets and used to launch large-scale DDoS attacks, disrupting online services and networks.
  - Malicious Apps: Rogue fitness tracking apps or malware disguised as legitimate apps can steal data, gain unauthorized access to device sensors or serve as entry points for further attacks.
Cyber Maturity Rating
An organization's maturity level in terms of cybersecurity practices and capabilities can be measured by a Cyber Maturity Rating system. This assesses how effectively an organization manages and mitigates cybersecurity risks across various areas such as governance, risk management, security controls, and incident response.
The rating can be determined through a comprehensive evaluation of an organization's cybersecurity posture, typically by using a structured framework such as the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) for assessment against predefined maturity levels or criteria. These criteria may include factors such as the existence and effectiveness of cybersecurity policies and procedures, the implementation of security controls and technologies, the level of employee awareness and training, and the organization's ability to detect, respond to, and recover from cybersecurity incidents.
The rating therefore helps organizations identify areas for improvement in their cybersecurity posture, providing valuable insights for prioritizing cybersecurity investments, allocating resources and enhancing overall cybersecurity resilience.
The average cyber maturity score for insurance organizations is currently at a Medium-High Maturity Rating [5]. However, despite this relatively positive assessment, there are notable vulnerabilities in certain areas. Specifically, weaknesses are evident in the management of third-party suppliers and in the ongoing digital transformation efforts within the sector. These vulnerabilities make insurance companies particularly attractive targets for cyber adversaries.
Call for action
In summary, the digital transformation within the insurance sector is bringing about promising advancements in customer services and operational efficiencies. However, alongside these benefits come significant cybersecurity challenges that must be addressed.
The adoption of digital technologies like AI and IoT presents opportunities for personalized insurance offerings and streamlined processes. Yet, the sector faces increasing regulatory scrutiny and evolving cyber threats, including ransomware, social engineering and third-party breaches. Recent cyber incidents serve as stark reminders of the pervasive nature of these threats, with millions of individuals affected by data breaches and ransomware attacks.
While the average cyber maturity score for insurance organizations is relatively positive, vulnerabilities remain, particularly in managing third-party suppliers and navigating digital transformation efforts securely. Addressing these weaknesses is essential to safeguarding customer trust and maintaining operational stability in an ever-evolving digital landscape.
How A&M Can Help
By conducting detailed cyber risk evaluations, A&M identifies vulnerabilities in business assets, processes and technologies, providing tailored initiatives to mitigate these risks. In designing a multi-year cyber-ambition roadmap, A&M helps your organization develop a strategy that is aligned with your business goals and regulatory requirements and outlines concrete steps to achieve year-over-year cybersecurity maturity. A&M's clear analysis shows how investments will reduce risks and prevent losses, optimizing spending and externalization.
A&M can also provide personnel for interim chief information security officer (CISO) roles, ensuring continuity in cybersecurity leadership during transitional periods or operating model changes, while facilitating seamless knowledge transfer to permanent staff. Conducting table-top simulations, our senior experts test and improve the company's crisis response plans, training staff on effective techniques to enhance readiness. Furthermore, we review and refine current cyber operating models, incorporating industry best practices and the latest advancements in cybersecurity operations.
With its wide array of services, A&M can support insurance companies in enhancing resilience and upskilling personnel in a sustainable way. This involves improving risk management, strategic planning, budget justification, leadership support, incident preparedness and operational efficiency. This ensures regulatory compliance, protects critical assets and maintains strong defences against evolving cyber threats.
Footnotes
1. Cybercrime To Cost The World $10.5 Trillion Annually By 2025
2. France gets hit with its largest data breach ever
3. Vishing is a type of social engineering scam where attackers use phone calls to deceive individuals into revealing confidential information.
4. Top 5 cyber risks for insurance companies
5. Source: A&M internal data and experience
Originally published by 10 September, 2024
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.