“82% of the largest insurance carriers are the focus of ransomware attacks from cyber criminals.” 
Insurance firms deal with enormous amounts of risk as they help clients. In its most basic form, insurance is a mechanism by which risk is transferred from one party (the insured) to another (the insurer) in return for a payment (the premium), giving the insured the promise that if the worst happens and a claim is made, they will be put back in the position they were in immediately before the loss. This will be a familiar picture to many, but woven into each transaction is data, a lot of data.
As well as being risk-transfer businesses, insurance firms are data companies, dealing with vast amounts of data every day: client data (including financial, personal, health and contact information), employee data, information on prospects and third-party suppliers, and current and historical claims data, which is used to help build and price the products they sell.
Technology plays a large part in how insurance businesses deliver their services to clients. The pandemic accelerated digital transformation, and insurers and brokers now rely on digital and remote solutions to deliver their services.
Staff working from home has put more pressure on IT infrastructure. Businesses have seen an increase in email scanning, phishing and malware threats via web pages accessed by staff through company networks while they work at home, so the need for strong cyber discipline is more important than ever.
Insurance businesses also rely on technology to operate efficiently and within the regulatory framework set out by the FCA. Most brokers and insurers use third-party software to quote, place, bind, invoice and amend risks, create documents and log claims. Do we understand who is responsible for the data, and who is protecting it?
The desire for automation could come at a cost if these services suffer an outage caused by a cyber-attack.
“81% of C-level respondents think their company is not adequately protected against cyber threats.” Munich Re's 1st Global Cyber Risk and Insurance Survey, March 2021.
Risk, data and technology all offer opportunities to the insurance industry, but they also present new challenges and expose weaknesses in process and in how firms manage their own risk. We need to ask ourselves some tough questions about cyber preparedness and be robust in preparing our answers.
Written by guest authors Catherine France, Insurance Copywriter, and Francis West, Chief Executive Officer of Security Everywhere, this article explores the following questions:
- What could a cyber-attack on an insurer look like?
- What are the consequences of an insurer suffering a cyber-attack?
- How do you protect your insurance business from a cyber-attack?
- What are the cybersecurity requirements for insurance companies?
What could a cyber-attack on an insurer look like?
As banks strengthen their defences, cyber criminals are looking for new, weaker targets and are setting their sights on the insurance market. The volume of Personally Identifiable Information (PII) held by insurers is attractive to cyber criminals, who are also looking for details of cyber policyholders, which can then be used to target businesses that hold cyber insurance.
Ransomware is the biggest threat. Alongside stealing data on policyholders, attackers deliberately look for details of a company’s cyber insurance cover, which can also reveal details of its security standards and processes; these can be used for fraud or another cyber-attack later.
Of particular interest to hackers are companies whose cyber insurance policies include cover for the payment of ransoms; these are targeted to maximise the chance of making money from a ransom payment.
Insurers are under additional pressure from data exposure if ransomware attackers publish the data to the dark web: there are regulatory consequences and reputational damage. According to the Forbes Insight Report, 46% of businesses suffered reputational damage following a breach in 2019. The theft of data coupled with the threat of disclosure and subsequent reputational damage is a step away from the traditional method of encrypting data and holding it to ransom. The additional threat of dumping the compromised files on the dark web, where other criminals can access them, puts more pressure on insurers to pay, given the potential damage to customer confidence and the legal or regulatory implications of exposing customer or employee data.
There are two main sources of cyber-attack. The first is the web: as we conduct more business online, and as clients expect to access their insurance via web portals, an app or even a plug-in to their vehicle, there are more ways for hackers to find a weakness in a company’s security and more ways to access and steal data. The second is employee error, where business email is compromised. The rapid acceleration of home working during the pandemic has seen a dramatic increase in the number of phishing scams, exposing vulnerabilities in security systems and in a company’s ability to protect its networks. These threats are not entirely new, however: a Google survey found that 65% of people reuse passwords across multiple or all accounts.
Insurance firms have become more reliant on cloud services, an already highly concentrated market. There are warnings that, with a single point of failure through shared software, hardware and vendors, incidents could in principle spread more quickly, leading to higher losses for financial institutions and stress in the financial system.
Without a doubt, insurers need to be on high alert. The threat of cyber-attack is not going away, and their approach to the existing threat, and how they build cyber resilience into new developments in technology, will shape how well they can predict, prevent, react to and recover from cyber-attacks.
What are the consequences of an insurer suffering a cyber-attack?
If an insurer or broker suffered a cyber-attack, the consequences could be far-reaching and costly in terms of time, money and reputation: an initial interruption to the business and material costs, ongoing operational issues, direct financial consequences, and reputational damage that could be irreversible.
A recent report by Hiscox shows insured cyber losses of $1.8 billion in 2019, up an astonishing 50% year over year.
The type of attack will of course determine what happens in the aftermath: whether data is encrypted or exfiltrated, whether there is a ransom demand, whether data can be recovered from a backup, how quickly you can get back up and running, and so on.
Insurers also face fraud risk, where PII on retail customers, including health information for travel and sickness policies, and high-net-worth clients’ details of cars, pets, antiques and collectables, could be sold to criminals and used in identity theft. Stolen data may also be combined with data hackers already hold from other sources and sold on to criminals.
Reputational damage and cyber risk go hand in hand, as identified in Aon’s 2019 Global Risk Management Survey, which rates damage to reputation/brand and cyber as the number one and number three risks respectively for UK businesses. It highlights the point with the example of TalkTalk, which lost the personal details of over 150,000 customers and subsequently lost 100,000 customers who no longer trusted the business with their data. The impact on a business can be catastrophic, also depressing the share price, putting off would-be investors, deterring the best talent and reducing the business’s earning potential.
Beyond reputational damage, any attack on an insurer or broker is likely to catch the attention of the regulator, in this case the Financial Conduct Association (FCA) as well as the Information Commissioner’s Office (ICO). It is also likely that the FCA will look closely at how insurance businesses process, retain, delete and store data, in line with its ongoing commitment to promoting positive customer outcomes.
However, there is more positive news for companies that communicate quickly, are honest and genuine, and actively and thoughtfully plan for such events: the Aon report highlights that customers are more likely to forgive, and even reward, those who embrace and respond effectively to a cyber event.
Which insurers have suffered a cyber-attack?
There have been several high-profile cyber-attacks on insurance companies, including the following:
- Tokio Marine Insurance Singapore
- CNA Financial
How do you protect your insurance business against cyber-attack?
While insurers actively work with risk every day, in cybersecurity they have lagged behind other financial businesses, namely banking, in investment, focus and capabilities. Moving customer services to digital channels gives cyber criminals a target to attack, so insurance firms need a strong cyber security programme.
Prevention is far easier than trying to fix the damage, and that means taking IT security seriously within your business. As a matter of course you should:
- Keep software regularly updated.
- Protect data with multi-factor authentication.
- Keep regular, good-quality backups that can restore data quickly. If you can restore your data, then you will not need to consider paying a ransom if the data is stolen.
- Train your staff. They need your support and training to recognise good security practices and to know how to protect the data they work with as attacks become more sophisticated. With over 300,000 people working in the UK insurance market, hackers have a lot of people to target.
- Run anti-malware, anti-ransomware and anti-virus software.
- Operate a robust access management system.
It is worth considering using both internal and external experts and resources to create a robust security plan that can respond and adapt to the risks posed by a cyber-attack. Security experts looking to make a real difference need look no further than the insurance industry.
How can Security Everywhere help insurance companies?
- Help them identify their own data security gaps and/or risks and how to fix them
- Help their clients understand their data security gaps and/or risks and how to fix them
- Use our Cyber Health Quiz to help their clients evaluate their biggest cyber risks in under 2 minutes and learn how to fix them
- Help their clients with advice around Cyber Insurance so that they comply when taking it out
- Make it easy and affordable for their clients to be protected by enterprise-level cyber security services, including ransom guarantees, on a 30-day rolling contract
- Penetration testing for their clients
- Internal and External vulnerability audits around data/cyber security
- Regular FREE Cyber Security Tips
- Cyber Essentials Accreditations
- Cyber Security Webinars and Seminars for their clients to improve Cyber Awareness
- Cyber Security articles and blogs to create Cyber Awareness
- Cyber Security workshops
The increasing frequency and sophistication of cyber-attacks, the fast digital transformation and the increased use of cloud computing and AI make insurers attractive to cyber criminals. Insurance firms are a natural target for cyber-attacks, as they possess vast amounts of confidential policyholder information.
While insurance businesses are familiar with identifying the cyber risks of their customers, they have been slower at identifying their own risks, missing an opportunity to get ahead of the curve. Ensuring that the data we hold on customers is safe and secure is critical to maintaining customer trust in the insurance market.
More action is required to strengthen the resilience of the insurance sector against cyber vulnerabilities, given the dynamic nature of cyber threats. A comprehensive industry-wide response that accommodates cyber risk assessment, cyber resilience and cyber insurance coverage would help create a new level of operational resilience.
“The best way to mitigate a cyber-attack is to protect yourself before it happens.”
(“Top Security Considerations for Insurance Companies”)