In the crosshairs: the (re)insurance sector and cyber threats
(Re)insurance companies should be worried about the financial and reputational havoc that could result from a ransomware or DDoS attack
(Re)insurers are getting better at managing their exposure to cyber risk as underwriters. But how prepared are carriers when it comes to an attack on their own operations?
In 2019, the European Insurance and Occupational Pensions Authority (EIOPA) was sufficiently worried about the industry’s exposure to cyber crime to release a report outlining its concerns.
“The increasing frequency and sophistication of cyber attacks, the fast digital transformation and the increased use of big data and cloud computing make insurers increasingly susceptible to cyber threats,” the report said.
“Insurance groups also form a natural target for cyber attacks, as they possess substantial amounts of confidential policyholder information.”
EIOPA found that the most common cyber incidents affecting insurers are phishing messages, malware infections (especially ransomware), data exfiltration and denial of service attacks. The main consequences insurers suffered after such incidents were business interruption and material costs for policyholders and third parties, the authority said.
According to Darren Thomson, head of cyber security strategy at consultant CyberCube, today’s insurers are fairly risk aware - but they are exposed to the same panoply of cyber risks as any other organisation.
“It’s a dynamic threat landscape, but trends that insurers currently face are ransomware, closely followed by data breach and then business interruption,” he says.
Ransomware and extortion continue to make up a sizeable percentage of cyber attacks, and are typically the cause of the most significant incidents, says James Clark, senior associate at law firm DLA Piper.
“Insurance companies are particularly vulnerable for a number of reasons. They are highly reliant on their ability to access policy, claims and actuarial data on an ongoing basis, and therefore any disruption to that access (e.g. the shutdown of a key system by a ransomware attack) is a business critical event,” he says.
“Further, many insurance companies are relatively large, well-resourced businesses with significant reputations to uphold. They therefore present an attractive target to attackers.”
High price to pay
Regulatory fines are probably the most high profile consequence of a data breach, and to date €272.5mn ($332.4mn/£245.3mn) of fines have been imposed for breaches of Europe’s General Data Protection Regulation rules, according to DLA Piper’s latest GDPR fines and data breach report, published last month.
Two fines announced by the UK’s Information Commissioner’s Office top the list of the highest ever GDPR fines: British Airways (€204.6mn) and Marriott International (€110.3mn).
However, there are other areas of potentially significant exposure, Clark says. “The costs associated with investigating, responding to and remediating a breach can be significant (think professional services fees, as well as the cost of fixing or replacing IT infrastructure).
“Second, many companies will face business disruption costs whilst an incident is ongoing and, potentially, a long-term loss of revenue if customers lose trust in the ability of the company to protect their data.
“Third, we are seeing increasing evidence of claimant law firms attempting to bring group (or ‘class action’ style) claims against companies on behalf of individual consumers who have been impacted by a breach,” he warns.
CyberCube’s Thomson thinks that lockdown potentially weakens insurers’ defences. “Homeworking is Christmas come early for cyber criminals [thanks to] home wi-fi networks that are not well secured, plus the blending of work and life where the same devices are used for both. Another factor is that IT support doesn’t work well when people are working from home. People have a habit of switching to alternative, not so secure, devices if their work laptop goes down.”
“Employees are adopting new [communication] technology at a rate not expected by even the providers - and with a rapid scale out comes security vulnerabilities,” Thomson adds.
Big changes in the way insurers store their data could be changing the industry’s cyber risk profile. In the past, most insurers operated their own data centre, plus a backup site for disaster recovery purposes. Nowadays, cloud services from providers such as Google have either replaced owned data centres or prompted a hybrid model.
This is effectively kicking the security can down the road, according to Thomson: “If you rely on one cloud vendor to provide your infrastructure there is a single point of failure, albeit with robust safety nets. Also, the contract between a user and a provider often states that their duty is to provide a robust infrastructure. Whether the data is protected, or not, is the responsibility of the user. That’s not always fully understood.”
It’s possible that, in future, insurance businesses might have multiple cloud providers to give the same sort of back-up they had with multiple data centres.
Risk management structures
Insurers are aware of the need to protect themselves from an evolving cyber threat, according to Richard MacKillican, spokesperson for the Global Federation of Insurance Associations.
“Many insurers, and particularly the larger ones, are aligning their ICT [information and communication technology] risk management structures with international frameworks and standards (such as the ISO/IEC 27000 series and the National Institute of Standards and Technology Cybersecurity Framework), and participating in cyber stress tests such as those conducted by the Financial Services Information Sharing and Analysis Center.”
For its part, Insurance Europe (the European insurance and reinsurance federation) is following the progress of a proposed set of rules called the Digital Operational Resilience Act (DORA), a legislative proposal by the European Commission that focuses on the cybersecurity of the financial sector. It covers ICT risk management, related incident reporting, stress testing of ICT infrastructure and relationships with ICT third-party providers.
The proposal is currently moving through the legislative process and is being examined by the two co-legislators, the Council of the EU and the European Parliament, which are developing their positions on it. Insurance Europe says it is calling on the EU to ensure that DORA remains risk-based.
Cyber risk management should be a boardroom issue for insurance companies, DLA Piper’s Clark believes: “It’s not just about securing buy-in and the resources to spend on security, but also about allocating those resources effectively. Doing so requires an understanding of the particular weak spots for your business, which is something that will vary from company to company.
“Ultimately, insurance companies need a thorough understanding of what data they process, where that data resides, and who it is shared with before they can build in appropriate protections.”