Unlike sectors such as healthcare, insurance companies have been spared from larger cyberattacks in recent times. However, this should not lead to a false sense of security.
Overall economic damage due to cybercrime has doubled to more than 100 billion euros in Germany alone, according to estimates by the industry association Bitkom. Criminals attack insurers and the financial industry almost daily, but so far without the spectacular consequences seen in the healthcare sector at the end of 2019, when a large-scale attack involving the Emotet Trojan completely crippled major hospital groups.
So far, attacks on the insurance industry have played out relatively harmlessly. That should not obscure the fact that the threat situation is serious and will become more so, since attackers are using increasingly sophisticated strategies and refined techniques. The European Insurance and Occupational Pensions Authority (EIOPA) reached the same conclusion in its 2019 report “Cyber Risk for Insurers – Challenges and Opportunities”: the growing use of big data and cloud computing is making the insurance industry more vulnerable to cyberattacks.
Compliance is just the basis
When drawing up a security strategy, many companies concentrate on complying with IT and data protection rules, such as those the Federal Financial Supervisory Authority (BaFin) has defined for the finance and insurance industry. The European harmonisation of data protection law through the GDPR has added to the complexity of these requirements.
But a focus on maintaining compliance does not come close to covering every aspect of cyber security, because growing connectivity and digitalization in the economy and society create new risks that management must take into account.
Liability and policies are the key words. Consider the following scenario: a company has inadequately secured its own infrastructure. Criminals penetrate its IT systems and, while searching for further information, alter the controls of a production unit to the point that it causes an explosion and fire on the company's premises. The company is insured against the loss event. But does the insurer's risk management already have an answer for “explosion caused by a cyberattack” as a category of damage?
From a technical standpoint, concentrating on gateways such as network connections, firewalls, or data loss prevention is no longer enough for a modern security strategy. With the digitalization of service offerings, closer interconnection with external partners such as fintechs, and the connection of IoT sensors and cloud services, the focus must shift from the company's own network to API, data, and identity management.
Resilience – Manage attacks before they occur
Criminals and companies are in a heated race. Attackers are professionalizing and now even use AI systems to find weaknesses in a potential victim's infrastructure. Companies respond with security solutions that likewise use AI to detect, and respond to, anomalies in network traffic or in the use of in-house systems at an early stage.
Technical measures and raising employees' awareness of risks remain indispensable. In the long run, however, they will not prevent every attack from succeeding. Sooner or later an employee will accidentally click on an unknown link, or a Trojan that the security software has not detected will slip into the network.
Accordingly, a comprehensive security approach in an insurance company must also include cyber resilience: a company's ability to withstand cyberattacks and keep operating through them. In the event of an acute attack, a forward-looking security strategy and architecture must limit the possible damage as far as possible: the attack must be identified early, malware must be stopped from spreading, and restoration of systems must begin. At the same time, processes and systems must be set up so that the organization remains manageable even in such a crisis and its ability to act is affected only minimally, if at all. Covering individual systems selectively, or relying on compliance alone, is not sufficient to create resilience.
Security by design and AI
Incorporating IT and data protection rules and adopting a uniform security strategy are essential for insurance companies. But preventing cyber risks is also a management task, and it requires a change of perspective and foresight. Every new (IT) project and every app development must build in the concepts of defense and security from the outset, and this holds especially for AI and cloud projects, which depend on unhindered data exchange between different systems. The more interfaces and external data repositories are used, the more potential attack vectors are created.
The solution is “Security by Design”, an approach in which security risks are considered already during the design and development phase. This is part of our advisers' day-to-day work to protect the security and compliance of our customers.