For two years in a row, cyber threats remain one of the top concerns for CROs. Recent cyber incidents have shown the world what hackers with malware can do to business operations, so how are risk managers handling this threat in the insurance sector?
In an increasingly connected world, it was only a matter of time before businesses started their digital transformation. The adoption of technologies has brought better customer experiences and increased value in many aspects, but it has also left a gaping hole in companies’ security.
“Our professional inclination to be upbeat and optimistic, together with significant personal and organisational investment in how things are, can lead to us being slow to react, or even wilfully blind, to major shifts in the risk landscape and our capabilities for dealing with them”, Richard Anderson, Chairman of the Institute of Risk Management, wrote.
But gone are the days when cyber security was an IT problem. CROs understand that maintaining good cyber hygiene is everyone’s responsibility. Here we asked 4 cyber security professionals coming to RiskMinds Insurance this March to help us understand the particular challenges cyber risk poses, to paint us a picture of a cyber resilient business, and to tell us whether an attack is imminent.
What are the particular challenges that cyber risk poses for the insurance sector?
Mihai Popa, IT Area Lead Continuous IT Operations, ING (MP): The insurance sector seems one of the least threatened sectors currently. With all the focus being on payments solutions or banks in general, people do not look actively in the insurance direction. The reality is that the insurance sector is also investing massively in digitalizing their relationship with the customer. This digitization also means that a lot of customer info will be available on portals or will be transferred over the internet, and today the most powerful commodity is information. Cyber criminals have started to acknowledge that this info is very valuable and is becoming more and more available, which is very attractive. We are talking about personal data of the customers and especially card data. The challenge will be to digitalize fast while keeping security at a safe level; the pressure will be high.
Mark Camillo, Head of Professional Liability & Cyber EMEA, AIG (MC): As the insurance sector becomes more reliant on technology, possible disruption, whether by cyber security attacks or system failures, can result in significant first party costs, liability and reputational damage. Also, due to the large amounts of sensitive information that the industry holds, data breaches or data privacy issues can be particularly problematic given the broad scope of the GDPR.
Rob Wainwright, Partner, Deloitte (RW): Overall, the sector is facing significant pressures to digitise, leverage cloud, and respond to InsurTech initiatives. As well as this, we are seeing a large number of mergers and de-mergers happening, all in a highly cost constrained environment.
Delivering “secure by design” and “privacy by design” systems is already difficult for the sector. But in this business environment affected by the level of change, that is now very challenging, and we are still fixing legacies.
Typical threats insurers have faced have been data loss or theft, resource availability and constraints, and also resilience, i.e. business interruption.
Collateral damage from Not Petya or direct ransomware attacks has been acknowledged and considered, but broader business challenges have meant there were limited (or no) actions taken to address the issues or to prepare for future attacks.
However, the old narrative in the insurance sector of “we are not a bank” has given way to the recognition that cyber threat is a big challenge and insurers are a target, given the amount of personal data they hold and the risk of business interruption.
On the Life & Pensions side of the sector, access to withdraw funds from pensions pots, similar to current accounts, has started to introduce an account take-over or fraud dimension. But oddly, the vast number of manual controls in insurers around this process has presented less of a risk than one would have expected.
On the product side of the business, cyber insurance is a big revenue driver. But there are a range of concerns and challenges around how those products are priced, and topics such as aggregation risk we have limited experience in.
Aurel Proorocu, Chapter Lead, Cybersecurity & Fraud, ING (AP): Cybersecurity risks are increasing every year despite the efforts of companies and their IT security teams.
At this moment, there are many challenges, but I would say that the main one is the lack of specialised security professionals. According to the 2018 CIO Agenda survey, 68% of organizations have a cybersecurity expert on board, but are still unable to manage all risks.
Overall, the problem has 3 main points. First of all, there are only a few specialists out there. Second, the few that we have receive many job offers which creates retention challenges. And finally, there are few companies that offer internal security development programmes. However, there is a good awareness trend for the latter issue. According to Gartner, by 2022, 30% of large enterprises will build a security skills management programme including experimental recruiting and talent development practices.
What are the key qualities of a cyber resilient business? How does the insurance sector need to change to become cyber resilient?
MP: I could talk about a lot of key qualities, but in general I will focus on 3 of them. I think in any domain which is related to IT we are talking mainly about awareness and common sense. These two mean that while you are designing new solutions for your clients you do understand the world in which you live and you try to take measures to protect yourself from your new developments. You need to be aware of the changes that you introduce and of the world that is around you, which is in constant change. Imagine that you have to build a house with 3 floors; for sure you will take different precautions compared to when you are building a house with only 1 floor.
The third element is knowledge. You have to keep your people educated all the time with the new trends in technology and software development in order to be able to face the new threats. The world is evolving, so the attackers and implicitly the defenders should do the same.
MC: Being able to quickly respond to and recover from a cyber attack is a high priority for the insurance sector. There’s a growing recognition that despite the best security measures in place, there is no silver bullet to prevent cyber incidents, and when they occur, companies must be able to react with speed and the appropriate expertise in order to mitigate the effects.
By offering cyber insurance, the industry in many ways is leading the way in helping not only to protect organisations from the financial impacts of a cyber event, but most of the policies also include crisis response services (forensic providers, legal assistance, public relations, extortion consultants, etc.) which can quickly contain and minimise the damage following a cyber incident.
RW: The qualities of a cyber-resilient business in insurance are in many respects very similar to the rest of the financial sector where digitisation and InsurTech have a greater impact. Organisations must ready themselves by exercising for an attack response, and employ technical measures to minimise the likelihood, frequency and impact of outages.
Specifically, the sector is moving away from “low touch” customer experience, where resilience was of less importance as manual processes could be relied on. Insurance is moving towards a 24/7 service with a changing product set, where insurance contracts aren’t necessarily 12 months but per trip or journey – again, highlighting the importance of resilience.
We have seen significant investment within the sector in cyber simulation exercises at both board and technical levels. However, we did not see a focus on technical measures on resilience and recovery after Not Petya in 2017 as we would have expected.
AP: Within the financial sector, I would say that all the players are paying extra attention to cyber-resilience, since the trust level between them and their customers has to be very high. An unfortunate event could have tragic outcomes for their businesses, and I believe most of the top executives are aware of this.
If we are talking about key qualities, the list is actually quite long. Due to different regulations, most of the companies within this sector should be aligned with a certain level of compliance that includes complex risk assessments and business impact analyses, which are further correlated with internal IT teams, projects, procedures & tasks.
Are we at risk of a cyber attack?
MP: Is it going to rain in June in Seattle? We are always under such a probability. We have to always stay sharp and keep our developers focused. Companies should create awareness and remind employees all the time that cyber-attacks could happen and that they are serious, that they can have an important impact on the company’s evolution and that this could impact their jobs as well.
Another point of view is that as long as you take care of your software and you have a minimum level of resilience, you will not attract the attention of the cyber-criminals because, generally speaking, humans have an intrinsic attitude that we will invest our time in something that is going to give a fast return. Therefore, if the company is well prepared, an attacker will try once to get in and, if it takes too much time, even if he succeeds he will not try the next time, having lost time or put himself in a dangerous situation.
MC: All companies are susceptible to a cyber attack. Companies need to attain an appropriate level of cyber security maturity to thwart most attacks and be diligent in having tested incident response and business continuity plans to quickly recover when an event occurs.
RW: In short yes. The insurance sector is an environment rich in customer data that is increasingly exposed to business interruption costs.
AP: We are always at risk of a cyber attack and I hope all companies are aware of that!
If we are talking about the financial sector as a whole, cyber attacks are mainly focused on banks (91% of the total), while insurance companies represent around 7% of the total sector (according to IMF – International Monetary Fund).
Even though the attacks are increasing in number and becoming more complex, I would say that overall, things are going in the right direction. In the past years, companies started to pay more attention to this topic and are currently investing a decent chunk of their budget in “IT security”.