Insurtech cybersecurity: An evolving space
According to the Hiscox Cyber Readiness Report 2021, the proportion of insurance businesses targeted by cybercriminals in the past year has increased from 38% to 43%, with over a quarter of those targeted (28%) experiencing five attacks or more.
Such breaches are damaging companies to the point where 17% of the report’s respondents said the financial impact materially threatened the company’s future.
So what are insurance companies doing to protect themselves financially and keep valuable customer data safe from hackers? We asked two industry experts, Altaz Valani, Director, Insights Research, Security Compass, and Jonathan Miles, Head of Strategic Intelligence and Security Research at cybersecurity firm Mimecast, about what needs to be done to protect the industry.
Digital transformation has seen cyber attacks increase massively. Has the insurtech sector been affected badly?
Altaz Valani: Insurtech has been affected by cyber-attacks, but it certainly isn't the only industry impacted by cyber-attacks. In fact, digital transformation and cyber-attacks are actually orthogonal. There are other contributing factors such as the shift to a largely remote workforce. While it is important to undergo digital transformation with security in mind, there are many other factors that need to be considered such as risk management, which is a very difficult problem today.
Jonathan Miles: The past 18 months have seen a radical change in the way companies operate. In our recent State of Email Security report, we found that email threats rose by 64% compared to 2019. This staggering number is particularly worrying since many companies are ill-prepared to deal with cyber threats: only one in five provide cyber-awareness training to their staff.
The industry also relies on highly confidential personal and financial data to assess the risk of each client and create tailor-made policies. This data is a goldmine for hackers, and the shift to a digital-first way of working during the pandemic has made it easier than ever for cyber-criminals to gain access to corporate networks and take advantage of any potential vulnerabilities.
Why are attacks happening when we have so much heightened awareness and technology to counter them?
Altaz Valani: Security is continually evolving. New threat vectors and vulnerabilities regularly emerge across a complex technology stack. There is also a marked shortage of security professionals, industry security reference architectures, and a lack of clear security risk models, making the issues with cybersecurity incredibly complex.
The context of shifting business models toward increased agility and better DevOps digital delivery brings about newer vulnerabilities that also need to be addressed. This is driving industry-wide conversations around balancing both speed and risk when it comes to innovation. That is why companies are moving towards automating their software development processes using balanced development platforms in an effort to achieve a strong balance.
Therefore, a company’s approach to security needs to evolve if it wants to continue innovating whilst also keeping cyber threats at bay and managing vulnerabilities.
Jonathan Miles: The pandemic has led to a surge in the use of digital tools and services. Yet, this hasn’t always been linked to an increase in cyber-awareness training among employees.
Cyber threat actors are opportunistic and inventive – often taking advantage of an organisation’s own information to use it against them. They assess how well the organisation secures its networks and communications processes to identify vulnerabilities in its infrastructure and defenses.
This assessment then enables hackers to formulate the attack they want to use against the organisation. This could include any weak link within the organisation, whether that’s a person or a device, as well as other entities such as business partners, suppliers, service providers, or other insurance firms, whose defenses may not be as robust, and use these external networks as an alternate way to gain access. Furthermore, criminals are cooperating, selling access to breached networks amongst themselves to facilitate further attacks.
Can large companies justify a breach happening when they have the resources to create better fortification? Or are hackers always ahead of the game?
Altaz Valani: At this point, breaches are inevitable. It’s certainly not that insurtech organisations are not trying or are incompetent. In fact, some reasons for a breach may be unrelated to technology, as in the case of social engineering attacks. The goal is to limit the breach impact and shorten the recovery time – in a word, resiliency. The use of ephemeral subsystems, microservices, and policy-driven security controls all support greater resiliency.
Jonathan Miles: Email, URL links, business email compromise (BEC), and malicious websites continue to be popular vectors for many cyberattacks. As a result, insurtech companies need to ensure that they not only protect their corporate network in the office but also guarantee that all devices and apps employees and policyholders may use to access and share confidential data are fully secure. Efficient protection in a hybrid environment should also encompass collaboration tools as well as ongoing cyber-awareness training to ensure all members of staff are armed to deal with new threats as they emerge.
Using a layered approach to fight against all cyber threats – including phishing, ransomware, and impersonation attacks – alongside a tried and tested continuity and recovery plan and having a strong backup system in place is the best method to keep a company, its customers, and its employees safe.
How can users be sure that the company they select will keep their data secure?
Altaz Valani: There is an increased emphasis today from customers on ensuring that their data is well protected. This can be a positive thing, but unfortunately, some users have unrealistic expectations when it comes to security. It's incredibly difficult to be completely free of any security vulnerabilities, but we can take the right steps to minimise the impact of security breaches.
For example, expecting every security issue to be addressed within 24 hours, or expecting a full forensic report on a data breach. What we need is pragmatism. There are several ways to help with this. Insurtech organisations need to undergo unbiased third-party audits, and only necessary user information should be collected.
Jonathan Miles: Organisations that capture and retain data have a responsibility to ensure that the data in their charge remains confidential, complete, and available only to those with a need to access it. In order to achieve this IT security triad, it needs to be underpinned by a tested, robust, and considered cybersecurity policy. This policy should identify the requirement and process for implementing updates and patches when issued, and policies for software and hardware end-of-life activity.
What kind of technology and practices can insurtechs adopt to prevent cyber attacks?
Altaz Valani: From a practice perspective, we need to include more diverse stakeholders in the cybersecurity discussion. That means bringing the compliance, legal, and risk personnel into the conversation from the start or early on. The diversity of thought from these stakeholders will provide much-needed, balanced, and cross-functional guidance.
From a technology and tools perspective, a balanced development platform that integrates the diverse views of these stakeholders without significant disruption to their existing knowledge base, risk management, audit, modeling, and asset management tools, would be ideal to address security vulnerabilities.
Jonathan Miles: Connected devices have obvious benefits for insurers, claims analysis, risk acceptance, and policyholders. These devices can instantly exchange data or instructions and provide data across the insurance network. But this is where some of the greatest dangers lie. The devices are often involved in the monitoring of individuals as part of their policy terms and conditions.
To prevent this, insurtechs should ensure that all the devices used to monitor individuals offer stringent protection, including when transmitting data over open networks, and provide consistent cyber-awareness training to their staff and policyholders.
Cybersecurity should be considered as a multi-layer, multi-discipline, and collaborative environment. Organisations should be encouraged to share information and adopt a proactive, rather than reactive, approach to securing networks, information, finances, and PII.
What does the future of cybersecurity in Insurtech look like?
Altaz Valani: The shift in emphasis from front-loaded threat analysis to mitigations has already started for many companies within the insurtech industry and outside of it. We simply cannot know every threat upfront, which is why security is being democratised across the entire software development lifecycle.
We are seeing the emergence of balanced development platforms that integrate with existing DevOps tools and perform the essential translation between security policies and software development artifacts, making application development a more secure and faster process.
Jonathan Miles: With the threat environment constantly evolving, the sector must adopt an innovative and forward-looking approach to integrated security provision. Collaboration by experts in their respective fields ensures that the three areas of security (mail/web, own domains, fake domains) can be addressed effectively.
Although likely costly, consideration should be given to replacing outdated equipment and unsupported operating systems. All devices and accounts should have passwords changed on setup, every 90 days, and when staff who have access to devices or data leave or no longer require access.
When assessing the potential for attacks, cybersecurity teams should also think beyond the risk that data will become exposed or the financial value of said data.
With 5G and more sophisticated products like IoT becoming an integral part of insurtechs’ policies, we expect that cyberthreats will continue to grow. Insurtechs will need to combine an innovative method to harvest and analyse data with robust cybersecurity strategies to keep their staff and policyholders safe.
Creating a robust, layered, cybersecurity system
Layered protection, spanning the most comprehensive security hardware to the ‘human firewall’, will need to be enhanced through a robust cyber resilience plan. This will need to consider business continuity, and how an organisation will be able to continue to operate, should it fall victim to a cyberattack. This should include:
- A separation of back-ups from the operational network
- A tried and tested continuity plan
- Provision of ongoing security training and awareness activities for all employees; this would need to be a simple, yet consistent formula that educates users, tracks responses, and tests users regularly
- Talking to employees. Finding out what they are experiencing, and what types of training and programs they would benefit from the most
- And/or making security training a business requirement with measurable goals and results
Information supplied by Jonathan Miles, Mimecast
The commentators
- Jonathan Miles is Head of Strategic Intelligence and Security Research at Mimecast and has worked in the public sector as an intelligence, counterintelligence, and security analyst for more than two decades, with particular interests in threat intelligence, cyber intelligence, and threat modeling.
- Altaz Valani is the Research Director at Security Compass responsible for managing the overall research vision and team. Prior to joining Security Compass, Altaz was a Senior Research Director at Info-Tech Research Group.