Three major insurtech cybersecurity risks in 2022
As digital transformation settles into its groove following the chaotic implementations of 2020 and 2021, better, more efficient systems to prevent major cyberattacks will be put in place. The past two years have been frenetic, as companies have scrambled to shift their services online and continue to serve customers. However, the process has also exposed vulnerabilities on a massive scale.
We take a look at the top three cybersecurity threats set to trouble the insurtech sector in 2022.
According to research conducted by Munich Re, the insurance industry should brace itself for more data breaches in 2022. Attacks that occur as a result of personally identifiable information at the risk owner’s sites, as well as an increased criticality of data, including healthcare, financial and biometric information, are on the rise. Indeed, IBM reported that, in 2020, the time it took to recognise a breach was 280 days, even though the average savings of containing a breach in under 200 days was $1mn.
This means the global average total cost of a data breach in 2020 was $3.86mn. Data shows the world will store approximately 200 zettabytes of data by 2025, which, unless strictly fortified, will lead to many more leaks in the coming months and years.
Mark Adams, Regional Director, Northern Europe at Cohesity, a data management firm that has a large global finance customer base, says a number of major onsite company cybersecurity elements should be in place to prevent attacks. “Organisations must have an up-to-date and comprehensive backup solution in place. The way to best protect the organisation against the impact of ransomware and other cyberattacks is by doing regular data backups and protecting their stored data via encryption, rendering it immutable to attack.”
He continues, “In addition, an automated rapid data recovery capability will help the organisation resume normal operations quickly, putting them in a position to reject any ransom demand.”
Ransomware on the up
Another problem that is sweeping across all commercial operations, ransomware is predicted to increase in 2022. Once considered the petty crime of small-time operatives, demands are now reaching into the millions. The increase isn’t helped by large-scale corporations capitulating to hacker demands.
For example, the ransomware attack on CNA earlier this year resulted in the company eventually paying their way out of the attack, simply because their specialists couldn’t get a handle on the attacker's strategies - and it was costing them more to hold out than to pay them off.
For insurance companies, where data and customer information are the very lifeblood of the operation, a data breach can be the death knell of the business, unless dealt with speedily and efficiently. But that’s easier said than done. Furthermore, increased payout claims for ransomware attacks also directly impact the insurance industry.
According to a recent report by Munich Re, the problem is being escalated due to the increased number of devices attached to the IoT. The payout claims from insurers to other sectors affected by ransomware are another huge area of concern. Ransomware can even put human life at risk when resources like power grids, medical systems, or transportation management are successfully targeted. For example, a hospital in Düsseldorf in 2020 was targeted by hackers and was unable to accept emergency patients after a ransomware attack. A patient, who needed to be re-routed to another facility 20 miles away, lost his life.
Altaz Valani, Director, Insights Research, Security Compass, explains, “Insurtech has been affected by cyber-attacks, but it certainly isn't the only industry impacted by cyber-attacks. In fact, digital transformation and cyber-attacks are actually orthogonal. There are other contributing factors such as the shift to a largely remote workforce.”
He adds, “While it is important to undergo digital transformation with security in mind, there are many other factors that need to be considered such as risk management, which is a very difficult problem today.”
Compromise of business emails
The third trend is related to human error in terms of fraudulent business email scams. According to figures from the Anti-Phishing Working Group, the average loss for a business email compromise (BEC) was $80,183 in Q2 of 2021, up from $54,000 in Q1.
Even more costly events occurred in 2020 when Puerto Rico lost more than $4mn across three separate BEC attacks on government agencies. Another example was when criminals stole $10mn from Norway’s state investment fund in a BEC scam.
This problem has been compounded by the remote workforce - an issue that is slowly being addressed by companies fortifying their systems and creating a hybrid working environment for the majority of staff, who are back in the office either full-time or part-time.
However, studies suggest that identifying scams like BECs will continue to be challenging for cyber risk specialists in the remote work environment. In addition, the supply of technology will contribute to this as well, for example, when deep-fake audio and video are utilised in tandem.
Jonathan Miles, Head of Strategic Intelligence and Security Research at cybersecurity firm Mimecast, explains, “The past 18 months have seen a radical change in the way companies operate. In our recent State of Email Security report, we found that email threats rose by 64% compared to 2019.”
He concludes, “This staggering number is particularly worrying since many companies are ill-prepared to deal with cyber threats: only one in five provide cyber-awareness training to their staff.”