Why Cybercrime is Driving Change & Innovation in Insurtech
Malware, ransomware and phishing: these terms strike fear into the hearts of digitally-driven businesses globally. A hack could mean the difference between survival and failure in our data-sensitive age of technology ‒ and cybercriminals know it.
Political instability has contributed to a problem that was already awash with complications, from advancing technologies to a shortage of talent in the space ‒ and the challenge of helping companies realise that even the simplest change could result in the difference between preventing and suffering from a hack.
According to Nasdaq and reports by Check Point Software, the scale of breaches is increasing exponentially. In May 2021, insurers paid $40mn in ransom to hackers. But since then, the IoT has continued to explode, the vast majority of companies globally are continuing to operate via a remote workforce, and political instability has ramped up the risk factors.
Major cybercrime threats facing insurtechs
Alex Jinivizian, Vice President Strategy and Corporate Development at eSentire, believes the volume of challenges facing the insurance industry ‒ not just regarding their own security, but for that of their customers ‒ has never been higher.
“Insurtechs are part of a highly integrated ecosystem of multiple firms, covering everything from claim management, quotation and policy management to customer web portals, complex processing and analytics. We know that the attack surface has expanded to the extent that there is no real traditional security perimeter for businesses. The confidentiality of customer data is a key asset, as well as intellectual property from some of the newer insurtech players using proprietary technology.”
More sophisticated phishing campaigns and business email compromise also remain significant threats. “We see drive-by attacks and social engineering also increasing. We have seen major supply chain attacks over the past 12 months ‒ SolarWinds, Kaseya, Log4j ‒ affecting all industries,” he says.
Nigel Jones, co-founder of Privacy Compliance Hub, agrees, and believes failure by companies to adequately train their staff to fend off and fortify systems against attack is a leading cause of breaches. “Your greatest cybersecurity threat is your staff, but you obviously can’t get rid of them, nor should you. The reason for this is that it is one of your people who will mistakenly leave the door open for a cybercriminal to walk through, either physically or virtually.”
He goes on to explain further: “They need to engage their people in an effective way to care about privacy and security. If people understand the seriousness of these issues from a personal point of view, they will care sufficiently to make sure that such risks are minimised whilst they are at work. Getting your staff to do a training session is insufficient; it’s about building and maintaining a culture of continuous compliance.”
Cybercrime technologies can help prevent hacks
New technologies in this space are key to helping prevent cybercrime events, although the situation is akin to a continual game of cat and mouse: as new protections emerge, hackers routinely work to find ways around them.
Jinivizian believes foundational preventative technologies are key. But he also says that they are simply part of the overall solution, which is about managing business risk from a holistic perspective. “In an ideal situation, the conversation should start with senior management, about what assets are at risk and need to be protected, what is our level of security maturity, and what are we aspiring to achieve through our cybersecurity strategy.”
He explains that, if 50% or more of UK businesses have experienced a material breach or event in the past 12 months (UK DCMS report), then it’s evident many technologies are being bypassed. While every organisation is different, basic security hygiene ‒ such as proactive patch management, implementing multi-factor authentication, and considering zero-trust and privileged-access management ‒ is essential.
“Given the move to home working, having the right tools to monitor and manage those laptops and mobile devices is key. But assuming some threats bypass those technologies, there’s the need for businesses to act and respond, isolate and contain those threats to avert a compromise or critical event.”
That capability can be partly automated through technology, but with more and more sophisticated attacks being augmented by ‘hands-on’ adversaries (in other words, an individual on the adversary side actively engaged on a computer at critical points in an attack to bypass defensive controls), experienced threat hunting and threat response skills are becoming more and more important. “Businesses need to recognise that a capability beyond prevention should be in place, as ideally should an incident response plan.”
Back to basics to prevent cybercrime
The insurance industry itself is a large target for criminals, who purposely select those industries that rely on a wider ecosystem, managing and collecting vast amounts of personal data. The stakes have never been higher for both insurance companies that rely on easily breached legacy systems and insurtechs that enjoy a large number of strategic collaborations.
Carmine Del Guercio, Manager of Cyber Attack and Defence, Mazars, says it’s no surprise that the insurance industry and its technology is a high-value target to malicious actors. “They often house vast arrays of sensitive information that can be sold on the dark web ‒ from personal and financial information to actual hard cash. The insurance industry will continue to be a target for those looking for a modern-day heist.”
But he is also quick to point out that the latest technologies cannot be the only protection companies rely on. “All too often, we hear how the latest product will be the saviour of cyber security for overstretched and under-resourced IT teams. The latest Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) tools definitely have a place within the cyber security arsenal, but basics must come first.
“Our experience in red-teaming has shown that these tools require configuration and fine-tuning to provide the results companies expect out of the box. When the underlying cyber security has been neglected in favour of a shiny tool, the crumbs left behind give an attacker a way through the forest of defences in order to bypass the latest procurement.”
The future of cybersecurity in insurtech
Ultimately, cyber-attacks are not going away, ransomware incidents are increasing and payments are rising. Additionally, cyber insurance premiums are going up. A vast amount of the tools, data, and stolen credentials that adversaries use during the kill chain have been democratised, which has made the planning and preparation for a cyber-attack more streamlined and efficient.
Jinivizian concludes: “We will likely see more of the same ‒ supply chain attacks, exploiting slow-to-patch IT departments with zero-day vulnerabilities… It’s important that insurtechs ‒ and all industries ‒ think of IT security as an intrinsic part of risk management, a process of continual improvement. Technology strategies should support the business risk agenda.”