For insurers, assessing risk is a way of life, yet insurance companies sometimes struggle to evaluate and respond to their own cyber risk. The volume of sensitive personal and financial data these companies hold means that vulnerabilities in their own infrastructure should be a real concern. There is a commercial angle too: if you are trying to sell cyber cover to clients and then suffer a data breach in-house, that sales conversation becomes a fair bit harder.
The Cyber Risk Assessment undertaken by Northdoor using the RiskXchange Cyber Risk Rating Platform sampled over 150 insurance companies. RiskXchange ratings are derived from freely available, publicly observable open-source data; the higher the score, the less likely an organisation is to suffer a successful data breach in the next 12 months. Because the rating is built from an outside-in view, it reflects what an attacker can see from the internet (exposed services, email and web configuration, certificates, software versions) rather than internal controls, so a poor score is a signal to investigate, not a complete picture.
The Assessment calculated an overall risk score for the UK insurance industry of 762 on a scale of 300 to 900. The report's conclusion was that organisations should be taking immediate action to reduce their exposure to cyber risk.
The key area of concern highlighted by the Assessment was application security, where only 5.56 percent of the companies surveyed achieved an 'A' rating. A breakdown by type of company also shows some concerning trends: only 38 percent of brokers scored an 'A' on email security, 53 percent of MGAs scored a 'D' on application security, and 20 percent of insurers were rated poor or very poor on network security.
The Cyber Risk Assessment encapsulates the struggle the insurance sector faces in staying ahead of increasingly sophisticated cyber criminals. There are, however, a number of practical ways in which companies can better manage their risk and protect their data.
- Use the NIST Cybersecurity Framework (or an equivalent) to develop an information security programme
- Cultivate a comprehensive understanding of your own network
- Pinpoint areas in the business where process and policy maturity come in under par
- Ensure that your network management policies are actually being followed, and expose assets to the internet only where absolutely necessary
- Safeguard and examine network endpoints
- Confirm that an active certificate-management programme exists and is adhered to, so that expired or misconfigured certificates do not become a visible weakness
- Stay on top of software patches and upgrades
By taking these measures, organisations can address the technical flaws, behavioural risks and skills gaps that leave them vulnerable to cyberattack.
The full Cyber Risk Assessment can be accessed here