In this article John Wareing, Account Director, Red Helix, takes a look at cyber risks across the insurance industry.
The insurance industry is a critical component of the UK economy, offering safety, financial stability and the potential for growth to millions of individuals and businesses across the world. For insurance companies to keep up with the changing markets, there is a growing pressure to embrace digitalisation – with technology spending in the sector expected to increase by more than 25% between 2022 and 2026.
While updating and modernising technology is no doubt beneficial – offering increased efficiencies and improved customer experiences – an increased reliance on technology is not without risk. As the industry becomes more digital, it is increasingly exposed to cyber threats that can be extremely costly, highly damaging to an organisation’s reputation and can undermine its ability to offer safety to its clients.
Not only that, but the threat landscape is also expanding. In a recent exercise to assess the volume of attacks against London based organisations, cyber insurer Coalition configured a number of computers to act as small businesses within the capital – known as ‘honeypots’ in the cyber security industry – and found the devices were attacked 91 million times over the course of 28 days. This figure is continuing to rise, as the risk to UK businesses continues to grow.
Therefore, as the insurance industry heads towards its digital future, it needs to focus on developing a robust cyber security infrastructure that will allow it to reap the benefits of adopting new technology, while mitigating risk.
Establishing a culture of cyber awareness in the industry
One of the most important, if not the most important, aspects of any organisation’s security is its Human Firewall. Not only has it been found that 95% of cyber incidents occur due to human error, but social engineering attacks – those that target staff and deceive them into giving up network access or sensitive information – are the most common threat vector currently faced by UK businesses.
Insurance companies must pay attention to this risk. To suitably protect themselves against these types of attack (such as phishing, spear phishing, baiting and pretexting) they need to ensure their staff not only understand what they are supposed to do, but why they are supposed to do it. This can’t be achieved through just a one-off training session. Instead, it requires ongoing training delivered to all employees – from the C-suite down to the front-line staff – to ensure they are educated on the latest cyber threats, alongside regular testing to identify any knowledge gaps that need to be filled. Key to the success of this process is encouraging a culture of responsibility to remain vigilant at all times.
As social engineering attacks become increasingly advanced, and new technologies like ChatGPT begin to pose additional risk, insurance companies have a duty of care to both their staff and their customers to ensure they are doing as much as they can to keep their data protected. The first step in doing so is developing the level of cyber awareness across their staff base, identifying the areas that need improving and putting the right training in place to improve them.
Assessing the current levels of cyber resilience
As well as identifying any areas of improvement within their staff’s awareness, insurers also need to look at their organisation’s security environment for any weaknesses. While there are numerous cyber security solutions on the market, not all of them are suitable for every company. Reviewing the current measures in place will help insurers determine what is working, what isn’t working and any areas that need further attention.
The way in which the security infrastructure is assessed will also differ, depending on the size of the insurer and the technology being used, but there are some common starting grounds:
- Regularly perform risk assessments – Identify and document potential threats and assess the likelihood, and impact, of an attack.
- Continuously evaluate security policies and procedures – Ensure that the cyber resilience strategy and incident response plan are up to date, fit for purpose and aligned with industry standards.
- Test defences often – Conduct penetration testing and vulnerability scanning to determine the strength of the security infrastructure.
- Frequently review software and hardware – Make sure all hardware is capable of running the most up-to-date software, and that the software is the latest version.
- Allocate budget and resource – Keeping on top of cyber threats is a continuous process and one that will require ongoing investment.
This is not by any means a full list of requirements, rather some areas from which to begin the process. The full assessment of an insurance company’s security infrastructure will require additional knowledge of the company’s digital environment. For those without the resource for an in-house security operations centre, it is recommended to conduct such assessments with the support of an external cyber security expert.
When assessing levels of security, insurers should also take note of the requirements included in the EU’s Digital Operational Resilience Act (DORA). For any companies that deal internationally, DORA will have a significant impact on their dealings with EU-based partners, and, though it isn’t in place just yet, the UK has suggested it will legislate a UK equivalent in due course.
Additionally, as both the cost and requirements of cyber insurance continue to rise, insurers themselves need to demonstrate that they are abiding to the same level of cyber hygiene they expect from their customers. Though not all insurers offer cyber insurance, some may still be required to underwrite the policies, and any insurer that falls victim to an attack that would fall outside of the scope of their own coverage would suffer huge reputational damage.
Flexibility in the face of evolving threats
Alongside the need to develop its protection against current cyber threats, the UK’s insurance industry must also prepare itself for the evolving threat landscape of the future. It is important that companies regularly review and update their cyber security posture, as well as collaborating with other industry stakeholders to share information and best practices, to ensure their security remains effective and relevant.
Fortunately, there are resources available that can help insurers develop future-ready cyber security strategies. The National Cyber Security Centre (NCSC) is a great source of information for security and regulatory updates. Manged security service providers (MSSPs) can provide additional support for prioritising, implementing and running necessary technology.
For new technologies to be safely introduced to the industry, insurers need to be aware of, and mitigate, any associated risk. Partnering with an organisation that has the cyber security expertise to guide and educate them, as well as an understanding of their business, is often the best way to achieve this.
A secure, digitalised insurance industry
Incorporating new technologies within the UK’s insurance industry will improve efficiency, provide better customer experiences, and ultimately help to fuel the sector’s growth. However, for these technologies to be implemented safely, the increased exposure to cyber threats needs to be acknowledged and properly dealt with.
This requires insurers to develop and maintain a strong culture of cyber security across all members of staff, conducting regular assessments of their security infrastructure and taking the necessary actions to fix any weaknesses. Insurance companies must also remain flexible in their approach to security, so that they can expand their protection when necessary.
By taking these steps, the UK insurance industry can build a robust and resilient security environment that will enable it to operate safely and securely in the new, digital age.