By Chris Camacho, Chief Strategy Officer, Flashpoint.
The insurance industry plays a unique role in modern society, providing individuals and organisations with a sense of financial security when faced with unforeseen circumstances.
Unfortunately, the insurance industry is also unique in how and why it is susceptible to fraud, phishing, ransomware, credential theft, and other cyber threats. Indeed, many of these threats have become especially familiar to insurers in recent years—largely due to the following circumstances:
Modernisation and innovation have driven the insurance industry to migrate to digital channels in order to broaden the scope of its service offerings. Although these initiatives enable insurers to remain relevant amid a fast-paced competitive landscape, they also increase a company's exposure to various threats. Similar to how the healthcare sector's rushed implementation of electronic medical record systems ultimately fuelled an uptick in healthcare data breaches, the insurance industry's rapid and continual adoption of cloud-based storage and services expanded its attack surface beyond traditional on-premises risks. While these types of systems do not automatically make security incidents and breaches inevitable for insurers, they can give rise to various risks and challenges that ultimately necessitate a more comprehensive and proactive approach to security.
Cybercriminals' Shifting Targeting Strategies
Another key characteristic contributing to the insurance industry's susceptibility to certain cyber threats inadvertently stems from a prominent trend across the financial services sector. Specifically, the ongoing adoption of stronger security measures has made financial services companies, though historically seen as prime targets for cybercrime, more and more difficult for adversaries to penetrate. But rather than halting cybercriminal activity altogether, many of these stringent security measures have instead prompted cybercriminals to shift their attention toward what they perceive to be "softer" targets, such as insurance companies.
A Comparatively Lax Regulatory Landscape
Many of the financial services sector's aforementioned security measures continue to be implemented rapidly and effectively because of a strict regulatory landscape. Financial services companies have long operated under stringent requirements pertaining to secure data storage and encryption, as well as incident and breach disclosure. In the event that a financial services company fails to meet such requirements, the penalties can be severe.
Insurers, however, have historically faced far fewer regulatory requirements when it comes to information security. As a result, the industry has generally been less cognizant of how to address various cyber threats and subsequent business risks. While organisations across all sectors should strive for comprehensive security and risk strategies beyond what is required by regulations, looking to the effective security measures present in financial services and other sectors can be a valuable and insightful starting point.
The above characteristics have undoubtedly helped shape a complex threat landscape for the insurance industry. The good news is, however, that these characteristics are also driving many insurers to rethink their approach to security, risk, and more specifically, intelligence. In response, more companies are coming to regard intelligence as not just a tool to be siloed within their IT department but rather a core operational requirement. Insurance companies that integrate Business Risk Intelligence (BRI) into their security and risk programmes glean actionable insights from the Deep & Dark Web communities where adversaries congregate and develop new schemes. By applying these insights to enhance their defences and inform their security and risk strategies, insurance companies can and do gain a decision advantage over these threats and adversaries.