Crawford and Company’s recently published white paper titled The Future of Cyber Insurance reveals that the insurance industry’s response to growing cyber risks has been inadequate, and the lack of experience and data leaves insurers reluctant to offer broad coverage and create an adequate picture of the exposure.
“With such an unsubstantial commercial insurance market for cyber,” it says, “some insurance buyers are opting to put these liabilities through their captive insurer – if they have one – or simply retaining the risk on their own balance sheet.”
Insurers need to recognize the cyber risks insurance companies face and strengthen their security to respond to them. As they move more aggressively into web territory through integration and use of mobile applications, internet-based systems, and online portals, they open themselves up to new cyber risk vulnerabilities.
Cyber criminals have many reasons to target insurers, but the prime reason is that insurers store large amounts of personal information such as credit card data, social security numbers, names, email addresses, etc. Their financial exposure also entices hackers to attack company systems to gain access to credentials that could be worth more on the black market.
Online threats may not only affect insurance companies in monetary terms; a company might be able to notify customers of a data breach and recover the notification expenses – but that won’t necessarily save its customer confidence. PwC says that the average loss in reputational or brand value for a company experiencing a data breach can be between $184 million and $330 million, and the collective loss when customer trust is considered can be even costlier.
While other industries may recover from the reputational damage resulting from a breach, the bar is higher for insurers, because the reputation of a company that holds a future promise for its customers is so much more important.
Cyber criminals are also using more sophisticated attacks to extort money from companies. PwC’s clients have fallen victim to CryptoLocker, malware that encrypts files and only releases them for ransom. Additionally, adversaries are stealing intellectual property to manipulate markets, such as getting access to insights on a proposed deal between the insurer and its clients. The rigor of the underwriting process in these deals means that insurers know details about several individuals across different industries, which makes them an attractive target for criminals.
Therefore, the role of internal IT staff at insurance companies becomes important; cyber intelligence should be a part of the business model, with insurers collaborating with national and international authorities as well as external security vendors.
Such collaboration is necessary to locate vulnerabilities and come up with response strategies to resolve threats effectively. A threat may be a week away from its arrival and may go unnoticed because of a lack of effective policies; cyber attacks are a worry for insurers, and they need to act to ease concerns.
Keeping up with cyber threats
Many existing practices for prevention and mitigation of cyber threats are reactive; forensic analysis is carried out after a breach occurs. Such solutions may provide guidelines for preventing attacks in the future, but their role in recovering from reputation damage and loss of customer information may be limited.
As a result, companies need to actively seek cyber intelligence and expand their security policies to cover the wide range of sophisticated cyber risks that companies face today. Covering privacy risks is just one aspect; specialist companies can also provide cover for phishing attacks, identity theft, theft of money, fraud, etc.
Certainly, stronger measures and meticulous security management of network infrastructure are required; implementing firewalls, encryption and PC security programs is no longer enough.
Lastly, insurers need to be thinking outside their four walls. That is because strengthening internal security does not guarantee that an insurer’s service providers are addressing cyber threats. With cloud computing on the rise in the insurance industry, how are companies covering other providers in the cloud?
The best defenses within the enterprise do not guarantee that the entities insurers do business with will have equally strong defenses. The goal should be to align security measures with both internal and external business objectives.