The insurance industry is a prime target for cybercrime as threat actors know that it is a treasure trove of sensitive data and are searching for ways to access it. Sean Tilley writes

This is evident in the growing number of insurance companies that have been hit with ransomware, phishing, and other types of cybercrime in the past year. This is supported by the IBM Cost of a Data Breach Report, which states that the financial industry was the second-hardest hit sector overall in terms of cost per breach.

According to research findings from Cybereason, the financial services industry is besieged by ransomware, data theft, and phishing attempts, ranking among the top three sectors most likely to be attacked. Notably, cybercrime has maintained its position as the most prominent global risk in this industry since 2020.  

In a crowded market, a strong cybersecurity posture can be a significant competitive advantage for any business. With insurance companies collecting large amounts of customer data and customers growing increasingly aware of the importance of cybersecurity and conscious of whom they want to give their data to, cybersecurity must be a top priority for these companies and their providers if they are to meet their various stakeholders’ requirements.

Protecting sensitive data

Insurance companies collect, manage and store massive amounts of Personally Identifiable Information (PII), which is sensitive and confidential data ranging from personal information to financial records and medical data. Keeping this information secure is paramount not only to maintaining customer trust but also to meeting regulatory requirements, which stipulate how customer data must be handled and place additional pressure on insurance companies to keep it safe.

As such, insurance companies must adapt their cybersecurity strategies to stay a step ahead of the evolving threat landscape where cybercriminals are becoming more sophisticated and are employing new tactics and technologies to breach security systems and access data.

Eroding trust and soaring costs

Trust is the foundation of any business, and the insurance industry is no exception. Customers trust insurance providers with their personal data and in return expect these companies to have measures in place to protect this data. A data breach or cyber incident not only erodes trust, damaging the company’s reputation, but can also have severe financial ramifications for the organisation.

While it can be costly to investigate, mitigate and recover from a cyber incident, in some instances, insurance companies may be held liable for the losses incurred by their policyholders due to cybercrimes. Further, cyber attacks can disrupt an insurance company’s operations, affecting its ability to serve its customers, process claims and conduct business efficiently, potentially leading to further financial losses and customer dissatisfaction.

Third-party risks

While insurance companies need to maintain stringent security standards within their organisations, it is equally important that they are aware of possible external risk factors too.

Insurance providers often collaborate with a network of third-party partners such as suppliers and outsourced partners, among others. These connections create additional vulnerabilities to the security posture of a company, while at the same time, the insurance companies retain regulatory responsibility for their third-party contracts. As such, insurance companies will be held accountable for weaknesses in their third-party partner contracts and need assurances that the same level of cybersecurity practice is in place across their third-party network. This must include ensuring that any potential risks are appropriately identified, managed, and mitigated to avoid a wider breach across the company which could affect customers.

Cyber resilience is the key to operational resilience

Building a culture of cyber resilience is key to establishing operational resilience, which is a business’s ability to continue its critical functions and deliver services in the face of various disruptions. This is particularly important for insurance companies, and to achieve it they will need to move beyond focusing on digital defences and look to foster a culture that anticipates and mitigates threats as they evolve. A robust cybersecurity infrastructure is the cornerstone of this resilience, serving as the foundation for all other measures.

At the same time, these organisations need to run regular system updates, which are part of the foundation for ensuring that their defences are equipped to handle the latest threats. Employee training also plays a crucial role in improving an insurance company’s cyber resilience, and thereby its operational resilience, as a workforce that can identify and respond to potential threats is a powerful deterrent against ransomware attacks.

Get ready for the recovery

However well prepared a company’s defences are, it needs to be equally prepared for recovery after an attack because, in today’s environment, it is not a case of if but when an attack will occur. Beyond prevention, cyber resilience encompasses readiness for recovery. Having a comprehensive cyber incident recovery plan in place is critical for every insurance company. This plan serves as a roadmap for navigating the aftermath of an attack, detailing the steps that the company must take to recover compromised data, restore operations and mitigate damage, including periodic cyber recovery simulations to improve overall cyber resiliency posture.

Regular immutable or tamper-proof data backups are a key part of this recovery process, particularly for insurance companies that manage vast amounts of customer data. Ensuring that a recent and clean copy of vital data is always available can significantly improve the chances of a successful cyber recovery. Similarly, having clear protocols and procedures for responding to an attack and continuously monitoring and improving these measures as the threat landscape evolves can help an insurance company not only manage the situation efficiently but also minimise downtime.

Cybersecurity brings long-term viability

Cybersecurity is not a short-term concern but a fundamental component of an insurance company’s long-term viability. Those who invest in robust cybersecurity measures are better positioned to survive and thrive in a digital age, improving their cyber and operational resilience and their ability to recover quickly. Those who neglect to address cybersecurity adequately are likely to experience devastating consequences, affecting their finances, reputation, customer trust and legal standing.

Insurance companies can enhance their operational security and demonstrate a strong commitment to customer and societal well-being by acknowledging the significance of cybersecurity and implementing robust protective measures. After all, cybersecurity is a crucial investment for the long-term sustainability and success of the insurance sector.

Sean Tilley is the Senior Director of Sales of EMEA at 11:11 Systems