As banks get better at defending against cyber attacks, criminals are turning their attention to the insurance sector. In addition to money, thieves are seeking premium rating tables, claims, accident and loss information, as well as customers’ personal and financial details.
The commercial and reputational damage can be significant, with further potential fines for inadequate systems and controls.
Four key sources of insurance cyber crime
- Organized crime: highly advanced, organized crime syndicates make direct attacks, extract substantial ransoms or set up fraudulent sites selling fake policies
- Petty criminals: largely opportunistic criminals looking to exploit system vulnerabilities
- State-sponsored: certain governments are stealing cash or data, sometimes during cross-border mergers and acquisitions (M&A)
- ‘Hacktivists’ and terrorists: often targeting insurers that do business with drug companies, animal testing laboratories and defense companies
How to respond to cyber threats
According to KPMG’s 2012 Data Loss Barometer, the insurance sector is at the highest risk from social engineering attacks and system and/or human error incidents. The very infrequency of customer interactions makes it harder to spot trends.
Insurers can learn from banking by creating more robust structures and processes, and investing in back office technology and systems with greater connectivity and coordination. Such diligent cyber defense should also extend to any third parties that process claims.
Technical preparedness alone is unlikely to be enough to prevent insurance cyber attacks, and leadership should look at the wider culture and governance to identify weak spots and encourage compliance.
Six steps to cyber defense maturity
- leadership and governance: with the Board taking ownership of risk
- information risk management: comprehensive practices throughout the organization and supply chain
- operations and technology: controls to address identified risks from cyber criminals and ‘hacktivists’
- human factors: a security culture that empowers people and gives them the right skills
- business continuity and crisis management: preparedness for security breaches, to prevent or minimize the impact through successful crisis and stakeholder management
- legal and compliance: relevant regulatory and international certification standards.
How vulnerable is your organization?
- Is insurance cyber crime high on the Board’s agenda?
- Do you outsource activities involving the handling of sensitive customer information?
- Have you ever received a cyber ransom threat?