Other parts of this series:
A comprehensive study from Accenture Security evaluated organizations’ cyber resilience across seven domains and 33 capabilities. The key finding: Insurers have made steady improvement since 2017, but are still far from mastery.
Financial institutions generally pride themselves on having tighter cybersecurity defenses than other industries. But last week, I explained that without ramping up investment in advanced technologies like artificial intelligence (AI), machine learning and robotic process automation, insurers will find themselves poorly equipped to keep up with cyber criminals’ attacks.
Insurers still need to master cyber resilience
The 2018 State of Cyber Resilience study used 33 cybersecurity capabilities to evaluate organizations. Insurance respondents ranked as “high performing” in 20 of those capabilities (an increase from 12 capabilities in 2017). However, high-tech and consumer goods and services achieved “high performing” rankings in 19 areas, and life sciences in 21. In other words, insurers are no longer unique in their cybersecurity effectiveness—and there’s still room for improvement.
Four challenges to cyber resilience
Insurance fraud used to require collusion among bad actors, such as body shops or doctors. But today, cyber criminals can act alone, using stolen credentials, phishing attacks and social engineering to pose as agents or claims processors. And as banks shore up their defenses, many criminals are focusing their sights on the insurance industry.
In other words, today’s security gap could become tomorrow’s big liability, and on a much shorter timeline than many insurers are prepared to cope with.
In particular, here are four challenges to cyber resilience that insurers face:
- Legacy technology. While insurers are digitizing many areas of their business, they’re still operating legacy technology—and in many cases, many pieces of legacy technology cobbled together. That makes it hard to protect their systems from cyber attacks.
- Proliferation of data. Data can help insurers make smarter business decisions, from improving the customer experience to enabling more sophisticated pricing strategies. However, as the volume of data increases exponentially, so does the complexity of the data environment—and an insurer’s risk profile.
- Stricter regulations. The European Union’s General Data Protection Regulation (GDPR) requires more rigorous data protection. In the US, the New York State Department of Financial Services has issued a similar mandate for financial services companies. The regulation—23 NYCRR Part 500—requires companies to use periodic assessments to determine criteria to identify, evaluate and remediate cybersecurity risks.
- The rise of the Internet of Things (IoT). From light switches to thermostats, connected smart devices can help insurers better assess and prevent risks. But these unsecured devices can also be used by cyber criminals to carry out sophisticated attacks at scale. In 2016, the Mirai botnet attacked IoT devices, rendering much of the Internet inaccessible on the US east coast.
Balancing cyber resilience with innovation
Importantly, all this is happening while insurers are taking steps to innovate. Cyber resilience doesn’t have to hamper innovation. However, it must be considered. For example:
- Cyber security must be baked into ecosystems. Ecosystem relationships with business partners, vendors and other organizations are important for an insurer’s ability to deliver living services—highly relevant, personalized offerings that go beyond an insurance transaction. However, insurers must be vigilant with their cyber security defenses, as well as those of their ecosystem partners.
- Customer identities matter. Compared to insurers, banks are far more vigilant in verifying customer identities. Insurers, on the other hand, rarely re-verify customer identities, and thanks to automatic payments, rarely interact with customers. As insurers seek to remove friction from the customer experience, they must also be sure they are paying genuine claims to real customers.
It’s reassuring that many insurers have invested in preparedness, but because the threats never end, preparedness is a moving target. That said, it can be possible to develop the capabilities required to master cybersecurity. Join me next week as I look at seven of these characteristics.
Register to download the full report, “Insuring the Future: 2018 State of Cyber Resilience for Insurance.”
To learn more:
- Read my previous blog series on the current state of cyber insurance—and what the future might look like.
- Read Werner Rapberger’s blog series on the cyber insurance opportunity.
- Contact me to discuss how Accenture can help you foster cyber resilience.