The interconnectedness of everything—commerce, business, people, assets, things—is causing the frequency and severity of cyber attacks to increase. For insurers, it’s a bigger threat than for most, given the sensitivity of their data. Accenture research shows that traditional defensive approaches are proving less than effective … a proactive, resilient cyber security posture is required.
In this series on cyber security, I have discussed the opportunity for insurance companies to develop robust cyber security insurance offerings. Many already are. In this post, I want to look at the cyber security threat that insurance companies themselves face.
Insurers like Anthem and Premera Blue Cross have had millions of customer records compromised, making their members vulnerable to identity theft and exploitation. But they are not alone—an Accenture survey reveals that insurers are suffering from an astounding number of security breaches.
A typical insurance organization will face an average of 113 targeted breach attempts every year, a third of which will be successful. That’s more than three effective attacks per month. Yet 79 percent of the large insurers’ security executives surveyed expressed confidence in their cyber security strategies. There is clearly a serious dissonance between cyber security confidence and cyber security capability.
- 61% of insurers say that it takes months to detect successful security breaches.
- 34% of insurers have proper cyber incident escalation paths.
- Insurers’ internal security teams discover only 66% of effective breaches.
What does that add up to?
The threat to insurance companies is huge. The well-known breaches reach back to 2015. These include:
- Anthem, the second-largest US health insurer—80 million records stolen.
- Premera Blue Cross, a US health insurer—11 million customers may have been affected.
- CareFirst BlueCross BlueShield, a large US health insurer—1.1 million people affected.
But there are more recent incidents in July 2017 that tell us that security infrastructure can certainly be improved:
- Anthem has confirmed that the records of 18,500 members have been compromised.
- London-based private healthcare group Bupa has suffered a data breach affecting 500,000 customers on its international health insurance plan.
It’s time for insurers to reboot their approach to cyber security
Protecting a company requires an end-to-end approach that considers threats across the spectrum of the industry-specific value chain and the company’s ecosystem, identifying and minimizing business exposure and focusing on protecting priority assets. The following steps can help insurers to deal effectively with the high-impact cyber threats they face.
- Realistically assess the company’s capabilities to protect against high-impact threats, whether internal or external. Pressure-testing company defences can help leaders understand whether they are likely to withstand a targeted, focused attack.
- Invest to innovate and outmaneuver. When it comes to cyber security, standing still is no longer an option. Organizations need to innovate continually to stay ahead of potential attackers.
- Make security everybody’s job. Employees also play a critical role in detecting and potentially preventing breaches. 98% of breaches not detected by security teams were discovered by employees.
- Lead from the top. Build the board’s cyber literacy with the goal of making it an equal priority to business risk assessment.
- Build on past lessons. Effective cyber security requires organizations to achieve greater maturity and improve their ability to protect the business from losses.
Next steps—make the right investments
Making the right investments can improve an insurer’s cyber security capabilities and strengthen its resilience to cyber attacks. However, this will require continuous and systematic security investment. Key areas of investment are:
- Business alignment—assess cyber security incident scenarios to better understand those that could materially affect the business.
- Governance and leadership—focus on cyber security accountability, nurturing a security-minded culture and creating a cyber security chain of command.
- Build cyber resilience—establish the capability to deliver operational excellence in the face of disruptive cyber adversaries.
- Cyber response readiness—have a robust response plan, strong cyber incident communications, and tested plans in place for the protection and recovery of key assets.
- Involve the extended ecosystem—ensure it is ready and able to cooperate during crisis management; develop third-party cyber security clauses and agreements, and focus on regulatory compliance.
- Investment efficiency—drive financial understanding of investments across cyber security domains and the allocation of funding and resources.
For more on the cyber security conundrum for insurers, and to get detailed insight into Accenture’s research, read this report.