
As a holder of significant amounts of sensitive and valuable data, how can the insurance and risk sector protect itself from cyberattacks?
Are you thinking about cybersecurity for your company? If you aren’t, you should be.
Three-quarters of the world’s 500 biggest asset managers have already boosted the resources they devote to it, the Thinking Ahead Institute found in October 2022. Insurers and wealth managers, which hold a higher proportion of data relating to high-net-worth individuals, attract more concentrated attention from the most sophisticated cyber-threat actors. But there are ways to protect your business.
Biggest cyber threats
The biggest threats facing insurers and wealth managers, according to cybersecurity firm Darktrace, are: account compromise and malware leading to system compromise and outages; and ransomware leading to data theft. Both can lead to, among other consequences, authorised push-payment fraud, where a fraudster tricks their victims into willingly making large bank transfers to them.
Toby Lewis, global head of threat analysis at Darktrace, says: “The key difference for wealth managers and insurers would be the sensitivity and value of their customer data, which raises the stakes of any potential data leak to the level of an existential threat to the business.”
Larger firms may suffer from increased targeting due both to their market cap and to the net worth of their clients. “The bigger the organisation, the more complex and sprawling its digital world and supply chains are likely to be, offering attackers more places to hide,” says Lewis. But 46% of all cyber breaches impact businesses with fewer than 1,000 employees, according to Verizon's 2021 Data Breach Investigations Report, which also found that the percentage of smaller businesses being hit has climbed steadily in the last few years.
David Carvalho, co-founder and CEO of Naoris Protocol, another cybersecurity firm, says for most companies’ traditional security setups, “there is currently no way to measure the trust status of devices and processes from moment to moment”. This means a bad actor on the inside of a company could manipulate processes that could sabotage the company or redirect funds, and no one would know for potentially months. According to IBM, the average breach lifecycle takes 287 days, with organisations taking 212 days to initially detect a breach and 75 days to secure it.
Every digital device is a potential point of failure or point of entry for a cyberattack into your organisation and its networks. Carvalho says: “In an increasingly decentralised business environment, with working remotely, the distribution of devices and cloud servers poses a risk, as they become single points of failure as any security is minimal or non-existent – for example, employees’ mobile phones.” At the same time, company IT architectures are centralised, “which makes it easy for attackers to target and compromise the entire system or take over processes”, Carvalho explains.
Cyberattack protection
Fighting back against hackers is an ongoing battle for every firm, according to the experts. With threats constantly evolving, it is not a one-and-done exercise.
Tim Smith, partner and cybersecurity and data protection expert at law firm DWF, gives some ground-level examples: “Ensure hardware and software are up to date, have regularly updated and properly secured air-gapped backup systems, ensure staff use strong passwords, vet staff carefully, train them well, have proper physical and IT security, and make full use of technological protections such as multi-factor authentication and encryption.”
Systems should be designed to ensure, insofar as possible, staff only have access to the parts they need, and that the most valuable information is the best protected. The National Cyber Security Centre provides good advice on all of these issues, as does the Information Commissioner's Office.
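To make the least-privilege design described above concrete, here is an added example (not code from the article or from any firm quoted in it) of a deny-by-default access check: roles and tier names are hypothetical, client records are graded by sensitivity so that the most valuable data is the best protected, and the top tiers also require a multi-factor step-up, as Smith recommends.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Data sensitivity tiers (constructed for this example); higher is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CLIENT_PII = 2      # ordinary policyholder / client records
    HNW_CLIENT = 3      # high-net-worth client files: the most valuable data


# Highest tier each hypothetical role may read. Anything not listed is denied.
ROLE_CEILING = {
    "marketing": Tier.PUBLIC,
    "claims_handler": Tier.CLIENT_PII,
    "private_wealth_adviser": Tier.HNW_CLIENT,
    "it_admin": Tier.INTERNAL,   # admins run systems; they do not read client files
}

# Assumption: reading CLIENT_PII or above needs a fresh MFA step-up.
MFA_REQUIRED_FROM = Tier.CLIENT_PII


@dataclass
class Request:
    user: str
    role: str
    record_tier: Tier
    mfa_verified: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorise(req: Request) -> Decision:
    """Deny by default: allow only if the role's ceiling covers the tier and MFA is satisfied."""
    ceiling = ROLE_CEILING.get(req.role)
    if ceiling is None:
        return Decision(False, f"unknown role {req.role!r}")
    if req.record_tier > ceiling:
        return Decision(False, f"{req.role} may read up to {ceiling.name}, not {req.record_tier.name}")
    if req.record_tier >= MFA_REQUIRED_FROM and not req.mfa_verified:
        return Decision(False, f"{req.record_tier.name} requires MFA step-up")
    return Decision(True, "allowed")


def denied_requests(requests: list[Request]) -> list[tuple[str, str]]:
    """Collect denials for the audit log; repeated denials by one user are a detection signal."""
    return [(r.user, d.reason) for r in requests if not (d := authorise(r)).allowed]
```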
Speaking from the perspective of a firm that builds such systems, Carvalho says financial-sector businesses should consider implementing a decentralised cybersecurity mesh architecture strategy (dCSMA). This removes the threat of having a single target in your business for attackers (for example, your IT department). Whatever system a firm currently has, however, there are screws to tighten.
Carvalho says: “Implement firewalls, add intrusion detection and prevention systems, and antivirus software to protect against common attacks.” Financial firms should conduct regular security assessments, he adds, including vulnerability scans and penetration testing to identify weaknesses in the network. And prepare for if the worst happens. “It’s important to have an incident response plan outlining the steps to be taken in case of a security incident,” Carvalho says.
Critically, cybersecurity should be a board-level priority. DWF’s cybersecurity expert Smith says boards should make sure that they are on top of cyber risk. “The firm's IT security professionals need to be given a voice and access to decision-makers who need to ensure that they understand what they are being told,” he says. And for added security, who better than the financial sector to consider purchasing cyber insurance to protect against financial losses in case of a successful attack?