The International Association of Insurance Supervisors (IAIS), a body composed of insurance market regulators in various countries, said insurers are at risk of loss of confidential data, disruption of operations and reputational damage as a result of cyber attacks.
IAIS said the insurance industry is especially vulnerable, as companies collect, process, and store substantial volumes of data, including personally identifiable information. Insurers are also connected to various financial institutions through investment, capital raising, and debt issuance activities.
The report highlighted various cybersecurity weaknesses, saying insurers should keep track of the data flow in all IT systems, applications, and components. They must also be mindful of the user access privileges they grant their employees, placing sufficient controls on which employees have access to ‘superuser’ accounts. Cybersecurity must be addressed at all levels of the organization.
Based on a survey by the IAIS last year, there is no uniform practice in the way insurance market regulators address the supervision of cybersecurity. Regulators must also improve their understanding of cyber risk and strengthen their supervisory capabilities to protect the insurance sector.
According to cyber risk expert Ian Birdsey of law firm Pinsent Masons, many cyber security initiatives have been focused on securing banks and protecting their systems and data from attack. Less attention is paid to insurers, which are very much connected to the finance industry and hold rich data, making them a target for attackers.
"The volume and complexity of cyber attacks against the UK are rising sharply," said the annual report. "Digital technology is revolutionising every aspect of our lives. But the changing technological landscape is opening up new vulnerabilities and new opportunities for our adversaries. We need to work even harder to keep pace with the evolving threat. The [new cyber security strategy] … will set out the government’s vision for cyber security in 2021 and the objectives and respective roles and responsibilities that will enable us collectively to achieve that goal."