While insurers provide protection to other firms through cyber insurance, they themselves can become targets of data breaches, due to the massive amount and sensitive nature of the data they hold. In September 2017, for example, AXA suffered a cybersecurity breach in Singapore, in which the data of 5,400 of its customers was compromised.
To learn more about how insurers (and other firms) can protect their customers’ sensitive data from malicious attacks, Insurance Business spoke with Eugene Lee, director of business development at Connectivity Global, a Singapore-based cybersecurity company.
Lee examined the AXA breach, as well as other notable cyberattacks, highlighting the importance of learning from such incidents.
“Unfortunately, details about how [AXA’s] health portal was hacked into were not provided by the company,” Lee said. “But one likely attack would be a cross-site scripting (XSS) attack, wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application such as their health portal.”
He also floated another possibility: an email containing backdoor malware slipping through undetected and being opened by AXA employees, giving the hackers access to the insurer’s network and database. This method is known as social engineering.
“Recent attacks such as SingHealth (July 2018) and Mindef (February 2017) highlight the fact that companies which collect individuals’ personal data are an attractive target for cyber criminals and these companies should ensure that necessary steps are taken to mitigate these cyber risks,” he said.
Lee provided the following tips for insurers and related firms to reduce their chances of being targeted by a cyberattack:
Lee warned that, in the near future, cyberattacks are going to become more sophisticated as technology develops, and the rise of artificial intelligence can aid attackers. However, AI can also be used to defend against breaches. One such application is Connectivity Global’s Receive Guard product, which is an AI-enabled email security solution, now available in Singapore.
“Advanced malware, coupled with social engineering, is now capable of evading traditional detection measures,” he said. “With a shortage of cybersecurity experts around the world, companies are losing the cyber arms race as a result. This has led to a growing number of AI-enabled cybersecurity uses - including optimising incident detection and response, better identifying risks to the business, and coming up with the appropriate countermeasures against cyberattacks.”
Aside from the financial costs and reputational damage caused by data breaches, companies can also expect penalties from regulators if they fall behind in their cybersecurity protocols.
“Given the rising importance of data protection with the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018, and a growing list of emerging data protection regulations around the globe, organisations which suffer from data breaches could suffer from hefty fines and be held accountable by regulators,” Lee said. “We will therefore likely see an increase in companies prioritising their investments in cybersecurity to mitigate such risks.”