Protecting the insurance sector from cyber threats

Cybersecurity expert analyses major insurance data breach and provides tips on how firms can protect themselves

By Gabriel Olano

While insurers provide protection to other firms through cyber insurance, they themselves can become targets of data breaches, due to the massive amount and sensitive nature of the data they hold. In September 2017, for example, AXA suffered a cybersecurity breach in Singapore, in which the data of 5,400 of its customers was compromised.

To learn more about how insurers (and other firms) can protect their customers’ sensitive data from malicious attacks, Insurance Business spoke with Eugene Lee, director of business development at Connectivity Global, a Singapore-based cybersecurity company.

Lee examined the AXA breach, as well as other notable cyberattacks, highlighting the importance of learning from such incidents.

“Unfortunately, details about how [AXA’s] health portal was hacked into were not provided by the company,” Lee said. “But one likely attack would be a cross-site scripting (XSS) attack, wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application such as their health portal.”

He also floated another possibility: an undetected email containing backdoor malware being opened by AXA employees, giving the hackers access to the insurer’s network and database. This method is known as social engineering.

“Recent attacks such as SingHealth (July 2018) and Mindef (February 2017) highlight the fact that companies which collect individuals’ personal data are an attractive target for cyber criminals and these companies should ensure that necessary steps are taken to mitigate these cyber risks,” he said.

Lee provided the following tips for insurers and related firms to reduce their chances of being targeted by a cyberattack:

  • Ensure that policies and procedures relating to cyber security are clearly communicated to staff (e.g. checking personal mail, downloading files, plugging in unauthorised USB thumb drives, etc.)
  • Adopt an effective email security solution, as over 90% of malware is transmitted via email, which is the most common channel for business communication.
  • Invest in IT personnel/consultants with strong cybersecurity backgrounds and who are constantly abreast of developments in cybersecurity and related fields to provide sound recommendations on how to deal with new threats.
  • Insurers should formulate a sound response plan including incident management (such as when and how to tell their customers), damage control to protect and recover their other assets in the event of a breach, how to respond when a staff member discovers a breach, who to inform, etc.

Lee warned that, in the near future, cyberattacks are going to become more sophisticated as technology develops, and the rise of artificial intelligence can aid attackers. However, AI can also be used to defend against breaches. One such application is Connectivity Global’s Receive Guard product, which is an AI-enabled email security solution, now available in Singapore.

“Advanced malware, coupled with social engineering, is now capable of evading traditional detection measures,” he said. “With a shortage of cybersecurity experts around the world, companies are losing the cyber arms race as a result. This has led to a growing number of AI-enabled cybersecurity uses - including optimising incident detection and response, better identifying risks to the business, and coming up with the appropriate counter measures against cyberattacks.”

Aside from the financial costs and reputational damage caused by data breaches, companies can also expect penalties from regulators if they fall behind in their cybersecurity protocols.

“Given the rising importance of data protection with the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018, and a growing list of emerging data protection regulations around the globe, organisations which suffer from data breaches could suffer from hefty fines and be held accountable by regulators,” Lee said. “We will therefore likely see an increase in companies prioritising their investments in cybersecurity to mitigate such risks.”

 
