Boards must be custodians of cyber security

VP says responsibility should sit at the top

By Nicola Middlemiss

A leading software security expert has called on corporate boards to be the “custodians of stronger cyber security” after insurance providers came under criticism for their lacklustre approach.

“This year, the Australian Prudential Regulation Authority (APRA) issued a strong warning to the financial sector, including insurance providers, about their sloppy cybersecurity policies,” said Jeff Hurmuses, VP of Asia-Pacific for Malwarebytes.

In the reprimand, APRA also warned corporate boards that it will treat “basic cyber hygiene” as fundamental to Australia’s financial stability.

In fact, APRA’s latest corporate plan identified cybersecurity as one of four key priority areas for the sector and noted that it should be a board’s responsibility to demonstrate clear strategies and implement relevant systems to respond to emerging risks.

According to Hurmuses, the insurance sector’s vulnerability shouldn’t come as a huge surprise.

“Insurance organisations use and store large amounts of personal identifiable information (PII), including financial details on their policyholders,” he told Insurance Business.

“As the industry continues to digitise and expand its number of connected endpoints, and as the Australian and global regulatory landscapes become harder to navigate, compliance and building resilient cybersecurity strategies will not only become more complex, but even more necessary.”

As a result, it’s never been more pertinent for business leaders to revisit what basic cyber hygiene means to their organisation, and how they can refine their cyber resilience strategies.

“Insurance organisations are facing growing pressure from a variety of fronts, ranging from far-reaching global regulations such as the European GDPR, to regional industry requirements governed by independent bodies such as APRA,” said Hurmuses.

“Additionally, there are government-issued requirements for cybersecurity control that insurers are encouraged to adopt, like the Australian Signals Directorate’s Essential Eight, which outlines a strong baseline to make it harder for cyber criminals to compromise systems.”

According to Hurmuses, all of these are necessary components of the digital age, providing the care needed to safeguard customers’ sensitive data; however, together they also create a more complex landscape that insurance companies must navigate carefully as part of their daily operations.

“The challenge is to plan and build a framework for cyber resilience where the company’s compliance position is also supported by operations that can perform with agility and precision when incidents occur,” said Hurmuses.
