Cyber risks: a giant insurer’s response to the big attacks

"We've taken cyber and data risk very seriously for a long, long time"

By Daniel Wood

The damaging succession of cyberattacks on Optus, Medibank and Latitude exposed the personal data of millions of Australians. In the wake of those attacks, have the country’s giant insurers – custodians of huge reservoirs of customer information – changed their approach to cyber prevention and mitigation?

“We haven’t changed our strategy as it relates to cyber,” said Neil Morgan when Insurance Business asked him this question. “We’ve taken cyber and data risk very seriously for a long, long time and we’ve invested pretty heavily in that area.”

Morgan is COO of Insurance Australia Group (IAG) and responsible for the insurer’s digital strategy.

Multiple layers of defence

“We have a cybersecurity team, we have multiple layers of defensive plays but like many organisations we have a complex technology architecture and that means that we continue to test our controls regularly,” he said.  

Morgan said the continuing work includes vulnerability management and looking at new technologies that can help protect customer data.

“It’s a pretty dynamic environment,” he said. “What we have done is look very, very closely at issues that organisations have had both locally and globally and tried to apply those learnings and scenarios to our own environments to make sure that we’re continuously current in the way we’re approaching it.”

Morgan said that the high-profile attacks on Optus, Medibank and Latitude, while not changing the firm’s cyber strategy, have “certainly given us direct focus on what’s going on in the world around us.”

What about legacy systems?

Many big insurers still have considerable amounts of customer data in legacy data systems. IB asked Morgan how concerns around data privacy and cyber vulnerabilities condition the switching off of legacy systems.

“The process there - and actually it’s an area we invested in three or four years ago which put us in a reasonable place - is having a really robust archival and retrieval capability, which is really key to decommissioning,” he said.

Morgan said this facilitates managing customer data through all stages of decommissioning.

“This is really critical and it really is the customer data that’s at the heart of this and that’s what we take responsibility for and hold dearly,” he said.

230 applications switched off and counting

In August last year, IAG’s CEO, Nick Hawkins, had this to say about legacy technology:

“I think the key is to bring them together and then turn them off,” he said in answer to a question from IB at the end of his firm’s FY22 results presentation. 

“Turning systems off is always an interesting challenge, right?” said Morgan. “So while they might be turned off from a new business, or new claims perspective, of course, there’s a whole set of data and history within those platforms.”

As a result, he said, switching off this old technology is “a long journey.”

More than three years ago, Morgan recalled, he had a conversation with a technology team about how many applications the firm had switched off during the last 12 months. There was only one example, he said.

“We’ve turned off 230 application components now – I just got an update this morning – through having a dedicated squad on decommissioning, literally just focused on switching capability off as early as we can,” said Morgan.

He said this represents a significant shift but there’s “still a long way to go.”

“But it demonstrates what can be done by taking a really strategic approach to how we consolidate platforms,” he said. “The ripple effect of that consolidation is quite significant with the interconnected nature of the architecture.”

He said when IAG’s decommissioning process started it was the responsibility of a small team.

“As with all of these things they become most powerful when it becomes part of a scaled job, so part of everyone’s mindset and thinking,” said Morgan.

On the morning of his interview with IB, Morgan said he’d met with his extended leadership team.

“We were talking about this topic and it’s moved from a focal point and a small central team to include actually everybody being incentivised and organised around trying to make sure that we take advantage of the opportunity to decommission existing technologies,” he said.
