Cyber insurance is one of the fastest growing segments of the industry, with insurers, underwriters and brokers regularly encouraging end clients to adopt better online security and more thorough response systems – but could it be that the industry is actually lagging when it comes to setting standards?
According to a recent report by security firm Mimecast, Australia’s insurance industry has some significant gaps, is slow to adopt better standards, and even suffered a major attack back in August.
The Threat Intelligence Report: Risk and Resilience Insights indicated that the local insurance sector is falling behind on cyber security standards and failing to adopt stricter guidelines largely due to an age-old problem – that is, legacy systems.
“The insurance sector being at a notably slower pace in adopting appropriate cybersecurity standards is likely due to its use of legacy mainframe systems and the technical debt many providers have acquired over the years,” said Garrett O’Hara, principal technical consultant for Mimecast.
“Insurance has been around for centuries – it’s not a cool new 2.0 concept or service – which means, culturally, the industry may not be as aware of online risks,” he continued.
“This creates an odd tension, as cyber insurance providers are the ones who should have the most sound understanding of cyber security – because their premiums depend on it.”
The lack of pace has, unsurprisingly, already brought problems – data from Mimecast shows the insurance industry was targeted earlier this year in a one-day attack which was likely to have been organised by criminal groups attempting to compromise highly sensitive, valuable client information.
According to O’Hara, the attack was most likely propagated via an email attachment and was “particularly worrisome” as it was a Trojan virus.
“Unlike ransomware, which overtly notifies the user of its presence, a Trojan virus often disguises itself as legitimate software to enable remote control of a user’s machine – which allows the attacker to hack into systems, run commands, browse compromised websites, access financials, download malware and see the credentials of other network users,” said O’Hara.
“Given the highly personal nature of information held by insurance companies, the ramifications of cybercriminals gaining such unprecedented access would have been significant,” he added.
With the insurance industry already suffering from damaged consumer trust, a significant cyberattack exposing personal information would be a disaster for the sector’s reputation, at best.
“Breaches are a universal cause of distrust across every industry, not just insurance,” said O’Hara. “The highly personal nature of the information held by insurance companies also means the expectation of trust is higher than, for example, a retailer.”
If a hacker were to breach a retailer’s loyalty program, they’d discover someone’s taste in clothes or food – but if a hacker breaches an insurance company, they can find out an abundance of sensitive information, including medical records, financial data, personal assets, employment details, business details and home addresses.
While the Mimecast report casts some doubt over how prepared Australia’s insurance sector is for a serious attack, steps are being taken to push the industry forward.
Jacqui Kernot, a partner with EY’s financial services cyber security team, said recent legislative changes have had a positive impact on the security of banks and insurers.
“In Australia, the recently released prudential standard CPS 234 focuses on cyber security,” she said. “This has had an immediate impact on the financial services community and our work with clients and their boards highlights that boards are engaged, curious and willing to learn about cyber.”
Kernot also added that there are some “great questions” being asked about what should be tracked and measured, how insurers can improve and what other companies are doing to enhance their cybersecurity position.
“Certainly, in financial services we are seeing very swift change within organisations, up to and including board level, in terms of their interest and engagement on cyber, which is really positive and will likely flow through to the rest of the market,” she said.