The volume and sensitivity of the data held by the insurance industry mean it is a prime target for hackers and cybercriminals – and it can expect an uptick in attacks – according to a cybersecurity firm director.
Law firms, particularly those involved in M&A activity, have been the target of cybercriminals over the past several years, but the potentially lucrative data held by insurance companies means they will likely be in the sights of criminals too, says ITC Secure’s director of cyber risk.
“The insurance industry needs to wake up and think that they are front and centre in terms of data attacks, because they are where the data is,” Gareth Lindahl-Wise told Insurance Business.
“The market needs to recognise the value of the data that it holds, which obviously varies depending on the lines of business, but it’s very attractive data for maliciously-minded people. I would expect an upsurge in more structured, systematic, and capable attacks to try and get to that data,” he said.
But while cyberattacks from external actors are widely discussed, there is an insider threat too.
Last month, insurance group Canada Life took a former senior executive to court over claims he had taken “significant and highly confidential information” with him before transferring to another company.
The firm alleged that the executive had sent three emails with documents attached from his work account to his personal account, containing confidential information about the group’s underlying assets and the market value of each fund and related asset breakdown.
“The insider threat is one of the most difficult to deal with,” said Lindahl-Wise. “Even where you have a good cybersecurity regime in place, you are giving access to trusted individuals. If those trusted individuals turn bad, that’s your worst-case scenario… If you can’t detect anomalies, for example someone downloading data or sending work to personal emails, that really is an exposure.”
When it comes to the insider threat, it’s important that businesses assess who within the organisation should have access to what data.
“Data segregation allied to role segregation is probably your best way of doing this,” the director said.
But that may mean facing some uncomfortable conversations: for example, while senior executives would likely have access to strategic, top-line information, they would not necessarily need access to personal customer data.
“Sometimes there’s a reluctance to have a hard discussion – just because you’re the CEO, doesn’t mean you should be able to access this, because your role doesn’t require it,” Lindahl-Wise said.
“Ultimately, the volume, sensitivity, and potential to exploit the data that insurance companies hold is going to attract the wrong attention. That’s something that insurance companies really need to be on guard for, and they should really be assessing their threat posture.”