Surfing the Seas of Risk: Cybersecurity Challenges in the Insurance Industry


The insurance industry, a bedrock of financial stability, has been navigating turbulent waters as it confronts an array of risks. Recent research conducted by PwC and CSFI from May to August 2023, known as the Insurance Banana Skins 2023 report, shed light on the pressing cyber risks and concerns affecting the insurance sector. This comprehensive research, based on 589 responses from 39 territories, presents a vivid picture of the challenges that insurance market practitioners and observers find most urgent, with cybercrime at the top of the list as a leading risk.

The Dominance of Cybercrime

Among the numerous risks identified, cybercrime stands out as the unrivaled leader. The report reveals that concerns related to potential data breaches, theft of sensitive data, phishing, and ransomware attacks have taken center stage. This not only mirrors the rise in claims for cyber incidents, but also highlights the vulnerability of insurance companies' own systems to attacks. In 2023, themes such as the growing sophistication of criminals and government backing further intensified the gravity of the situation.

Sector and Region-Specific Concerns

Breaking down the results by sector provides quite interesting insights. The composite insurance sector identifies cybercrime as its primary concern, reflecting the pervasive fear of digital threats. Life and non-life insurance, as well as reinsurance, place cybercrime in the second position (right after climate change and regulations), acknowledging its significance. Brokers, while recognizing the threat, place cybercrime in the third position.

Geographical disparities also play a role in shaping the cyber risk landscape. For Europe and the Asia Pacific, cybercrime is the top "banana skin," reflecting the global nature of digital threats. In contrast, for Africa and North America, cybercrime ranks as the second most pressing risk, highlighting regional nuances in the perceived severity of the threat.

A Growing Landscape of Vulnerability and Cyber Risks

The research conducted by PwC and CSFI indicates a rising concern among respondents that phishing and hacking attempts are ever-present. The ease with which criminals can monetize stolen data adds a layer of complexity to the challenge. The consequences of a data breach or a successful cyberattack extend beyond mere financial losses, as the theft of sensitive data, for instance, health insurance-related information, could have far-reaching consequences for both individual firms and the industry at large.

Reasons Why The Insurance Sector Is Targeted

In all honesty, who would be surprised that insurance companies are often attacked? Handling vast amounts of valuable personally identifiable information and sensitive data, these organizations are an attractive target for cybercriminals for several compelling reasons. Firstly, insurance companies store a wealth of personally identifiable information (PII) and financial data, making them a lucrative source for identity theft and financial fraud. The value of protected health information (PHI) within the healthcare insurance sector is particularly attractive for cybercriminals, as this data brings big profits on the dark net. Additionally, insurance companies hold critical data on assets, liabilities, and financial transactions, making them a prime target for those seeking insider information for financial gain.

Moreover, the interconnected nature of the insurance ecosystem, involving collaborations with various third-party vendors and partners, creates potential entry points for cyber threats. Attackers may exploit vulnerabilities in the supply chain, leveraging less secure partners as gateways to infiltrate the primary insurance company network. As the insurance sector embraces digital transformation and adopts technologies such as cloud computing and IoT devices, the attack surface widens, providing cybercriminals with more avenues for exploitation.

The nature of insurance operations, often involving large transactions and the transfer of significant funds, further increases the attractiveness of insurance companies as targets for cyber attacks.

Cybercriminals recognize the potential for substantial financial gains through ransomware attacks, in which they encrypt critical data and demand hefty ransoms for its release; more than 40% of these attacks are carried out through phishing.

Fragile Fortifications: The Alarming State of Cybersecurity in the Insurance Business

Unfortunately, although insurance companies handle huge amounts of highly sensitive and valuable data, and their representatives consider cybercrime to be one of the most urgent risks, several studies highlight the fragile state of cybersecurity in the insurance industry. According to the Cyber Insurance Risk in 2022 report, nearly 20% of the top 99 insurance carriers have a high susceptibility to ransomware, while 82% of insurance firms are vulnerable to phishing attacks.

The Phishing by Industry Benchmarking 2023 report reveals that, for large organizations (with more than 1,000 employees), the insurance industry remains the most at-risk for the second consecutive year, with a phish-prone percentage of 53.2%, showing little improvement from 2022.

Additionally, according to the Insurance Banana Skins 2023 report mentioned above, the respondents, when asked to rate their preparedness for cyberattacks on a scale of 1 (poorly) to 5 (well), gave an average response of 3.20. This marks a decrease from 3.22 in 2021, signaling a slight decline in already low confidence in the industry's ability to address the changing cyber threat landscape. The worry is palpable enough, with a sense that a successful cyberattack could jeopardize business continuity and lead to disastrous reputational consequences.

The Post-ChatGPT Era: A New Wave of Threats

The emergence of ChatGPT in November 2022 has ushered in a new era of challenges from cyber attackers. Historically, markets like Japan experienced fewer claims from phishing attacks due to the complexities fraudsters faced in translating attack emails. However, the deployment of large language models has transformed the cyber attack landscape, enabling the creation of more sophisticated phishing emails, analysis of code to find vulnerabilities, and even the generation of malicious code. This shift underscores the need for increased vigilance, consistent measures, and innovative solutions in the face of evolving cyber threats.

To sum up, the insurance industry is at a critical juncture as it battles the ongoing onslaught of cyber threats. The Insurance Banana Skins 2023 report serves as a sharp reminder that cybercrime is not just a technical issue but a multifaceted challenge requiring an integrated approach. As the industry navigates these perilous waters, coordinated efforts towards strengthening cybersecurity, embracing advanced technologies, and developing a culture of resilience are imperative to protect the stability and trust that the insurance sector provides around the world.

