What can insurers do to reduce their cyber risk and enhance organizational preparedness?
Like it or not, insurance organizations are moving into the cross-hairs of hackers. They know what insurance decisionmakers and regulators have understood for years: that insurance organizations hold some of the world’s most valuable data.
Depending on the line of business, insurers tend to possess not just personally identifiable information, they also have access to deeply personal customer information such as health records, financial histories, driving records, family histories and credit information. Cyber thieves want it all.
At the same time, the risks associated with a cyber breach are also rising for insurers. It’s not just the costs — everything from conducting the cyber investigation through to preparing the legal defense — it’s also the disruption that a cyberattack can cause as systems are shut down, investigations are conducted and processes are updated.
The reputational impacts of a cyberattack can also be significant. Customers expect their insurers to not only protect their insured assets but also their data. Any erosion of this trust can quickly lead customers to change insurance providers. And the chances of them coming back are slim.
Regulators around the world recognize the heightened risks and implications. And that has led many regulators to promulgate strict cybersecurity and privacy laws that require insurers to demonstrate a much higher level of cyber preparedness than they had in the past. Whether it’s Europe’s General Data Protection Regulation (GDPR), California’s State Privacy Act, New York’s Cyber Security Laws or new legislation in the UK, regulators increasingly expect their insurers to demonstrate a strong understanding and level of preparedness for cyber breaches.
If the cyber risk would remain static, most insurers would have no problem shutting the door on the hackers and ensuring compliance. But the reality is that the cyber risk is continuously changing and evolving. Try as we might to eliminate new vulnerabilities, the hackers are always one step ahead. Some may simply be bored teenagers looking for some excitement. But, more often than not, the hackers are very sophisticated, dedicated and (often) wellfunded criminals. There is no ‘getting ahead’ of the threat.
The types of risks being faced are also rapidly changing. In the past, the majority of attacks tended to focus on exploiting vulnerabilities to either access and steal confidential information, or to cause some type of business disruption. In the future, we expect to see attackers start to also attack the integrity of insurers’ business — changing data and editing rules in a way that erodes business confidence and creates unexpected customer challenges.
It’s not just the risks that keep changing. It’s also the expectations. Indeed, with every large-scale and public cyber breach, customer expectations for cybersecurity evolve. What was considered a ‘good enough’ response last year is likely to be lambasted for being ‘not enough’ today. Companies are expected to learn from the last attack, regardless of whether their organization or industry was involved.
Our experience and our data suggest that some insurance decision-makers may not be fully aware of the risks that their organizations face. According to a recent survey of insurance CEOs conducted by KPMG International last year, just 49 percent of respondents believe that their organization may be vulnerable to a cyberattack. This is dangerous thinking; every organization — no matter the size or the scope — is vulnerable to cyberattack.
What is perhaps more worrying is that just 54 percent of insurance CEOs believe their organization is ‘fully prepared’ for a future cyberattack. Even assuming that CEOs are fully aware of the risks they face (and our conversations suggest that they are not), this data insinuates that many insurers recognize they are woefully behind in their cyber planning and preparation.
The good news is that there are a number of actions that insurers can take to dramatically reduce their cyber risk and enhance their overall preparedness.
One obvious action is to improve access controls across the enterprise. Indeed, a significant number of the cyberattacks we have witnessed over the past decade have largely focused on stealing (or phishing) employees’ access credentials and using them to gain entry into various systems (with the ultimate goal of achieving a level of administrative or ‘super user’ status that would enable them to loot data and change permissions at will). Strengthening access controls both inside the enterprise and across relevant third parties would help eliminate a significant percentage of potential attack vectors.
The other obvious action tends to center around poor systems and software management. In fact, many of the more virulent attacks take advantage of ‘known vulnerabilities’ — identified gaps in software security that (for the most part) could be eradicated by simply downloading the latest security and software patches. The WannaCry ransomware attacks of 2017 were successful against those organizations that had failed to ensure their security was up-to-date.
Insurers could also be working to improve their cyber risk reporting. The reality is that most risk managers and decisionmakers only achieve a very limited view of the actual risks that their organization faces on any given day or month. Far too often, reports are fragmented across lines of business, offer too limited a view of the risks or ignore the potential interdependent risks that cyberattacks could create. Ensuring that the first and second lines of defense have a realistic view of the cyber risks and controls is critical to managing the risks.
While these actions may help eliminate the vast majority of the cyber risks now facing insurers, our view suggests that more must be done to ensure that organizations are fully prepared for the next attack.
For example, insurers should be focusing on embedding a level of cyber awareness into their risk and organizational culture. Every employee must understand the risks and buy into the need for greater vigilance. In part, this is about moving from a ‘penalize’ approach to employee awareness towards a ‘promote’ approach where employees are rewarded for demonstrating compliance and initiative.
Risk managers, executives and boards could also be working to ensure that the organization enjoys a much more robust awareness of the overall cyber risks, the available controls and current ‘leading practices’. Participating in industry and cross-industry forums and task forces is a good first step. Improving internal governance processes and enhancing cyber education will also be key.
That insurance CEOs and decisionmakers may be becoming fatigued by the continuously evolving cyber risk is understandable. But it is no excuse. Given the regulatory direction of travel over the past few years, it is becoming increasingly clear that it will be the organization’s executives that will be held to account if customer data is stolen or if systems are rendered inoperable by a cyberattacker. The onus is on the board and the executive team to ensure that preparedness is high.
So if you’re not fully prepared for a cyberattack — and 46 percent of those reading this article know that they are not — it’s time to get serious about cybersecurity.
© 2020 KPMG N.V., registered with the trade register in the Netherlands under number 34153857, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ('KPMG International'), a Swiss entity. All rights reserved. KPMG International Cooperative ('KPMG International') is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.