Big players risk damage to brand if they don’t properly protect themselves
Cyber attacks are becoming increasingly common and the threat they pose to business is growing in severity. Insurers offer cover against losses from those attacks, but in many cases they are themselves at risk.
The Association of British Insurers recently described the IT infrastructure of many of its members as "archaic" and "potentially prone to cyber attack".
Post recently submitted a Freedom of Information request to the Information Commissioner's Office to determine which insurers had suffered cyber breaches since 2011.
According to the most recent data, Norfolk broking company Hugh J Boswell is the latest to report a cyber attack.
The firm, which itself sells cyber cover, declined to comment. However, Post understands that the attack was extortion and was perpetrated by an ex-member of staff who got onto its system but did not manage to steal any customer data.
Hugh J Boswell was not alone. The investigation found that other insurers reporting cyber attacks in the last four years include Staysure, Axa, Brightside and The Royal Insurance Society.
A government report revealed that, in 2014, 81% of large corporations and 60% of small businesses suffered a cyber breach.
The same report indicated that a cyber attack costs large businesses £600,000-£1.15m and small businesses £65,000-£115,000 on average.
The Cyber Governance Health Check report of 2015 revealed that almost half of FTSE 350 businesses regarded cyber attack as the biggest threat to their business, up from 29% in 2014.
In Axa’s case, the insurer experienced a ‘denial of service attack’ in which an attacker tried to bring down its external website; there were no damages incurred through loss and it was a relatively small cyber attack. For insurers coming under attack, the key is in how quickly they react.
“We had a lot of monitoring in place that picked up on the attack. We have software and third-party management to assist us when we have such an attack,” said Matt Potashnick, IT director at Axa.
“We constantly face attacks because, as with any online presence, people try to find if you have any holes in your software. We regularly see people trying to run script kiddies [using scripts or programs developed by others to attack computer systems] to see if there are any holes in our website.”
The very nature of insurance businesses means firms are always a target for hackers who are looking to get their hands on client information. Yet, despite the threat having an ever-present and growing profile, some insurers don’t realise how vulnerable they are.
“Insurance companies need to be proactive in identifying where sensitive data lives within their networks,” said Fortunato Guarino, solution consultant Europe, the Middle East and Africa, cybercrime and data protection adviser at Guidance Software.
“Too often, organisations don’t fully understand where sensitive information resides on their networks.
“Some estimates say that as much as 60-80% of stored information is dark data – where organisations simply don’t know what it is. That creates a tremendous amount of risk. By understanding where data lives, insurance companies can better protect it and reduce the risk of cyber attack.”
Guarino said it is not a case of if insurers face a cyber breach, but when; not only do insurers need to monitor their systems but they also need to avoid insider threats by looking closely at staff.
“Organisations need the right tools in place to monitor their system, identify potential threats, and be able to take action to remediate any issues before data loss occurs,” he added. “Second, hiring and retaining seasoned security professionals needs to be an HR priority.
“With the scale and scope of cyber threats today, it’s no longer a question of if an organisation will be breached, but when a breach will occur. But if they have the right teams, the right processes in place, and proper detection and response tools, they can significantly reduce the risk associated with an attack.”
Safeguarding IT infrastructures can be difficult for all businesses, as cyber risks are constantly changing. To make sure a network is safe from threats, it can be beneficial to think like a hacker.
“Like other insurers in the industry, we carry out regular penetration tests,” said Potashnick. “We use third-party companies to employ ‘hackers’ who purposefully try to find any holes that we may have. There are many layers that we look at to ensure that we have the controls in place so we don’t put holes out there.”
As the issue of cyber security grows across the industry, so does the cost; but the industry is growing alongside the risks and is diligent in tackling the issue head on.
“Cyber risk is growing very rapidly and the profile of the issue has grown over the last 18 months,” said Matt Cullen, head of strategy at the ABI. “The cost is growing and the types of risks and cyber incidents are constantly evolving and, therefore, we have a growing need to manage the risk.
“The insurance industry is taking cyber very seriously from an operational perspective and the ABI has taken a lead on that by becoming Cyber Essentials certified, which is the government’s cyber hygiene standard.
“The cyber hygiene standard is a five-point checklist to ensure cyber hygiene and there are lots of insurers doing similar things to ensure that they are protected. The industry is very keen to make sure that it’s resilient to this type of risk.”
Insurers offering cyber cover for businesses aren’t immune from attacks themselves. Darren Desmond, assistant director of fraud, investigations and dispute services at EY, believes that insurers that offer cyber cover are just as vulnerable as other firms.
“Unless they’ve applied an enhanced level of security around their cyber insurer infrastructure then they’re just as vulnerable as the next company out there,” said Desmond.
Putting in place tougher security for their cyber cover elements may actually leave insurers open to attacks in other areas of their business, he added.
“If they cover their cyber insurance element of their organisation in an enhanced way, the hackers will begin to look at softer targets and other infrastructures that aren’t part of the cyber insurance element,” said Desmond.
Head above the parapet
“It will have the same results – they’ll get hacked, client data will be exposed and the brand itself will be embarrassed. It’s a risk for the brand because they’re putting their head above the parapet and offering themselves up to be targeted.”
But part of the problem lies in the fact that the risks aren’t taken seriously enough by firms, and often insurers aren’t held accountable when they come under malicious attack.
Tom Spier, director of business development at IDT911, believes the issue will be taken more seriously if insurers are forced to report attacks.
“The vast majority of businesses need to improve their resilience to cyber threats,” he said. “Across the board it’s not taken seriously enough and part of that is because of the current legislation that we have in place.”
He said it was possible that more insurers have suffered breaches than those uncovered by the Post investigation.
“The Data Protection Act is quite woolly on when you need to notify a regulator about a data breach and when it should notify the victims of the breach.
“The law says you have to report it when it’s ‘serious’ but it doesn’t define what is serious. Hopefully there will be more robust legislation in the future, which will mean mandatory notification.”
Ultimately, Spier said, insurers should have more responsibility to communicate with each other and their customers when it comes to cyber security.
“Communication between businesses about what problems they are facing is always to be encouraged,” he added. “That’s a drum that everyone bangs in insurance and they communicate a lot about fraud; firms are only starting to do this about cyber attacks.
“As a consumer, one of the things I’m most shocked about from doing this job is realising the extent and the scale of the problem. And realising the amount of businesses that have experienced breaches and potentially how much data has gone missing but no one has told me about it.
“I understand why insurers don’t want to release a statement, but instead of not talking about it, they could actually help the customers more proactively. People will start to forget that the insurer was the one that lost the data; what they’re doing is engaging the customer and actively trying to help them. They could have a positive outcome from it, but it depends on how they handle it.”