Insurers in the firing line
Nitin Khanapurkar, partner, Consulting at auditing firm KPMG, discusses cybercrime and why insurance firms need to take a holistic approach to securing their IT infrastructure.
As banks become more sophisticated and effective at defending themselves against attack, the focus of much cybercrime is changing. Increasingly, insurance companies are becoming the target. The risks are very real and very serious. Insurers need to raise their game as a matter of urgency.
In more recent years, with the massive growth of the Internet, online connectivity and remote access, it has again been banks that have borne the brunt of cybercrime. Not only is the money there; banks also hold critical information about all of their customers which, in the wrong hands, can be equally valuable. However, the focus of much cybercrime is now changing rapidly, away from banks and onto insurers.
There are a number of reasons. Perhaps the most significant and straightforward is simply that over the last 10 years or so, banks’ defences have become more sophisticated and effective. The industry has appreciated the threat and has taken measures to counteract it.
It is clearly not possible to prevent all attacks from succeeding and, for obvious reasons, individual banks are reluctant to publicise those attempts that do result in loss. But overall, the banks have become increasingly effective in repelling cybercrime.
Another key factor is that cyber criminals have come to realise that banks are not the only potentially lucrative targets. Certainly, banks are where the money is. But money can also be stolen from insurance companies.
The insurance market in the UAE is very diverse. With around 60 insurance companies in the UAE, there are the large players, along with a mix of small-sized insurance companies. Foreign-based insurance players also have a significant presence in the country. Unlike the banks, the insurance companies do not have a large portfolio of online services to offer and hence have a limited exposure to the threats that the banking industry faces. Nevertheless, the insurance sector needs to be ready to upgrade its security protection levels, or else it may become a prime target for attackers.
As insurers amass greater amounts of customer data through new online channels, social media, telematics and web-based claims management systems, they become even more attractive to cyber criminals.
In 2012, a major security breach of a US insurer affected 1.1m policyholders and potential customers. Hackers stole names, social security numbers, driver’s license numbers and dates of birth. The insurer acted swiftly, offering credit monitoring and identity theft protection for those impacted, including US$1m in free identity theft insurance coverage with no deductible.
Organised criminal networks have also begun to realise that it is not actually necessary to steal anything. The mere threat of loss – or of operational damage and disruption – can be enough to extract a substantial ransom from the targeted organisation. Once again, many companies are reluctant to reveal publicly when they have been hit. But many have paid up quietly.
The rapid growth of online insurance purchasing offers greater opportunities to organised crime. It can be difficult for customers, attracted by low prices, to distinguish legitimate insurers from fraudulent ones. We are seeing a spate of “ghost brokers” being set up on the internet selling fake policies, taking premiums and leaving the policyholder with no cover.
There is no doubt that certain states have developed and maintain sophisticated technological capabilities designed either to extract cash or data from vulnerable Western companies or, more commonly, to sustain the capability to hold those organisations to ransom as part of a more extensive coordinated attack. There are fuzzy lines between traditional electronic espionage, commercial espionage and theft of data for commercial and strategic advantage.
Security awareness should be improved not just for employees; significant programmes should also be developed to enhance the security awareness of customers. Cyber security should be a priority topic on the board agenda, and adequate investment should be made to improve security programmes.