3 Cybersecurity Considerations for Insurers

Insurance companies store large amounts of information about their policyholders, and attacks are expected to grow in frequency and severity in the coming years.


With the number of cybersecurity attacks growing every year, it’s not a matter of if, but when, a threat comes knocking on your organization’s door. The U.S. was the target of 46% of cyberattacks in 2020, more than double any other country.

With the threat of more attacks growing every year, companies in industries that are considered high risk should be prepared in every way. What makes one industry more vulnerable than another? It's not that one is less or more prepared than another; it's what they are trying to protect. The insurance industry is one such vertical: attackers penetrate this sector to access the personally identifiable information (PII) of millions of Americans. Insurance companies store large amounts of information about their policyholders, and attacks against the insurance industry are expected to grow in frequency and severity in the coming years.

Approximately 68% of business leaders feel their cybersecurity risks are increasing. If you are a leader of an insurance firm, the time is now to minimize all possible risks and maximize efficiency and response to an impending threat. Here are a few ways to ensure preparedness against cyber criminals. 

1. Properly Train Employees to Mitigate Risk

All potential weaknesses are important to take into consideration when weighing security risks. According to a study, 95% of all cybersecurity breaches occur due to human error, and such error can occur at any access point in online activity. That is why educating and training employees in safe online practices is the first step in avoiding catastrophe.

There are a few best practices: 

  • Encourage Taking Care of Devices — A study conducted by Forrester found 15% of company breaches are caused by lost or missing devices. With remote work becoming more common, awareness and prevention are absolutely essential because every gadget, personal or professional, becomes a possible gateway to your company's network. A device management and monitoring solution might be considered, so the IT team can manage employee devices from anywhere and mitigate risk. However, keep in mind this should only serve as a backup solution.
  • Teach Employees to Spot Suspicious Activity — Training may be required to improve employees’ ability to spot suspicious activity, such as: the sudden appearance of new apps or programs on their devices; the device slowing down for no apparent reason; new extensions or tabs in the browser; or loss of mouse and keyboard control. Every employee should be fully aware of these signs while operating a company device. 
  • Reinforce Confidentiality — Fully explain the rationale for virtual private networks (VPNs), multi-factor authentication, frequent password changes and other secure processes to employees. It's best to provide examples and scenarios of data breach consequences to help them understand that risks can occur anytime, anywhere, and can affect them and their personal information just as much as they can affect the company as a whole. This highlights the essential need for meticulous management practices.
  • Take Advantage of Training and Online Courses — All of the above and more can be properly addressed through the use of online training courses and frequent “security check-ins” throughout the year. The Federal Trade Commission, Department of Homeland Security and others provide courses and programs for organizations to help ensure your company will be safe from harm.

2. Employ Artificial Intelligence (AI) and Machine Learning (ML)

The more insurance companies join the digital landscape, the more incorporating AI and ML into systems will help mitigate risk. Intelligent data gathering will significantly help insurance companies protect against malware, ransomware and advanced persistent threats (APT). The newest artificial intelligence and machine learning technologies can analyze a vast amount of data quickly and can detect any deviation from an expected pattern in data behavior. These programs can be used to monitor data workflows and respond to attacks immediately.

Technical cybersecurity solutions for the insurance industry must focus on access control management, data behavior, the encryption of large data volumes and the prevention of data leaks. Remember these elements when searching for a cybersecurity solution for your firm.


3. Have a Plan of Action in Place

Perhaps most importantly, having a written plan and protocol in place provides peace of mind for insurance leaders, investors and customers. This plan should outline every possible measure of safety and action. Here are some examples of best practices:

  • Data Privacy Policy: Provides an in-depth guide around the handling of corporate data to ensure maximum security
  • Retention Policy: Describes how various types of corporate data are expected to be stored or archived, where and for how long
  • Data Protection Policy: How the organization handles the personal data of its employees, customers, suppliers and other third parties
  • Incident Response Plan: Responsibilities and procedures that must be followed to ensure a quick, effective and orderly response to security incidents like ransomware attacks and breaches

The considerations outlined above are intended to maximize preparedness and security against a potential cyberattack on an insurance firm. Even in circumstances where a threat seems unlikely, countless businesses of all sizes have fallen prey to cyberattacks in the past few years, and that number is rising. If employees and digital systems rely on the online ecosystem, there's a good chance of an attempted or successful attack.

Can your organization afford to risk such an event? If the answer is no, it’s time to put an action plan in place. Protect what matters – your resources, your people and, above all, your customers.

Grant Gibson


Grant Gibson has more than a decade of experience in the cybersecurity industry and is the chief information security officer at CIBR Ready, a cybersecurity think tank. 

Gibson also serves as chair of the National Initiative for Cybersecurity Education, where he provides a voice of leadership to emerging cyber technology education standards in the U.S. He is a proud veteran of the Marine Corps, serving as a critical communications chief and pioneering IT instructor.

