Cyber Risks Threaten Insurance Supply Chain

Supply chain cyberattacks have surged 431% as insurance firms face mounting threats from third-party vendor vulnerabilities.


It's a common misconception that the "supply chain" only applies to the movement of physical goods. The insurance supply chain (which links reinsurers, carriers, agencies, brokerages, and customers) is a clear example of an intangible one. Through this chain, brokerages, agencies, and carriers provide customers with competitive products while depending on each other's expertise and financial capacity.

With this connectivity comes a wealth of opportunities and risks. Insurance firms within the chain that rely on third-party vendors, and those that are increasingly digitizing their operations, expose themselves to a growing threat of cyberattacks.

Risks vary from firm to firm. However, supply chain attacks in general increased by 431% over two years, so now is not the time to assume your firm isn't affected.

How Cyber Risks Emerge in the Global Insurance Supply Chain

Global insurance businesses that digitize their services, including documents and other operations, for efficiency and accessibility expand their attack surface as they do so. The more third-party software and network devices are rolled out, the more entry points an attacker can target.

Third parties pose an increasing level of risk to operations within the global insurance supply chain. Regrettably, however secure your own networks and processes may be, any lapse in your software or hardware vendors' security can still put you and your customers at risk. In fact, operational risk from third parties is now a leading concern for companies on most chains.

With modern insurance firms reliant on content management systems, cloud storage and servers, and customer relationship management software solutions, they cannot simply avoid working with third parties.

What's more, cyber risks emerge in the global insurance supply chain when there is variation in security policies and standards between linked firms, and when parties simply neglect to update software versions, hardware, and security processes.

This is all compounded by the fact that hackers see insurance companies as prime targets for ransomware and data theft. The data you hold on customers is not only sensitive but also financially lucrative in the wrong hands. It also hands cybercriminals a target list of organizations, together with an understanding of the limits their insurance will cover, any exclusions that apply, and the terms and timelines of payments. This lets them tailor both the attack vectors they use against a victim organization and the sum they try to extort from it, maximizing the return on their time and resources.

Common Cybersecurity Vulnerabilities in the Supply Chain

Although cyberattacks are evolving in scope and sophistication (for example, through the proliferation of artificial intelligence), there are still many common vulnerabilities that insurers in the supply chain can readily monitor and patch, and addressing these gaps with deliberate strategies further strengthens your defenses.

What's more, where weaknesses are not so obvious, firms use penetration testing to map out security flaws beneath the surface.

Here are some common vulnerabilities in the supply chain that insurers must keep vigilant for:

  • Poor security standards adopted by third-party vendors and partners
  • Gaps in security knowledge among internal personnel
  • Outdated software, hardware, and firmware
  • Shadow IT devices (systems or programs added to networks without approval)
  • Misconfigurations and coding errors
  • Poor access controls and user permission standards

Of course, the risks facing any specific insurer or agency will vary. However, companies can best prepare themselves (alongside working with a cybersecurity expert) by consulting OWASP's software supply chain security cheat sheet, which breaks down the threat landscape affecting software artifacts and explores potential risk mitigations.
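One concrete mitigation from the software-artifact side of that threat landscape is to pin every vendor-supplied artifact to the digest recorded when it was vetted, and to refuse anything that is either not on the allowlist (the shadow IT case above) or whose digest does not match (a tampered or unexpected build). The following is an added example written for this article, not code from OWASP or from any insurer; the artifact name, version, and allowlist are constructed for illustration, and the pinned digest is the published SHA-256 test vector for the bytes "abc" so the result can be checked by hand.

```python
"""Integrity gate for vendor-supplied software artifacts.

Added example: every artifact must be on a vetted allowlist and must hash to
the SHA-256 digest recorded at vetting time before it is installed.
All names, versions, and digests below are constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Tuple


@dataclass(frozen=True)
class Pin:
    """Version and SHA-256 (hex) recorded when the artifact was vetted."""
    version: str
    sha256: str


# Hypothetical allowlist. The digest is SHA-256 of the bytes b"abc", a
# published test vector, so the sample check below is independently verifiable.
ALLOWLIST: Dict[str, Pin] = {
    "rating-engine": Pin(
        "2.4.1",
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    ),
}


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory artifact."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(
    name: str, data: bytes, allowlist: Dict[str, Pin] = ALLOWLIST
) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Rejects artifacts that are not on the allowlist (unapproved / shadow IT)
    and artifacts whose digest differs from the vetted pin (tampered, wrong
    build, or silently changed by the vendor).
    """
    pin = allowlist.get(name)
    if pin is None:
        return False, f"{name}: not on the vetted allowlist"
    actual = sha256_of_bytes(data)
    if actual != pin.sha256:
        return False, (
            f"{name}: digest mismatch "
            f"(expected {pin.sha256[:12]}..., got {actual[:12]}...)"
        )
    return True, f"{name} {pin.version}: digest verified"


if __name__ == "__main__":
    # Constructed sample inputs: a good build, a one-byte variant, and an
    # artifact nobody vetted.
    for artifact, payload in [
        ("rating-engine", b"abc"),
        ("rating-engine", b"abd"),
        ("unvetted-plugin", b"abc"),
    ]:
        accepted, reason = verify_artifact(artifact, payload)
        print("ACCEPT" if accepted else "REJECT", reason)
```

Pins belong in version control alongside a record of who vetted the artifact and when; the gate is only as good as the process that updates it, which is why the vendor-contract and update-schedule steps later in this article matter as much as the check itself.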

Why Cyber Risks in the Supply Chain Are Business Risks

Cyberattacks are no longer "just problems for IT to worry about." They pose a genuine risk to business operations and customer livelihoods, particularly given the scope and depth they can reach in the current landscape.

Cyber risks in the insurance supply chain could result in innocent firms losing customer data, revenue, and reputation. Even with a robust internal security process, companies may also risk falling foul of compliance violations, leading to heavy fines and further reputational damage.

Any data leaked through European Union vendors, for example, may fall under the scope of the GDPR, where businesses can face fines stretching into the millions.

The "domino effect" of a cyberattack on the insurance supply chain could see multiple vendors (and therefore thousands of customers) at risk of data loss and operational slowdown.

For example, a reinsurer hit by ransomware, which locks systems until a payment is made to the attackers, may freeze operations for firms further down the chain that depend on its expertise.

Effectively, the right (or rather the wrong) attack could halt the movement of the supply chain for an indeterminate period, costing revenue, business, and customer trust.

Practical Steps to Identify and Reduce Supply Chain Risk

Although there is no way to entirely remove cyberattack risk from the insurance supply chain, there are stringent measures individual business owners can take to protect their interests (and others). For example, they might:

  • Draw up an airtight vendor security agreement and carefully vet new partners so that their risks are not passed on to you
  • Embed specific cybersecurity controls in supply chain vendor contracts (i.e., bind new parties to agreed security measures)
  • Carefully train and refresh employees on cybersecurity standards and security hygiene (and insist on the same for vendor employees)
  • Adopt zero trust principles (i.e., treat no connection, request, or new device on the network as trusted by default, and require multi-factor authentication before granting access)
  • Follow security frameworks such as ISO/IEC 27001 to ensure all bases are covered (without needing deep in-house cybersecurity expertise)
  • Create software and hardware update schedules, and only take on new tools and partnerships if major stakeholders and directors deem them vital

Of course, it is still prudent to consult cybersecurity professionals for a customized analysis and action plan, as these steps are only a high-level overview of possible actions.

The Role of Governance, Compliance, and Risk Culture

Ultimately, every level of an insurance supply chain firm must take cybersecurity seriously. That means there needs to be oversight and buy-in from the top downwards, with a company culture built around data compliance and on the principles of zero trust.

The best step an insurance firm can take immediately is to start embedding a culture of risk preparation and proactive remediation. This is easily started by taking greater care in vetting new partners, training internal staff, and adopting more stringent access controls.

What's more, there needs to be open communication and collaboration. Regardless of where in the supply chain an attack originates, assigning blame only wastes further time and resources. Take care of your own cybersecurity, but at the same time, plan to support your partners and others in the chain with accountability, awareness, and proactive measures.
