Insurers Unprepared on Cyber Threats

65% of insurance technologists cited cyber-attacks/threats as an even greater concern than inflation (45%) and retaining and hiring talent (40%)

The insurance industry has a full plate these days – dealing with everything from economic and political instability, climate change, a hardening market and increased claims expenses, to finding skilled workers and operating in a fiercely competitive environment where digital transformation is a must. However, according to a recent survey we conducted with global IT decision-makers, C-suite executives across the industry think cybersecurity is the largest challenge of all. 65% of insurance technologists cited cyber-attacks/threats as a greater concern than inflation (45%) and retaining and hiring talent (40%), and cloud evolution/migration is a big part of the story.

The consequences of cyberattacks can be devastating to insurers that are unprepared. 63% cited operational downtime as a leading concern, while 51% reported concerns over intellectual property loss and theft, and smaller percentages say they are concerned about damage to brand reputation (47%) or revenue loss (33%).

Good News 

There is some good news in the survey. Insurers have increased their investment in cybersecurity, and that shows no sign of changing. Despite the economic challenges brought about by the pandemic, 81% of insurers report that their cybersecurity budgets have increased over the past three years. Respondents also note that the issue receives an increasing share of board visibility. They also cite increased collaboration between the security team and the C-suite to address cyber risks. More than ever, security teams, boards and C-suite executives at insurance companies are working together to ensure risks are appropriately controlled:

  • 72% note an increase in board visibility for cybersecurity over the past five years 
  • 73% cite increased investment in cybersecurity due to better collaboration between the security team and members of the C-suite.

…and Some Bad News 

At the same time, carriers are moving their infrastructure away from proprietary data centers through multi-year cloud transformation initiatives. Maintaining a security posture that meets compliance challenges and addresses top risks while these structural IT changes are taking place is emerging as a challenge. With IT infrastructure spread across public and private clouds, and a significant installed base of legacy IT infrastructure still not on the cloud, holistically managing cybersecurity becomes more challenging, especially in a world where IT talent and cyber talent are at a premium.

It is not surprising that the leading targets for new cybersecurity investment among insurers are cloud native security (69%), data security (51%), consultative security services (51%) and application security (42%). According to the survey, cloud native security is the area where organizations are most likely to rely on an outside partner for expertise. 

These investments align with the top areas insurers perceive as their greatest concentration risk, led by network security (55%), closely followed by web application attacks (54%) and cloud architecture attacks (64%).

The consequence of these converging dynamics is that fewer than half (42%) of insurance IT professionals said they are “fully prepared” to respond to cybersecurity attacks and threats. In addition, a majority report being either “unprepared” or only “somewhat prepared” in key areas such as identifying and mitigating threats and areas of concern (50%), recovering from cyberattacks (53%) or preventing lapses and breaches (66%).

For all the industry’s efforts to put cybersecurity at the top of the agenda and the increased spending on new technologies, there are still too few insurers adding cloud-native security functionality or third-party SaaS security tools that are built specifically for cloud-based workloads. As threat actors continue to target cloud workloads and access points, and as IT architectures grow in complexity, there will clearly be a need for carriers to use outside security assistance to identify and mitigate their threats. 

Gary Alterson

Gary Alterson is VP of security services at Rackspace. He acts as GM for Rackspace's security solutions, focused on supporting digital transformations and cloud acceleration.

Previously, Alterson led customer experience and services product management at Cisco Systems, where he built professional, managed and support services addressing cloud security and advanced threats. At Cisco and at Neohapsis, a nationally recognized cybersecurity boutique consultancy, he and his teams were instrumental in transforming enterprise and government security programs to effectively address shifting business models, emerging technologies and the evolving threat environment.

As a previous CISO and security architect, Alterson has over 20 years of experience on the front lines of security, protecting and responding to threats across multiple industries. He is often sought out to speak on secure digitization, cloud and emerging technology security frameworks, as well as enterprise security.

