Insurers are 'vulnerable' to cyber attacks, says regulatory body

The IAIS, whose members are insurance market regulators based across the globe, said insurers face potential loss of confidential data, disruption of operations and reputational loss as a result of cyber risks.

"The insurance sector is vulnerable to cyber incidents," the IAIS said in a new paper on cyber risk that it has opened to consultation. "Insurers collect, process, and store substantial volumes of data, including personally identifiable information. Insurers are connected to other financial institutions through multiple channels, including investment, capital raising, and debt issuance activities. Insurers execute mergers and acquisitions and other changes in corporate structure that may affect cybersecurity. Insurers outsource a variety of services, which may increase exposure to cyber risk."

In its report the IAIS highlighted examples of cybersecurity weaknesses that regulators in the insurance sector have come across. It said insurers need to have oversight of the flow of data between their different "IT systems, applications, and components". It also flagged failings with "user privileges" extended to staff and said there needs to be "sufficient controls" on the access employees have to 'superuser' accounts.

Insurers have to address cybersecurity "at all levels" of their organisation, the IAIS said.

"Generally, a cyber risk management program includes ongoing process and control improvements, incident management procedures such as response and disaster recovery, state-of-the-art network policies and procedures, rigorous management and control of user privileges, secure configuration guidance, appropriate malware protection procedures, consistent control of removable media usage, monitoring of mobile and home working procedures, and ongoing awareness and educational initiatives for all personnel," it said.

The IAIS said that a survey it conducted last year showed that there is "no uniform practice" in the way insurance market regulators address the supervision of firms' cybersecurity. It said regulators "should seek to increase their understanding of cyber risk and their supervisory capabilities concerning the insurance sector’s cyber resilience".

"Such supervisory focus might appropriately include, but should not be limited to, insurers’ awareness of cyber risk and cyber resilience, and insurers’ development and implementation of policies, procedures, and technology to increase cyber resilience, including the implications of outsourcing and other third-party connections on cyber resilience," the IAIS said.

Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said: "Many of the cyber security initiatives pursued in recent times within the financial services sector have been focused on the actions banks are taking to secure their systems and data against attack. However, insurers also hold rich data which makes them a target for attackers, such as sensitive medical information they may process in handling claims."

"Insurers typically have a number of third party agreements in place with other businesses they contract to manage claims or business processes on their behalf. Insurers need to account for the cyber risk they face directly and indirectly via outsourcing arrangements by identifying what the risks are and managing that risk either by ensuring that suppliers take a share of that risk on via contractual arrangements or by taking out appropriate cyber insurance cover," Birdsey said.

The IAIS paper, which was prepared by its financial crime task force, also looks at the applicability of the IAIS' insurance core principles to cyber security and possible responses from individual supervisors to the risks. 

The paper calls for the risk of cyber crime to be addressed on a global basis, including through work by financial sector standard setters such as the Committee on Payments and Market Infrastructures and the International Organisation of Securities Commissions.

There should be better understanding and scrutiny of cyber risk by supervisors, and improved cooperation between the private and public sectors, the paper said.

In its latest annual report on the UK government's cyber security strategy (34-page / 705KB PDF), Cabinet Office minister Matthew Hancock said that to address cyber risk, "continued, sustained and close collaboration between government, industry, academic and international partners is vital". The UK government intends to set out a new five-year cyber security strategy later this year, according to the report.

"The volume and complexity of cyber attacks against the UK are rising sharply," the annual report said. "Digital technology is revolutionising every aspect of our lives. But the changing technological landscape is opening up new vulnerabilities and new opportunities for our adversaries. We need to work even harder to keep pace with the evolving threat. The [new cyber security strategy] … will set out the government’s vision for cyber security in 2021 and the objectives and respective roles and responsibilities that will enable us collectively to achieve that goal."

"We will ensure that all parts of government and the public sector play their full part in delivering efficient and secure services. But government alone cannot provide for all aspects of the UK’s cyber security. All sectors of society have a role to play and it is vital that everyone plays their full part, adopting secure cyber behaviours that, together, will help protect the UK," it said.