Emerging cyber risks in a connected world
With the introduction of 5G, the speed and connectivity to these networks create more opportunities for malicious actors to comprise data.
As an information security professional in the world of insurance, the emergence of cyber threats and how we prevent and mitigate these risks are somethings I think about often (as do my colleagues and peers). Many believe that 2020 may prove to be a tipping point for both the critical nature of cyber risks and the new ways we think about mitigating them. I tend to agree.
Many of these risks have been emerging in the years leading up to 2020, but with 5G well on its way, they’ll be taking on new urgency and scale. At the simplest level, the speed and connectivity of 5G networks mean more information flowing through devices — providing more opportunities for malicious actors to access and compromise it.
It’s important to note that we’re not necessarily talking about 5G technology itself when discussing these threats; rather, the number of Internet of Things (IoT) devices connected to the internet and each other, and the data or data transfer generated as a result.
Gartner forecasts that 5.8 billion enterprise and automotive IoT endpoints will be in use in 2020, a 21% increase from 2019 — and a number expected to continue to rise in the coming years.
Emerging risks for claims professionals
The continued growth of the IoT market (and 5G’s emergence) affords many new and exciting opportunities for insurance professionals — but with opportunities come new threats to be addressed.
Here are several emerging risks that will require careful and diligent navigation:
Ransomware
It is estimated that U.S. insurers are ramping up cyber-insurance rates by as much as 25% — in large part due to a surge in costly claims from ransomware exposure. The harsh truth about the emerging risk of ransomware is that it’s really a people problem. While malicious programs are very sophisticated and are always finding new ways to compromise consumers’ data, you can’t dismiss ransomware attacks where people are doing something they simply shouldn’t be.
Sadly, ransomware presents a tremendous opportunity for malicious actors to exploit — and this will only become more serious once 5G becomes more widely accessible. And, speaking of sophisticated, phishing attacks are becoming just that — sophisticated and realistic. You only have to check your inbox to find examples of false email addresses or misplaced punctuation glossed over that would de-legitimize the attempt.
Voice
Voice presents one of the more complicated emerging risks. While claims professionals are certainly going to be heavily involved if this risk becomes a reality, the chief concern should lie with consumers. Think about the spam calls you’ve received in recent times. Yes, smartphones are getting better at identifying and translating the call to enable informed decision-making, but there is a reason spam calls are so frequent — they work.
Can programs or people pretending to be your insurance company call and engage with you via voice? For example, offering to verify your address on a policy or confirming a payment method? It can be hard to tell if the human being or program in question is someone with malicious intent. This extends to automated responses — can programs be fooled to respond on your behalf and give your personal information to a malicious actor?
Wireless and contactless communication
A premium is being placed on understanding the implications of wireless and contactless networks — and the different devices that can put any consumer or organization at risk. These forms of communication can be interfered with simply by walking by something or someone. Risks here come in many different forms, ranging from data interception to denial of service — not to mention the potential for improperly secured networks that become compromised.
The challenge for claims professionals is understanding where that risk lies — and where the risk is trending. For example, at which point is a device or network being compromised (or most at risk)? At what point is data either encrypted or not as it travels between devices?
Added stresses and pressures for insurance
In addition to specific threats coming from the proliferation of IoT devices and the emergence of 5G networks, the nature of these technologies themselves means that claims professionals can expect added stresses and pressures during trying times that have the potential to strain the industry.
Seasonal or environmental pressures
As we’ve seen numerous times in history, the prevalence of seasonal or environmental disasters or extremes puts an incredible amount of stress on the insurance industry. To a claims professional, the sheer amount of data and the pace with which claims come flooding in will be an area of concern.
Misinformation
In addition to the specificity of claims — and as more and more claims become submitted through apps or portals — legitimizing claims again becomes challenging. When disaster strikes, malicious actors can see a prime opportunity for fraud as a means of quickly taking advantage of a problem with the hope that their claim is processed or slips through the cracks.
This extends beyond purposeful malicious acts as well, especially as consumers are the ones actually reporting incidents and filing claims — not always the professionals themselves. Nowadays, snap a few pictures and that can suffice as a claim. What are the indicators that a claims professional can use to determine if someone is being truthful or that the right information has been submitted?
How we can mitigate fraud
In a perfect world, the answer would be to prevent it. However, that’s not always possible. Instead, the answer to mitigating fraud lies in reimagining the tools and techniques at our disposal and pushing to make sure that new or evolving devices in the Internet of Things (IoT) market are secure — or have met a certain security standard.
Automation
No matter which way you look at it, automation in some way, shape or form is going to be essential to protect against emerging cyber threats. There is just too much data right now (and it will only increase) for individuals to be able to manage themselves. Automation must be a part of a claims professional’s toolkit when it comes to mitigating risks — and the individual’s role will be to understand the key data indicators they need to focus on in order to efficiently and effectively manage the claims process (and those that will be most significant in terms of dollars).
Many industry professionals see gaping holes that technologies such as artificial intelligence, machine learning and big data analytics can fill. The role of the human individual isn’t going away anytime soon, but there is simply not enough manpower or hours in the day to sift through and make sense of all of the claims and claims data being processed.
Education
Claims adjusters and agents will need to remain as vigilant as ever and be wary around the legitimacy of claims. It’s going to require continued education and also the development of new techniques to determine which claims are real. With claims and pictures submitted through apps, insurers are constantly trying to give consumers options to submit claims that fit their device-driven, on-the-go lifestyle.
It’s fair to say that people trying to falsify claims isn’t anything new; however, the ways people can manipulate their claims and the new options for filing them means that adjusters and agents will rely on up-to-date techniques and the assistance of technology. This education must also filter down to consumers continuing to expand their device portfolios and invite new IoT technologies into their networks — education can go a long way in mitigating the risks and issues that arise once it’s too late.
On-device security standards
One of the bigger unsolved risks within the IoT ecosystem is the security of the devices themselves. As it stands, the industry is somewhat lacking when it comes to standards around on-device security — and this is going to be a challenge to solve.
Let’s step back and look at an industry like auto, for example. It conducts tests (such as crash tests) that benchmark the safety and security of vehicles. This information becomes public and consumers can use the results to make informed buying decisions, showing what they value in a product. Based on these decisions, their insurance options and insurance rates are adjusted as a result.
Can the same thought process be extended to the broader world of IoT devices? Is there a way that we can test on-device security and reward those that are built with security at the core? Can we incentivize in a manner that puts security first over other factors such as speed to market and price?
One example is the encryption of data on IoT devices. Unknown to many consumers is that the information and traffic going through IoT devices is often unencrypted, meaning that if your security is compromised, the letters and numbers pertaining to addresses, credit cards or even the video from your cameras or the codes for your “smart” door locks are often able to be seen or accessed by an unwanted party. Is there a method by which we can reward both manufacturers and consumers of these devices for promoting secure choices?
This is a complicated concept that will require a lot more beyond these initial discussions; however, as a claims professional looking at navigating emerging risks, it should be on your radar.
The world of IoT and connected devices (both existing and new innovations) are always going to be a big deal in the world of cyber risk and fraud, but with the emergence of 5G networks, it’s only going to become more challenging to manage.
Are you ready?
John Germain ( john.germain@duckcreek.com) is Duck Creek’s chief information security officer (CISO), accountable for the strategy, direction, and management of the company’s overall security program and capabilities. He has a strong background in building and managing IT security programs for large, global organizations.
Related: