Pandemic should prompt insurers to reexamine cybersecurity

Cybsecurity has become even more critical now as the global coronavirus pandemic has exacerbated many of the threats facing insurance carriers and their distributors.

The pandemic has disrupted insurers in terms of both internal operations and customer engagement. For one, as remote work became the rule rather than the exception, the use of potentially unsecured personal devices, videoconferencing platforms, and team collaboration applications skyrocketed. Such emerging exposures may not dissipate as companies recover. Indeed, a recent Deloitte report found that many financial institutions are evaluating permanent remote work for at least part of their staff.

Meanwhile, the pandemic has prompted many companies to accelerate their digitization efforts. As office closures and restricted movement compelled everyone and everything that can operate virtually to do so almost overnight, many insurers had to more fully embrace a digital transformation in back office operations, distribution, and claims to remain competitive and fully connected with customers.

Adapting to these sudden shifts, however, has often compounded problems facing many Chief Information Security Officers (CISOs) and their cybersecurity teams. Hackers and cyber scammers were quick to try to take advantage of expanding attack surfaces. As early as April, just a couple of months after COVID-19 had significantly surfaced in the United States, the New York Department of Financial Services highlighted the significant increase in cybercrime related to the COVID-19 outbreak.

Insurers should, therefore, be digitally enabling the cybersecurity function to keep pace with rapid IT transformation and protect critical assets against increasing levels of cyber threats and attacks.

That will likely be easier said than done. Given the lingering macroeconomic impact from the COVID-19 pandemic, many companies are taking a hard look across the board as to whether they need to cut non-core expenses or at least delay any additional planned investments. Insurers, however, should be particularly judicious before making reductions in cybersecurity budgets or pausing capability upgrades, and perhaps even consider investing more to secure their altered operations, as cyber risks confronting most organizations are only likely to intensify.

New threats emerged before pandemic

Of course, the effects of the pandemic aren’t the only challenge facing insurance company CISOs. Their struggle to stay ahead of the curve and keep up with an ever-evolving threat landscape was apparent well before anyone had heard of COVID-19.

That’s one of the takeaways from this year’s cybersecurity survey conducted by the cyber risk services team at Deloitte & Touche LLP and the Financial Services Information Sharing and Analysis Center (FS-ISAC). Even though the survey was fielded just before the pandemic hit the United States, the results already indicated that many insurers may need to further prioritize, reinvest in, and perhaps even reorganize their cyber protection programs to maintain their ability to adapt as new exposures arise.

The survey spotlighted several significant concerns, which are outlined below along with the implications for insurers and other financial institutions:

1. Budget: FS-ISAC members responding to the survey reported an increase in cybersecurity spending, with emerging technologies such as cloud, data analytics, and robotic process automation as top cybersecurity investment priorities. Access control, protective technology, and data security were emphasized as rationales.

2. Keeping up with transformation: For the last three years, respondents identified rapid IT changes and rising complexities as their top cybersecurity challenge. To help effectively mitigate emerging cyber risks, companies should consider digitally enabling the cyber function within the broader IT service development process. Adopting “security by design” principles during technology development could also help financial institutions create more secure products.

3. Governance: Cybersecurity is often included as part of the IT function, and CISOs typically report to the Chief Information Officer or Chief Technology Officer at their companies, according to most respondents from large financial institutions surveyed. This reflects the need for close integration of cybersecurity and IT. At the same time, insurers may want to retain a certain level of independence for cybersecurity, which could help ensure risk management decisions are not overshadowed by IT constraints.

4. Access control: With lines blurring among employees, customers, contractors, and partners/vendors in general, firms should consider implementing “zero trust” principles for access since the organization’s perimeter is essentially gone. This means imposing verification requirements on all those looking to access a firm’s data or systems from either inside or outside the company.

5. Adaptation: Finally, many companies will be under pressure to reduce expenses in a recovering economy. However, actions taken to reduce operational costs should be evaluated carefully for their cybersecurity implications. Companies should consider corrective measures to ensure that cost reduction initiatives do not expose them to additional cyber risks, such as insider threats.

Despite the added cybersecurity challenges posed by the pandemic, CISOs should not take their eyes off longer-term goals, which likely include aligning with the company’s strategic priorities, managing talent challenges, and addressing external issues such as regulation. Such broad engagement can highlight the value cybersecurity adds to the business.

To execute this well, stakeholder engagement will likely become critical, regardless of the operating model used. Such collaboration will become even more important in addressing emerging cybersecurity exposures both during and after the pandemic.

Click here for more details about the Deloitte & Touche LLP/FS-ISAC annual financial services cybersecurity survey report, co-authored by Mark Nicholson and Julie Bernard, principals with Deloitte & Touche LLP. For an on-demand webcast on the report, click here.

Former National Underwriter Editor-in-Chief Sam J. Friedman (samfriedman@deloitte.com) is insurance research leader at Deloitte’s Center for Financial Services. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn.

Nikhil Gokhale (ngokhale@deloitte.com) is an insurance research specialist at the Deloitte Center for Financial Services and project leader for the insurance premium forecasting series.

These opinions are the authors’ own.

This piece is published with permission from Deloitte. As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of Deloitte’s legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Keep reading…

• SEC warns of rise in ‘credential stuffing’ cyberattacks
• Growth in 5G and IoT presents new ‘physical’ cyber threats
• HSB study: Smartphones, connected tech invite cybercrime