Global Banking and Finance Review

    Why Insurance is at High Risk for API Security Incidents

    Published by Jessica Weisman-Pitts

    Posted on October 25, 2022

    By Yaniv Balmas, VP of research at Salt Security

    Today’s organisations rely on APIs to deliver digital services and key business initiatives. In fact, API traffic has grown 168% in the past year, with APIs being developed, deployed and modified more quickly than ever before. With API usage increasing at this unprecedented pace, hackers now have a wider attack surface to exploit, leaving organisations faced with a new set of security risks.

    APIs propel digital transformation and innovation, particularly in financial services organisations, by enabling the exchange of data that supports everyday transactions ranging from account transfers to online payments. The growing usage of APIs in financial services has created a new and broader attack surface that enables bad actors to threaten business-critical digital initiatives.

    As part of the financial services ecosystem, insurance is among the industries at higher risk for API security incidents. The insurance industry relies on APIs to supply its increasingly digitised services and fuel business innovation. Today’s consumers expect to buy, set up, renew and claim on their insurance online and aren’t willing to compromise on the security of their personal and financial data to do so.

    To provide these services, insurers need to process and share sensitive customer data with third parties, while ensuring their customers can reliably access and modify their information 24/7 through their websites and mobile applications. This places APIs at the heart of insurance and brings new security risks that can’t be addressed with traditional security solutions.

    The Problem with Data and Compliance

    All insurance services require the exchange of customer data, which poses security and data protection challenges. These challenges are heightened because some types of insurance require extremely sensitive personally identifiable information (PII), such as medical history, driving records or address history. With 91% of APIs exposing PII or sensitive information, insurers cannot afford to endanger their customers’ data and ultimately compromise their business reputation and revenue.

    Insurers face the same compliance and regulatory obligations as other financial services organisations. In recent years, regulations around data protection, cyber resilience and cybersecurity have tightened around the world, with authorities in the United Kingdom (UK) and the European Union (EU) leading the way.

    Regulations introduced by the Bank of England and the Financial Conduct Authority (FCA), which came into effect in the UK in March 2022, establish strict requirements for financial services companies to ensure business continuity and cyber resilience.

    The new rules include specific steps such as mapping important business services, robust security testing and having appropriate tooling in place. The same requirements are included in the EU’s Digital Operational Resilience Act (DORA). In this new regulatory landscape, financial services organisations, including insurers, can face hefty fines and penalties for non-compliance, on top of the reputational damage that can cost them their customer base.

    Regulators also pay close attention to insurance companies because countries in the region mandate insurance products, such as car, home or professional liability insurance. APIs provide the capabilities required to share the data needed to deliver these products, further broadening the scope for potential API attacks.

    Innovation, Automation and Increasing Risk

    The Covid pandemic has propelled the increasing usage of APIs in insurance and accelerated the industry’s automation efforts. Today, a growing number of insurers around the world use AI-based technology to provide automated services, process policy changes, handle customer claims and facilitate the underwriting process. According to McKinsey & Company, AI will reshape insurance by 2030.

    APIs are being developed, deployed and changed faster than ever to support technological innovation in the insurance sector. This expands the attack surface available to hackers seeking to take over account information, complete fraudulent transactions or insurance claims, and disrupt services.

    At this crucial stage in insurance’s digital innovation journey, APIs play an important part in supporting new, innovative services. AI-based API security enables insurers to remain competitive in this fast-evolving landscape while safeguarding customer retention and compliance.

    Without the ability to protect their customer data while developing key business initiatives, insurers will fall behind in their digital innovation efforts. A successful API attack can have catastrophic financial and reputational effects.

    Why Traditional Tools Fall Short

    Traditional security solutions such as bot mitigation, WAFs and API gateways don’t offer adequate protection against today’s API attacks, which are low and slow, and can happen over days and even months.

    Attack activity looks like normal API traffic to these traditional tools. Their architectural limitations mean that they can inspect only one transaction at a time, and they depend on signatures to detect known attack patterns. Basic security controls, such as authentication, authorisation and encryption, which are widely used in insurance, also fall short of meeting today’s API security challenges.

    Insurance providers need rich context to understand their growing API ecosystems and fully protect them. They must be able to understand what normal API behaviour looks like so they can automatically detect anomalies among millions of API calls. Without this depth of context, insurers place themselves at risk for API security breaches that can have catastrophic effects.
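
The contrast drawn in this section, as an added example that is not from the original article or from Salt Security: the same log is checked once request by request and once against a per-client baseline built over the whole window. The log, the signature patterns, the daily rate limit, the choice of "distinct policy records read" as the behavioural feature and the 5x-median threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

def build_sample_log():
    """Constructed sample of (client, day, path) records; not real traffic."""
    log = []
    # Ordinary customers: a few calls a month, always to their own policy.
    for n in range(1, 9):
        for day in (1, 9, 17, 25):
            log.append((f"cust-{n}", day, f"/policies/{1000 + n}"))
    # One client reading 3 different records a day, every day for 30 days.
    for day in range(1, 31):
        for k in range(3):
            log.append(("cust-99", day, f"/policies/{2000 + day * 3 + k}"))
    return log

# Stand-in for signature matching on a single request (assumed patterns).
SIGNATURES = re.compile(r"(\.\./|<script|union\s+select)", re.IGNORECASE)
DAILY_RATE_LIMIT = 20  # assumed per-client, per-day threshold

def gateway_style_alerts(log):
    """Request-by-request view: known-bad signatures plus a daily rate limit."""
    alerts = set()
    per_day = defaultdict(int)
    for client, day, path in log:
        per_day[(client, day)] += 1
        if SIGNATURES.search(path) or per_day[(client, day)] > DAILY_RATE_LIMIT:
            alerts.add(client)
    return alerts

def behavioural_alerts(log, factor=5):
    """Flag clients whose distinct-record count over the whole window
    exceeds `factor` times the population median (the learned 'normal')."""
    records = defaultdict(set)
    for client, _day, path in log:
        records[client].add(path)
    baseline = median(len(paths) for paths in records.values())
    return {c for c, paths in records.items() if len(paths) > factor * baseline}

if __name__ == "__main__":
    sample = build_sample_log()
    print("request-by-request:", gateway_style_alerts(sample))
    print("baseline over window:", behavioural_alerts(sample))
```

Every individual request from `cust-99` is well-formed and under the rate limit, so only the aggregate view separates it from the other clients.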

    Insurers Must Prioritise API Security

    In insurance, data protection and compliance are not only legal obligations but essential requirements for business survival. In addition, APIs represent the heart of digital business innovation, making them critical for insurance companies to bring new and emerging services to their customers.

    At the same time, APIs have also become the top attack vector. In the past 12 months, 94% of organisations experienced an API security incident in production with API attack traffic growing 117% in the same period. This reality makes dedicated API protection essential for insurers to innovate in a highly competitive market while meeting their customers’ high expectations and remaining compliant.

    To harness new business opportunities, insurers must protect the APIs that support the connectivity of their customers’ essential and sensitive data. Purpose-built API security solutions enable insurers to support the next generation of insurance services that their customers have come to expect, while guaranteeing the safety of their data and complying with new security requirements.
