WHY THE FCA’S IT OUTAGE SHOULD BE A CALL TO ACTION FOR THE INSURANCE INDUSTRY

Robert Rutherford, CO of the business and technical consultancy QuoStar
It’s no secret that the number of cyber-attacks is increasing year on year, and while this trend is noticeable across many industries, the insurance sector has become a prime target for hackers.

The Financial Conduct Authority (FCA) was the latest organisation to suffer an IT outage, affecting a variety of systems including Gabriel, a repository for roughly 50,000 regulatory records. Whilst the FCA has reassured consumers and businesses that the outage was a result of a data centre failure rather than a cybersecurity breach, it could have easily been a cyber-attack.

In recent years, insurance firms have been targeted by numerous cyber-attacks, both internal and external, including those by disgruntled former employees and organised cyber criminals. With the Association of British Insurers estimating that the UK insurance industry is managing investments of £1.9 trillion, it is no surprise these firms are such an attractive target. Not only do they have a large amount of capital funds on their systems at any one time, but they also have access to a wealth of customer data – the perfect tool for blackmail, or to release to the public with the intent of damaging a firm’s reputation.

How do cyber criminals target insurance firms?

Gone are the days when individuals just hacked for “fun” or to prove that they could access a company’s systems. The motives of cyber criminals are now far more calculated, leading to a change in the method of attack. These motives are led by the potential for financial gain or by the aim of damaging a firm’s identity and reputation, sometimes irreparably. Cyber-attacks are rapidly becoming more sophisticated and, for those willing to be patient, the rewards stand to be substantial.

While insurance firms can be exploited through software vulnerabilities, social engineering is another popular tactic for many hackers. This involves using tricks and tactics to gain information from legitimate users of a system in order to gain unauthorised access, without having to break in. Examples include calling targeted employees, pretending to be from IT or maintenance, and requesting login details to “fix a problem”. As this can be a common helpdesk request, some users may respond, which highlights the need for continual training and education with new and existing members of staff. Employees are often a firm’s first line of defence and, as such, must be able to recognise any red flags – such as suspicious emails or calls – and understand the appropriate escalation process.

How can insurance firms protect themselves?

When it comes to determining a security strategy, and an overall IT strategy, the insurance sector is facing pressure from multiple angles. Not only does the sector face increasing regulatory burdens, but from a technical aspect firms are also under continual pressure to modernise their systems to ensure that data is kept highly secure, yet instantly available for review and processing.

These pressures combined can result in increased overheads and reduced margins, which can result in decreased technical investment. However, when it comes to cybersecurity, technology should actually be the last piece of the puzzle.

Determining a security strategy should really begin with a firm understanding what its assets are, and identifying what the potential risks to these are. A reliable starting point is the ISO 27001 standard, a global accreditation which helps firms manage IT security by reviewing, assigning controls and monitoring processes.

Education will always be a key element of any security strategy. As social engineering is developing at a rapid pace, the human element (i.e. a business’ staff) remains vulnerable as these attacks are essentially a manipulation of trust. A comprehensive policy should cover basic tools such as password strength, disclosing confidential information and physical security, among others. Having a security-aware culture means that potential threats will flag up with employees and they will be able to make the correct decisions, even when the request seems incredibly genuine.

The FCA outage, along with other recent high-profile security breaches, must serve as a warning to insurance firms that they are a prominent target for cyber criminals and that security is an issue which must be prioritised and addressed.

Taking steps to protect customer and financial data will protect an insurance firm’s reputation and profitability, so these organisations must take the time to implement policies and systems to secure the business, and ensure these policies are reviewed regularly. The consequences of failure can be devastating, or even fatal, so it’s imperative that cybersecurity is made a priority.