The COVID-19 pandemic has sped up digital transformation and accelerated the shift to digital channels, introducing new cyber risks which insurance companies need to manage and mitigate, insurers and cybersecurity experts said during a virtual panel discussion.
Simon Chandran, Financial Services Technology Consulting Partner at EY in Hong Kong, explained during a Fintech Fireside Asia session,
“EY runs a global international security survey every year and what we see from our respondents, and those from the insurance sector as well, is significant increases in the types of phishing attacks, the sophistication of malware attacks and ransomware as well.
It was interesting for me to read a recent report that cited Hong Kong’s as one of the top 10 locations ranked globally suffering from cyber-attacks on cloud accounts.”
Insurance firms are increasingly adopting emerging technologies, including big data, cloud, online services, and even remote working, widening the “threat surface”, said Yiing Chau Mak, Director of Data Science at cybersecurity firm Shape Security (part of F5 Networks).
In the insurance sector, he’s observed two primary types of cyber threats: the ones targeting users with attacks such as account takeovers where criminals aim for personal information and data for future phishing attacks or to sell; and the ones targeting insurance companies themselves where competitors launch attacks between themselves to garner information.
Charles Hung, CEO and Executive Director of Hong Kong digital life insurer Blue, said that insurance companies are a great target for criminals because of the valuable data and sensitive information they carry, for example personal data, payment information, but also beneficiary information.
The “treasure trove” of personal information and medical data can be very lucrative for attackers. The panelists said that since insurance is largely a trust-based business, cyber threats are not only detrimental to the economic stability of an organisation, but also to its reputation.
“For digital players, we need to be three times as conscious and careful, we need to have a really clear framework and strategies in place to protect the customers, it’s certainly a priority but not just for digital insurers like us but conventional insurers as well,” Hung added.
There seems to be a misconception that cybersecurity is a cost center, Yiing said. Another popular misconception he often sees is the belief that security and usability are mutually exclusive.
“Some people think that you can’t get better security, without compromising usability. These are some misconceptions that needs to be challenged and changed,” Yiing said. “There are solutions out there that offer both security and usability … [and which] do not impose [unnecessary] friction to users … and those aren’t that costly.”
Legacy systems are another major challenge that’s hampering innovation and preventing insurers from adopting new, sophisticated tools, Hung said.
“From a technology perspective, I would argue that … the insurance industry, for a lot of historical reasons, is actually quite behind. There’s a lot of legacy systems … For example, many insurance systems are not ‘cloudable,’ making themselves very limited to having a greater capabilities for flexibility,” Hung explained.
“The second perspective is about knowledge. These days, you still see hundreds of people maintaining [very old] systems. When you have a deeper problem, who is going to fix it? Not to mention, today, cybersecurity is becoming very complex with complex issues. It’s evolutionary and constantly evolving.”
Echoing Hung, Chandran said that all the new, innovative solutions being launched are built for modern infrastructures. Relying on old systems is not only potentially more risky from a cybersecurity perspective, it could also become very expensive in the long run.
“If you look at the technology landscape, in terms of the tools that are coming out, these are geared towards the ‘new’ so there is potentially a risk of having high costs when continuously maintaining your legacy infrastructure and systems,” Chandran said. “That doesn’t help the challenge that’s already there from the cybersecurity spending perspective.”
