Almost daily, we read of how cybercrime has affected large enterprises, causing hundreds of millions of dollars in losses. However, the unabated expansion of cybercrime is also affecting small business, including insurtechs, as evidenced by the steep increase in global spending on cyber security.
By July of 2018, cyberattacks had increased over 140% from the year before, indicating that the problem is worsening. International data security company, Gemalto, has observed that there were 3.3 billion compromised data records across 944 breaches in the first half of 2018. More than 50% of the breaches were malicious in nature, accounting for about 80% of unauthorized access, theft or compromise of records. While financial access is a growing cause of loss, identity theft continues to be the most frequent type of breach.
One of the more difficult attacks to ward off is that of various malware. Cyberattackers become more skilled with each passing year at developing software that will avoid detection techniques, employing increasingly sophisticated code.
Insurtechs present an attractive target
We’ve recently – and often – read about breaches to large companies such as Nordstrom, Facebook and Marriot in the news. However, small and medium enterprises, which includes most insurtechs, should be concerned about the growing incidents of cyberattacks. The connected nature of insurtechs make them very attractive targets, as connected technology creates new gateways for cyber criminals. In 2017 alone, IoT attacks were up 600 percent, reported Symantec. The modes of attack included phishing schemes, ransomware and denial-of-service. Insurtech employees generally use their own mobile devices, an aspect of the business that increases the risk of unauthorized access.
Absorbing the financial loss, along with the damage to reputation – something that is paramount to the success of an insurtech – are nearly impossible to overcome. Insurtechs, however, are uniquely equipped with sufficient talent to take steps to prevent, discover and respond to a cyberattack. Although it requires the dedication of resources, prioritizing loss prevention has the potential to deliver huge returns.
Consider the secondary exposures an insurtech faces from a cyberattack: The attacker could use the insurtech’s systems to access the systems of their partners, such as large insurers, creating liabilities that the insurtech may not be able to absorb. The famous Target breach was caused by cyber criminals using the poorer security measures of a Target contractor to then access Target’s data through the contractor’s billing interface. Another secondary exposure of great importance to an insurtech is the reputational damage in the minds of potential investors. The “tech” aspect of an insurtech is the key selling point of the concept. Exposure to cyberattack may signal a lack of technical skills that investors consider critical.
Cybercrime risk control techniques
There’s no easy solution to prevent cybercrime, and there likely won’t be in the near future. However, insurtechs can better prepare themselves.
Consider a handful of measures the security-conscious insurtech can take to “Protect-Detect-Respond.”
Prevention – Consider a hackathon day wherein you challenge employees or consultants to access your systems without authorization. This is an excellent measure to determine where you need to add security and prevention techniques to prevent unauthorized access.
Seek Out Vulnerabilities – Examine all of the ways cybercriminals can access your networks, both within and outside of the company. Entry points include workstations, laptops, mobile devices, portable storage, access cards, passcodes, Wi-Fi and susceptible employees. You’re likely using two-factor authentication, but if not, it is a simple and effective security technique.
Security Audit – Take inventory of your network vulnerabilities and test your existing security measures to see if they can respond adequately. There are many independent firms that can help with such an audit, and your cyber insurance provider can likely recommend options to you.
Threat Assessment – Cybercriminals will exploit many aspects of your business to access your system, including client lists, passwords, data logs, back-ups, emails and people with authorized access such as employees, customers and vendors. Assessing these areas for vulnerabilities and weaknesses can improve security.
Incident Response Plan – Cyberattacks will unfortunately occur. A well-written Incident Response Plan, triggered by first discovery of an attack, will help mitigate the loss. Early detection could mean the difference between regulatory notification or keeping the incident private, the effects of which could save the business enormous expense and protect its reputation. Acting immediately upon discovery will also help find the source of the attack and cut it off.
Insurtechs are often startups, with most existing depending on investment funding for growth. Meaning, budgets are small, money is tight and resources are limited. However, it pays to make cybersecurity a priority by increasing spending on protection measures and developing qualified cybersecurity personnel. The investment may seem steep at the time but is a no-brainer when comparing the cost to the massive economic losses that would occur in the face of a breach and the threat of the business completely going under. Cyber insurance will also help keep costs manageable which makes your business more attractive to investors.