In the firing line

Khanapurkar says the rapid growth of online insurance purchasing offers greater opportunities to organised crime.

Nitin Khanapurkar, partner, Consulting, at auditing firm KPMG, talks about cybercrime and why insurance firms in the Middle East need to take a holistic approach to securing their IT infrastructure.

As banks become more sophisticated and effective at defending themselves against attack, the focus of much cybercrime is changing. Increasingly, insurance companies are becoming the target. The risks are very real and very serious. Insurers need to raise their game as a matter of urgency.

In more recent years, with the massive growth of the Internet, online connectivity and remote access, it has again been banks which have borne the brunt of cybercrime. Not only is the money there; banks also hold critical information about all of their customers which, in the wrong hands, can be equally valuable. However, the focus of much cybercrime is now changing rapidly, away from banks and onto insurers.

There are a number of reasons. Perhaps the most significant and straightforward is simply that over the last 10 years or so, banks’ defences have become more sophisticated and effective. The industry has appreciated the threat and has taken measures to counteract it. Key steps have included implementing layers of technical protection as well as concerting efforts across the industry – in what is, after all, a challenge facing all banks – to exchange information and develop strong counter-measures together.

It is clearly not possible to prevent all attacks from succeeding and, for obvious reasons, individual banks are reluctant to publicise those attempts which do result in loss. But overall, the banks have become increasingly effective in repelling cybercrime.

Another key factor is that cyber criminals have come to realise that banks are not the only potentially lucrative targets. Certainly, banks are where the money is. But money can also be stolen from insurance companies. Furthermore, money is not the only valuable commodity available; insurers need to protect premium rating tables, claims and accident and loss information. Almost equally valuable are customer details – personal information, names, addresses, account details, passwords, health and lifestyle information, payment card information, etc. – which can either be parlayed into cash or sold on to other criminal interests that will attempt the same thing.

The insurance market in the UAE is very diverse. With around 60 insurance companies in the UAE, there are large players, along with a mix of small-sized insurance companies. Foreign-based insurance players also have a significant presence in the country. Unlike the banks, the insurance companies do not have a large portfolio of online services to offer and hence have a limited exposure to the threats that the banking industry faces. Nevertheless, the insurance sector needs to be ready to upgrade its security protection levels, or else it may become a prime target for attackers who are looking for the ‘softer’ section of the financial services industry.

As insurers amass greater amounts of customer data through new online channels, social media, telematics and web-based claims management systems, they become even more attractive to cyber criminals.

In 2012, a major security breach of a US insurer affected 1.1m policyholders and potential customers. Hackers stole names, social security numbers, driver’s license numbers and dates of birth. The insurer acted swiftly, offering credit monitoring and identity theft protection for those impacted, including US$1m in free identity theft insurance coverage with no deductible. In another case, a global insurer was fined £2.2m for failing to have adequate systems and controls in place to prevent the loss of customers’ personal information.

Organized criminal networks have also begun to realise that it is not actually necessary to steal anything. The mere threat of loss – or of operational damage and disruption – can be enough to extract a substantial ransom from the targeted organisation. Once again, many companies are reluctant to reveal publicly when they have been hit. But many have paid up quietly.

Reverse engineering of the malware distributed by cyber-criminal organisations can reveal the kind of targets crime networks are focused on; increasingly over the last year or so, the evidence is that insurance companies are becoming targets.

The rapid growth of online insurance purchasing offers greater opportunities to organized crime. It can be difficult for customers, attracted by low prices, to distinguish legitimate insurers from fraudulent ones. We are seeing a spate of ‘ghost brokers’ being set up on the internet selling fake policies, taking premiums and leaving the ‘policyholder’ without coverage.

There is no doubt that certain states have developed and maintain sophisticated technological capabilities designed either to extract cash or data from vulnerable Western companies or, more commonly, to sustain the capability to hold those organisations to ransom as part of a more extensive coordinated attack. There are fuzzy lines between traditional electronic espionage, commercial espionage and theft of data for commercial and strategic advantage.

The first priority is, obviously, to recognize the nature of the contemporary threat. Historically, insurance companies have sought to defend themselves against fraudulent claims by mobilising resources to analyse broad patterns of incidence and investigate individual instances of particular concern. But the threat today includes not only the risk of financial loss, but also that of disruption to systems and processes that can cause both financial and reputational damage.

Second, it is a truism that insurers’ back-office technology and systems are a generation or more behind those routinely employed by banks. There is a lack of connectivity and coordination between different systems and, therefore, less capability to identify and counter attempts at penetration and diversion. Less automation, more manual interventions and more breaks in the chain of information processing increase the potential vulnerability.

Where claims processing is outsourced, security can be more difficult to monitor; more effective supply-chain management is needed. Recent research by Proofpoint Inc. shows that insurance companies currently face a higher number of email-based threats to security than any other business sector. In fact, KPMG’s 2012 Data Loss Barometer states that the insurance sector is at greatest risk from social engineering attacks and system and/or human error incidents. Separate KPMG research shows that financial services companies are among those industries with the most vulnerable software.

Insurers need to understand how to develop a mature and effective response. The threat is all too real. But it needs to be countered with intelligent and sophisticated action. This needs to look beyond pure technical preparedness against cyber-attacks to take a rounded view of people, process and technology in order to understand areas of vulnerability, identify and prioritise areas for remediation, and demonstrate both corporate and operational compliance, turning information risk into business advantage. In our experience, this means acting on six key dimensions that together provide a comprehensive and in-depth view of an organisation’s cyber maturity.

Some of the larger financial services organisations in the UAE are taking steps to build their security monitoring capabilities and to be ready to respond in the case of cyber-attacks. These programs and capabilities should be regularly tested to ensure that they operate in the right manner. Cyber security in the UAE is slowly moving away from a technology-focused option towards a more holistic cyber security program. However, emphasis should also be laid on the people and the processes around security. Security awareness is key to minimising the effectiveness of cyber threats. Security awareness should be improved not just for employees; significant programs should also be developed to enhance the security awareness of customers. Cyber security should be a priority topic on the board agenda, and adequate investment should be made to improve security programs.
