Cyber Resilience in the Insurance Sector: The Importance of Penetration Testing Within GRC Practices
As digitalization continues to advance, insurance companies are increasingly threatened by cyber-attacks. Because of the vast amounts of data they hold, insurance companies are natural targets for cybercriminals seeking to obtain sensitive data or disrupt operations. This data can include commercial, personal, financial, and medical records. Details of cyber insurance coverage are especially attractive to cybercriminals, as they can provide insights that help them target other companies or individuals more effectively. Furthermore, threats to disclose policyholders' data add a new layer of extortion to ransomware attacks, beyond the traditional focus on encrypting files and demanding a fee for their release.
The impact of a targeted cyber-attack on an insurance company can be significant. Data breaches and business disruption can compromise financial stability and cause serious reputational damage, not to mention regulatory and legal consequences that could entail eye-watering penalties. In contrast to other parts of the financial sector, the insurance sector is confronted with a dual threat.
On the one hand, earnings calls of insurers reflect a mounting concern within the industry itself; on the other hand, from an underwriting perspective, cyber-related claims are also escalating. Artificial intelligence is likely to soon produce increasingly sophisticated and automated forms of cyber assault. Despite the already increasing frequency and impact of cyber-attacks on financial entities, the full extent of malicious attempts is often underreported for reputational reasons, leaving the true scale and consequences of cybercrime unknown.
Nevertheless, the rising threat of cybercrime is clearly reflected in the regulatory authorities' increased focus on cyber security. This is highlighted by the European Supervisory Authorities EIOPA, ESMA and EBA in their report on the risks and vulnerabilities in the financial sector. As a result of their rising concerns, the authorities continue to develop corresponding compliance requirements for insurance companies. It is now mandatory for the insurance sector to make cyber protection an integral part of its governance, risk, and compliance systems, and penetration testing must be a key component of any cybersecurity strategy.
Cybersecurity and Compliance – Navigating a Growing Regulatory Space
Insurance companies are governed by the European Insurance and Occupational Pensions Authority (EIOPA) guidelines on cybersecurity for insurers, which emphasize the need for risk management, incident response planning, and data protection. Penetration testing, also known as a security review, is a critical component of all IT-related frameworks, including ISO 27001, NIST, and CIS. The EU General Data Protection Regulation (GDPR) approaches the subject from another angle, holding companies accountable for the security of protected data through the implementation of appropriate technical and organizational measures. On top of staying abreast of their own cyber vulnerabilities, insurance companies also have a responsibility under the Solvency II directive to ensure the adequate security of outsourced functions and third-party systems.
Companies that are already compliant with existing requirements have a clear advantage as regulations become more stringent. The Digital Operational Resilience Act (DORA) will come into force in January 2025. This act aims to establish a comprehensive regulatory framework for the digital operational resilience of financial entities, including insurance companies.
Penetration testing, commonly referred to as pentesting or ethical hacking, is a critical security assessment tool used to evaluate the security of computer systems, networks, and applications.
Penetration testing is a systematic and repeatable process for identifying and assessing cyber risks, thereby gaining the insights required to develop and prioritize suitable risk mitigation activities. This strengthens the company's resilience and ultimately reduces the risk of a successful cyber-attack. In addition to identifying and validating cyber risks, penetration tests also reveal the strengths of a system, allowing for a full risk assessment.
To conduct effective penetration testing, organizations should prioritize areas of high-risk exposure, such as internal and external corporate networks, central and mission-critical infrastructure services, cloud services, and mobile and web-based applications. Application security tests should focus on identifying and mapping vulnerabilities in designated and mission-critical applications, particularly those that are exposed to the internet and those developed in-house.
It is important to note that ethical hacking is not a one-time event but requires ongoing and systematic security work. Organizations must continually monitor their systems and networks for vulnerabilities, develop specific follow-up security measures, and ensure these are effectively implemented. Insurance companies that can demonstrate a commitment to cyber security can gain a competitive advantage over their peers, as this helps attract and retain customers who are increasingly concerned about the security of their personal and financial information.
At Advisense we have the expertise and experience to offer our clients a superior integrated approach to cybersecurity risk management.
We assist a range of companies in conducting comprehensive security reviews as a core component of our outsourced risk management function. Our dedicated team of in-house subject matter experts performs penetration tests using a variety of tools and techniques to simulate a real attack, tailored to your specific systems, resources and regulatory requirements.
From initial planning to ultimate implementation, we support you through the entire process. We assist you in defining the scope, level, and frequency of testing, while ensuring the entire process aligns with your overall risk management strategy. Our integrated approach provides cost-effective solutions, customized to meet your business requirements.
We also offer penetration testing as part of various freestanding offerings including:
- CISO as a Service – Outsourced Function.
- BCM Services – Business Continuity Management, Crisis Management, Incident Response Management and Disaster Recovery.
- Compliance – Review compliance with internal rules and external regulations.
- Internal Audit – Testing third party vendors’ compliance with ICT clauses in outsourcing agreements.