Nearer home, Saint Gobain and its subsidiary Glass Solutions, a major supplier to the insurance industry, suffered information downtime, supply chain disruption and a €220m dent in first-half year sales as a result of a cyber-attack.
It is reasonable to suppose that insurers undertook robust enquiries into the IT security of all their approved suppliers.
In a recently published article, just 2% of UK businesses think that a large-scale attack will affect their operations for more than 10 days. In reality, a separate report reveals that actual recovery time could take months or years.
One of the main problems highlighted is that companies are using older versions of systems that are either not supported or not regularly updated with patches to secure against vulnerabilities that have been identified.
It is these vulnerabilities, which it could be argued have been caused by a lack of resource and investment in IT, that the criminal’s malware exploits.
In view of the complexities of the insurance industry’s requirements, new IT platforms are a significant multimillion pound investment involving many years of planning to implement. Hence, insurers are justifiably starting to lose sleep over an issue that will simply not go away.
Migrating to a private cloud-based platform that is centrally managed vastly reduces the risk of falling victim to attacks such as Petya
Many insurers have a long way to catch up with their supplier. At Auger, for example, we recognised this some time ago, and as one of the insurance industry’s leading drainage and water claims specialists, we have ensured we are protected in terms of IT security.
Migrating to a private cloud-based platform that is centrally managed vastly reduces the risk of falling victim to attacks such as Petya.
Using desktop terminals which simply connect to a network and don’t even have an operating system eliminates the need to maintain security on a PC, allowing the focus to be primarily on the network. Centrally managed networks enable IT service providers to deploy updates in a simple and efficient manner and remove the risk of individual devices being overlooked.
Having robust systems with regular backups, honeytraps and penetration tests is only one part of the solution. It is essential to look at non-technical points of failure as well.
What processes are in place to install updates, do you have clearly defined roles and responsibilities for testing and launching enhancements? Does every member of staff understand their responsibility for protecting the network?
We all need to be vigilant, and we need to commit to investing not just in technology but in training for everyone.
We’ve undertaken training with all of our staff to understand basic information security principles, the risk of opening emails with links and attachments from unknown senders and, more recently, phishing attacks (malicious and often targeted attacks to obtain sensitive information via electronic communication).
The idea that IT is solely responsible for cyber-security is a myth. Every one of us has a role to play.
The other concern for insurers is the approved supplier’s delivery model. Although many insurers and adjusters look at the governance surrounding sub-contractors, few have fully considered the implications of the IT platforms and security of smaller local or regional suppliers employed by the main contractor.
Unfortunately, it is most unlikely that this is the last we’ll hear about cyber-security in the insurance industry.
