Insurers are being targeted by cyber criminals, just as their customers are
Insurance companies sit on both sides of cyber security. Because they hold valuable personal information, they are themselves a prime target for cyber criminals and must have effective protection in place. At the same time, they can design and sell insurance that protects their customers from cyber risks and helps them cope with a possible attack. Vincent Van de Winckel asks Mauro Almeida, who is responsible for information security and cyber-security at everis Portugal, for his perspective on the issue.
Vincent Van de Winckel (VVdW): With regard to safeguarding their own activity, how should insurers proceed in order to be immune to cyber risks? What are the key processes to implement and monitor?
Mauro Almeida: Insurance companies generate millions of personal and sensitive data records from their customers, information that is critical to their business. Today, more than ever, all the management, control and custody of this information is on systems. Business is being completely digitized, as is all client interaction. The responsibility for information security, and cybersecurity, on the part of insurers gains added weight due to the quantity and criticality of the data that is processed and stored.
Unauthorized access to organizations’ confidential data, or its tampering, can lead to loss of confidence on the part of customers, reputational damage, loss of intellectual property or the imposition of fines for non-compliance with regulations or standards, with the consequent financial losses. It is therefore essential that insurers preventively implement, for example, technological solutions such as network segmentation, device monitoring, multi-factor authentication (MFA) mechanisms, data loss prevention, and data classification and information protection mechanisms.
However, in cybersecurity, there is no one-size-fits-all. The approach I advocate is to acquire solutions from the perspective of cyber-risk, with risk assessment as the cornerstone of a robust and holistic security strategy. This approach enables organizations to properly select the solutions to acquire, or implement, and ensures efficient use of the available budget and correct prioritization of investment, with the consequent reduction of cyber-risk.
VVdW: What is the level of awareness of organizations in Portugal regarding cyber risk? Is there a need for awareness campaigns? By whom?
Mauro Almeida: Cyber-risk is already a key theme on the top management agendas of organizations that effectively consider it an operational risk. That is, a risk with the potential to generate a negative and profound impact on the organization, be it reputational, financial or regulatory, or capable of causing a break in production.
However, although we are seeing increased awareness of cyber-risk among organizations, we also witness a considerable reduction in their confidence in their ability to manage it. This loss of confidence is often associated with the difficulty that companies have in understanding the likelihood, and priority, of the occurrence of these risks and how to act on them.
Another risk factor for organizations, which should not be neglected, is the fact that a large part of company employees are not aware of the issue and, therefore, do not take the necessary precautions. This risk increases with a higher level of remote work, since employees are no longer within the perimeter of the organization and begin to use their home networks to access confidential and sensitive information, or the assets of the organization. These personal networks do not have the same security controls as corporate networks and are yet another attack surface, uncontrolled by organizations.
Along with the adoption of some technological measures, it is essential to work on security from the perspective of training and raising awareness among employees. It is not enough to invest in the best services, acquire the best hardware and software and define internal processes if there is no investment in employees, who are really going to be at the forefront of the battle against cyber threats. It is wrong to think that users are the weakest link in organizations’ information security, when in fact they have the potential to be a company’s strongest element in protecting against security threats.