By Dinesh Nair, Chief Technology Officer, Novac Technology Solutions
Every industry has been a target of cyberattacks, and the insurance industry, with a plethora of sensitive data, is under constant threat from data breaches, resulting in a growing concern for the insurance sector.
The recent major data breach of the country’s major health insurance company involved over 31 million customers’ sensitive personal information being allegedly sold to hackers. The Insurance Regulatory and Development Authority of India (IRDAI) took measures to review its data security policies as more customers’ sensitive data was being available for open sale. This resulted in the regulator taking the best security measures, including regular audits and more, to safeguard said data.
But why is the BFSI Sector the most targeted?
The BFSI sector houses some of the most sensitive data, including card details, KYC information, and other data that can be sold to money launderers who may use it to open fake accounts. Although the BFSI sector is heavily guarded against such attacks, weak infrastructure, constant regulatory updates, third-party integrations, and other factors can allow hackers to bypass security measures by exploiting a single breach in the insurance industry chain. Over the past few years, the destruction of systems involved in this infrastructure has shaken several insurance giants. The ongoing trend of cybercrimes against the global insurance industry will cost them $9.5 trillion in 2024. (Source: Cybersecurityventures.com).
It is high time for insurance companies to anticipate the inevitable and strengthen their defenses in anticipation of potential attacks. Companies must take necessary long-term action and formulate sustainable security strategies now to reinforce their infrastructure against both known and unknown threats.
Expanding Horizons: New Ways to Strengthen Data Security
India’s transformative shift towards digitalisation has led to a surge in insurance companies rapidly scaling up and adopting emerging technologies such as Artificial Intelligence (AI) and Machine Learning (ML), to enable swift damage assessment, policy coverage verification, and more, elevating the quality of interactions across channels.
However, in most cases, companies may remain unaware of a breach until it is exposed on a public forum, resulting in significant damage to consumer trust and the perception of the company’s security—reputations that may have taken years to build can be undermined in an instant.
To combat these constant threats, insurance companies should establish a proactive course of action with the following four key strategies:
– Secure by Design and Default
– Secure Hosting
– Secure Usage
– Secure Business-as-Usual
Secure by Design and Default
Companies must conduct an in-depth analysis of business risks and exposure to identify loopholes where cyber risks may pose a threat. A step-by-step process can ensure effective risk transfer:
– Diagnose organisational capabilities regarding cybersecurity by utilising the standard cybersecurity frameworks issued by NIST (National Institute of Standards and Technology) or ISO Standards.
– Evaluate the financial impact of a data breach or network outage on the company by examining both frequency and severity.
– Conduct a thorough analysis of cyber risk by creating risk scenarios that simulate the potential magnitude and likelihood of an attack.
Additionally, companies can encourage their business vendors to adopt the principles of “Secure by Design and Default” when developing applications to manage cyber risks. This approach is part of the core business goals of product development, which is to secure the main systems and data. Secure-by-Default products are secure out of the box, requiring no additional configuration or cost, thus safeguarding users from common threats.
Secure Hosting
API security is achieved through strong authentication, input validation, and encryption, all of which should be regularly reviewed for vulnerabilities. To enhance API security, consider the following best practices:
– Always use an API Gateway
-Encrypt client-server connections
– Implement rigid authentication and authorisation, aiming for centralised authorisation management
– Utilise secure transport protocols such as HTTPS, SSL, or TLS
– Always validate and sanitise all inputs and outputs
– Monitor APIs and collect necessary audit logs
Secure Usage
Adopt Zero Trust Architecture
Implementing a Zero Trust model involves constantly verifying user identities and device access, ensuring that trust is not implicit within our network. Zero Trust is a proactive, integrated approach to security that emphasises understanding which business assets and processes are most critical to protect, thereby minimising the risk of data breaches. This can be achieved by adopting the following strategies:
Use Multifactor Authentication (MFA) to validate identities
Multifactor authentication should be implemented across all user accounts, including employees and third-party providers, to reduce credential-based attacks. MFA enhances security by making it more difficult for unauthorised users to access accounts, even if a device or password is compromised. Adaptive authentication solutions leveraging artificial intelligence (AI) and machine learning (ML) can analyse trends and identify suspicious activity during system access. These solutions monitor user activity over time, establish baseline profiles, and detect unusual behaviour.
Manage and validate devices as healthy
– Utilise telemetry to understand the current security state
– Enforce the principle of least privilege (POLP) access
– Implement software-defined micro-segmentation to protect data, workflows, and services
– Continuously monitor and analyse network traffic
– Regularly update security policies and procedures
Secure Business-as-usual
Secure Business-as-usual’ integrates security into everyday operations as part of business activities without disrupting workflows. This approach involves embedding security measures into product development, data handling, and system maintenance while ensuring productivity.
Key strategies for implementing Secure Business-as-usual include:
– Strengthening ransomware defences
– Comprehensive patch management
– Monitoring insider threats
– Data encryption
– Vendor risk management
– Incident response plan (IRP)
– Regular penetration testing
– Backup and disaster recovery
– Data minimisation and retention policies
– Phishing and social engineering awareness
– Continuous monitoring and threat intelligence
The time to prepare is now. Data breaches and cyber-attacks are among the most significant risks insurers face as they serve billions of customers. With the increasing integration of advanced technologies in the insurance sector, companies must shift their focus from reactive to proactive security measures. By adopting the strategies discussed above, insurance companies can safeguard sensitive data, maintain consumer trust, and ensure business continuity in an ever-evolving digital landscape.
