Cyber-attacks are a major concern to insurers following the recent Petya-WannaCry ransomware that crippled parts of the NHS and a number of major companies across the world.
Nearer home, Saint-Gobain and its subsidiary Glass Solutions, a major supplier to the insurance industry, suffered information downtime, supply chain disruption and a negative 220 million euro effect on first-half-year sales as a result of a cyber-attack. It is reasonable to suppose that insurers undertook robust enquiries into the IT security of all their approved suppliers.
According to a recently published article, just two per cent of UK businesses think that a large-scale attack will affect their operations for more than 10 days. In reality, a separate report reveals that actual recovery could take months or years. One of the main problems highlighted is that companies are using older versions of systems that are either not supported or not regularly updated with patches to secure against vulnerabilities that have been identified. It is these vulnerabilities that criminals' malware exploits in companies' systems, and it could be argued that they have been caused by a lack of resource and investment in IT.
In view of the complexities of the insurance industry's requirements, a new IT platform is a significant multi-million pound investment that involves many years of planning to implement. Hence, insurers are justifiably starting to lose sleep over an issue which will simply not go away. Many insurers have a long way to go to catch up with their suppliers.
At Auger, we recognised this some time ago, and as one of the insurance industry's leading drainage and water claims specialists, we have ensured we are at the cutting edge of IT security. Migrating to a private Cloud-based platform that is centrally managed vastly reduces the risk of falling victim to attacks such as Petya. Utilising desktop terminals which simply connect to a network and don't even have an operating system eliminates the need to maintain the security on a PC, allowing the focus to be primarily on the network. Centrally managed networks enable IT service providers to deploy updates in a simple and efficient manner and remove the risk of individual devices being overlooked. Having robust systems with regular backups, honeytraps and penetration tests is only one part of the solution.
It is essential to look at non-technical points of failure as well. What processes are in place to install updates? Do you have clearly defined roles and responsibilities for testing and launching enhancements? Does every member of staff understand their responsibility towards protecting the network? We all need to be vigilant, and we need to commit to investing not just in technology but in training for everyone. We've undertaken training with all of our staff to understand basic information security principles and the risk of opening emails with links and attachments from unknown senders, and more recently we've covered phishing attacks (malicious and often targeted attacks to obtain sensitive information via electronic communication).
The idea that IT is solely responsible for cyber security is a myth. Every one of us has a role to play. The other concern for insurers is the approved supplier’s delivery model. Although many insurers and adjusters look at the governance surrounding sub-contractors, few have fully considered the implications of the IT platforms and security of smaller local or regional suppliers employed by the main contractor. Unfortunately, it is most unlikely that this is the last we will hear about cyber security in the insurance industry.
Our team of insurance-related specialists at Auger is available to help with advice. Contact our team, tel 0151 630 5886 or email firstname.lastname@example.org.
Neil Wilks, Head of Technology and IT, Auger