Cybersecurity Gaps Persist in Insurance Industry: Report
======================================================
A recent report has highlighted concerns about cybersecurity practices within the insurance industry. While some companies are taking steps to protect themselves against cyber threats, others are falling short.
IT Audit Plans and Data Protection
Only 80% of insurance managers have an annual IT audit plan in place, a crucial step in identifying and addressing potential vulnerabilities. Furthermore, just 54% of insurance managers reported collecting, storing, or processing personally identifiable information (PII) on behalf of other entities, raising concerns about data protection.
Key Findings:
- 79% of insurance managers have not classified all of their data, leaving unclassified data exposed to unauthorized access.
- Only 84% of insurance managers encrypt critical data in transit and at rest, so the remainder fail to meet regulatory requirements.
- Just 85% of insurance managers have Data Loss Prevention (DLP) controls in place, a key measure to prevent data breaches.
- 8% of insurance managers have not undertaken third-party security risk assessments, leaving them exposed to risks introduced through their vendors.
Clear Roles and Responsibilities
The report highlights the importance of clear roles and responsibilities for each line of defence:
First Line of Defence: Insurance Managers
- Responsible for implementing cybersecurity measures, such as encrypting data and conducting regular threat intelligence reviews.
Second Line of Defence: IT Teams
- Provide technical expertise and oversight to ensure that cybersecurity controls are in place and functioning correctly.
Third Line of Defence: Independent Auditors
- Conduct regular assessments to identify vulnerabilities and ensure compliance with regulatory requirements.
Conclusion
While some insurance companies are taking steps to improve their cybersecurity posture, there is still much work to be done. The industry must prioritize the implementation of clear roles and responsibilities for each line of defence to ensure effective protection against cyber threats.
Recommendations:
- Establish an annual IT audit plan to identify vulnerabilities and assess compliance with regulatory requirements.
- Implement Data Loss Prevention (DLP) controls to prevent data breaches.
- Conduct regular threat intelligence reviews and vulnerability assessments.
- Develop a change management process so that only authorized changes are made to systems and data.
- Review and update the cyber risk policy annually.
By implementing these recommendations, insurance companies can reduce their risk of cyber attacks and protect sensitive customer information.