North American insurance companies are taking risks from cyberattacks very seriously these days and include them among the top board-level priorities, according to a recent survey conducted by Moody’s Investors Service.
Property and casualty, reinsurance, life and health insurance firms are significantly ramping up their governance, oversight and investments in cybersecurity, including “…more formalized reporting to executive management and their boards,” the ratings agency said. “Among survey respondents, essentially all maintain incident response plans for multiple cyberintrusion scenarios, and most insurers test their vulnerability to these annually,” Moody’s Senior Vice President Alan Murray said. “Cyberattacks can have serious tangible consequences for insurers, exposing them to legal actions, regulatory scrutiny, fines and other expenses,” he said. “In addition, an insurer’s reputation is at stake.”
(See NACM’s eNews on a recent report from financial messaging provider SWIFT about how to mitigate the fraud risk associated with suspicious financial transactions.)
The insurers’ cybersecurity plans often list responses to attacks that will minimize damages, and most firms also conduct security testing by having people attempt to breach their systems at potential weak points, Moody’s said. The insurance companies surveyed also said they use threat intelligence services and tools to both prevent and deter attacks.
The companies have increased their cybersecurity staffing by almost 30% during the past three years, as they’ve also increased their outsourcing efforts to rein in costs and keep up with the latest in cybersecurity tools and methods, the ratings agency said. About two-thirds of those polled said they increased outsourcing and employed a median of 10 cybersecurity vendors that provide a wide variety of services.
“However, vendor reliance also has potential risks,” Moody’s said. “For instance, a vendor may not provide flexibility and responsiveness in all scenarios, and/or products and services of vendors may not align with an insurer’s particular business models.”
– Nicholas Stern, editorial associate