In my previous blog, I looked at the details from Accenture’s 2019 “Cost of Cybercrime” report from a banking and capital markets perspective. Now let’s do the same from the standpoint of the insurance industry.
The insurance story is somewhat more complex. On the upside, insurers are confident in their cyber controls. On the other hand:
- Cyberattack costs have risen. On average, cyberattacks cost insurers $15.76 million to address, up 4.7% from last year and above the cross-industry average of $13 million.
- It takes too long to recover. Relative to banks, insurers are making slower progress in cutting the number of days needed to resolve a typical attack. A malicious insider attack (less common than malware or web-based incidents) takes the longest to resolve, at 58.4 days, followed by malicious code at 48.5 days. (See Figure 1.)
- Spending on recovery is low. Only 12% of insurers’ internal cybersecurity budget is being allocated to recovery activities. The largest category of spend (35%) is on containment. While it’s certainly a good thing to limit damage from a breach, it’s also important to return to normal operations as quickly as possible.
Figure 1: Malicious insider and malicious code attacks take the longest to resolve
Value at risk? Bigger than you might think
Based upon an economic model developed for the Accenture study, we have identified the economic value (expected cost savings and additional revenue opportunities) over the next five years that is at risk from cyberattacks. In the insurance sector, the average annual revenue opportunity at risk is $949 million, behind only high-tech, health and the life sciences. Over five years, that adds up to $4.7 billion at risk.
This “value at risk” assessment is new to this year’s report and we’ll be interested in tracking trendlines in the coming years to put those value numbers in a larger context.
Although insurers are confident in their cyber defense capabilities, our research found that they are actually in a more vulnerable position than their banking and capital markets counterparts in the long term. Cybercriminals have worked out how to monetize the data they access through encryption and extortion. They no longer need to steal money directly (for example, from a bank) or even exfiltrate the data; they just need to hold it to ransom. Our study reveals some cracks in insurance firms' security efforts, and attackers will inevitably gravitate toward the weaker targets.
Seizing the technology opportunity
The number and sophistication of cyberattacks are increasing and are likely to get worse. Advanced technologies are likely to play important roles in the future of both cyberattacks and cyber resilience in insurance. For example, almost all insurers surveyed (98%) deploy security intelligence technologies such as threat intelligence from FS-ISAC (Financial Services Information Sharing and Analysis Center) or vulnerability scores to help prioritize patching. Yet, only 27% of insurers are investing in automation, artificial intelligence (AI) and machine learning. Just 29% are investing in cyber analytics and user behavior analytics (UBA). (See Figure 2.)
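As an added illustration of the patch-prioritization use of vulnerability scores mentioned above (example code, not part of the original post and not any vendor's product), the following Python ranks a constructed patch backlog by combining each finding's CVSS base score with a constructed threat-intelligence feed of CVEs reported as exploited in the wild, plus the asset's exposure and business tier. The CVE identifiers, hostnames, weights and deadline bands are all hypothetical placeholders.

```python
"""Rank a patch backlog using vulnerability scores plus threat intelligence.

Added example. All identifiers, hosts, weights and deadlines below are
constructed for illustration; CVE-0000-* is not a valid CVE year and
matches no real advisory.
"""
from dataclasses import dataclass

# Hypothetical scoring weights (assumptions, not from any standard).
EXPLOITED_BONUS = 5.0          # known in-the-wild exploitation
INTERNET_FACING_BONUS = 2.0    # reachable from the internet
TIER_BONUS = {1: 3.0, 2: 1.5, 3: 0.0}   # 1 = most critical business system


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    internet_facing: bool
    asset_tier: int


@dataclass(frozen=True)
class RankedFinding:
    finding: Finding
    score: float
    deadline_days: int


def parse_exploited_feed(text: str) -> set[str]:
    """Parse a constructed CSV feed of 'cve_id,status' lines.

    Blank lines and '#' comments are skipped; only rows whose status is
    'exploited' are returned. Format is hypothetical, not FS-ISAC's.
    """
    exploited = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cve, status = (part.strip() for part in line.split(",", 1))
        if status.lower() == "exploited":
            exploited.add(cve.upper())
    return exploited


def priority(f: Finding, exploited: set[str]) -> float:
    """Additive priority score; rejects malformed input instead of mis-ranking it."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.cve}: CVSS out of range: {f.cvss}")
    if f.asset_tier not in TIER_BONUS:
        raise ValueError(f"{f.cve}: unknown asset tier {f.asset_tier}")
    score = f.cvss
    if f.cve.upper() in exploited:
        score += EXPLOITED_BONUS
    if f.internet_facing:
        score += INTERNET_FACING_BONUS
    score += TIER_BONUS[f.asset_tier]
    return round(score, 1)


def patch_deadline_days(score: float) -> int:
    """Map a priority score to a hypothetical remediation SLA in days."""
    if score >= 15.0:
        return 3
    if score >= 10.0:
        return 14
    return 30


def rank_backlog(findings: list[Finding], exploited: set[str]) -> list[RankedFinding]:
    """Return findings ordered from most to least urgent, with deadlines."""
    ranked = [
        RankedFinding(f, s, patch_deadline_days(s))
        for f in findings
        for s in (priority(f, exploited),)
    ]
    return sorted(ranked, key=lambda r: r.score, reverse=True)


# Constructed threat-intel feed (hypothetical format and identifiers).
SAMPLE_FEED = """\
# cve_id,status
CVE-0000-0001,exploited
CVE-0000-0002,proof-of-concept
cve-0000-0003,EXPLOITED
"""

# Constructed backlog: note the 9.8 on an internal database versus the
# actively exploited 6.1 on an internet-facing portal.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 7.5, True, 1),
    Finding("db-02", "CVE-0000-0002", 9.8, False, 1),
    Finding("hr-portal", "CVE-0000-0003", 6.1, True, 2),
    Finding("lab-07", "CVE-0000-0004", 9.1, False, 3),
]

if __name__ == "__main__":
    for r in rank_backlog(SAMPLE_FINDINGS, parse_exploited_feed(SAMPLE_FEED)):
        print(f"{r.finding.host:10} {r.finding.cve} score={r.score:5.1f} "
              f"patch within {r.deadline_days} days")
```

With these weights the actively exploited 6.1 on the exposed HR portal outranks the unexploited 9.8 on the internal database, which is the point of feeding threat intelligence into the ranking rather than patching strictly by base score.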
Why is this the case? In part because these advanced technologies are earlier in the typical innovation adoption lifecycle. Many companies are reluctant to be innovators or early adopters and are more content to follow only when the solutions are more proven.
Another factor, however, is that advanced solutions should be built on a solid foundation of the basics—perimeter control, strong authentication, asset management and patching, security operations and monitoring, incident response, recovery, etc. By analogy, you don’t want to install an expensive, state-of-the-art steel door on your house if criminals can just break in through poorly secured windows.
Insurers ultimately have little choice, however, but to pursue greater sophistication in automation and AI. These are similar to the technologies cyber criminals use to mount threats such as Distributed Denial of Service (DDoS) attacks at scale. If insurance companies don't keep up with the latest tools, they will be more exposed to cyber risks and attacks.
Figure 2: Relatively small percentages of insurers are investing in advanced technologies such as AI and cyber analytics
Be guided by the potential rate of return of your technology investments
A paradox at the heart of technology spending is that insurers are often underinvesting in the technologies with the highest return on investment (ROI). For example, according to our estimates, automation, AI and machine learning have a 17.9% ROI, while cyber analytics and UBA return 14.4%.
Insurers should expand their deployment of those high-ROI technologies and rein in spending on technologies like advanced perimeter control (72% deployment with an ROI of just 11.3%) and extensive use of data loss prevention (58% deployment with an ROI of 12.7%). In many cases, investment is being directed to capabilities that deliver less, partly because companies must get the basics right before higher-order tools can pay off.
Conclusion: Renewing your defenses
It is critical that insurance companies build a solid base and then invest in applying the breakthrough technologies that cyber criminals are increasingly using themselves. For example, automated orchestration lets security teams respond in near-real time, and machine learning is replacing manual access reviews, finally making it practical to clean up access management.
It is also important to remember that none of these approaches is valid unless you pressure-test your cyber defenses by mimicking the actions of attackers. Enhance conventional red team attacks and blue team defense testing through things like coached incident simulation, threat intelligence and experienced player-coaches.
About Accenture’s “Cost of Cybercrime” study
Accenture’s “Cost of Cybercrime” study, conducted by the Ponemon Institute, LLC on behalf of Accenture, analyzes a variety of costs associated with cyberattacks: damage to IT infrastructure, economic cyber espionage, business disruption, exfiltration of intellectual property and revenue losses. Data was collected from 2,647 interviews conducted over a seven-month period with a benchmark sample of 355 organizations in 11 countries. The financial services industry data was collected from 537 interviews with a benchmark sample of 72 financial services companies in Australia, Brazil, Canada, France, Germany, Italy, Japan, Singapore, Spain, the UK and the U.S.