How Insurance Carriers Must Secure Their Digital Ecosystems

Cyber threats are constantly evolving, so it’s vital for insurers and their partners to monitor new threats and work together to mitigate ecosystem cybersecurity risks.

(Image credit: Shutterstock.)

The complex networks of stakeholders called digital ecosystems are an essential part of the insurance landscape today. Some 84 percent of insurance executives say ecosystems are critical to their strategy, and McKinsey forecasts ecosystems will account for 30 percent of global insurance revenues by 2025.

While ecosystems provide insurers with tremendous opportunities for growth, they pose thorny cybersecurity risks.

With 123 billion active IoT device endpoints in the world today, evolving cyberattacks, pose a severe threat to the insurance industry’s digital ecosystems. Gartner predicts that by the end of 2022, application programming interface (API) attacks will become the most-frequent attack vector, causing data breaches for enterprise web applications.

Common cybersecurity challenges in a digital ecosystem include:

  • Lack of control and visibility across assets stored in the cloud and application components.
  • Digital ecosystems, particularly microservices, expose new entry points to internal and external actors.
  • Data generated in microservices architectures moves, changes, and is constantly interacted with. As a result, data breaches can occur regardless of the communication channel’s exposure, and cybercriminals can take advantage of vulnerabilities.

Here’s how insurers can secure their digital ecosystems:

Ecosystem Partners Must Rethink Security, Work as Team

The most successful cybercriminals work together, and insurers need to do the same with their partners, third-party vendors, and competitors. To be resilient, organizations must rethink their approaches to security in a way that defends not just themselves but their entire ecosystems, including partners. Open-source security is enabled by the voluntary collaboration of software developers and security teams. Multiple parties need to keep track of data on threats and other cybersecurity events they’ve witnessed. Insurers must then be transparent with each other and share the knowledge they’ve obtained to identify threats.

Additionally, insurers and their vendors can open-source security tools to receive feedback from their partners and make their in-house protections available to others. With cooperation, they can create a universal cybersecurity defense for their ecosystems.

Invest in Early Detection

Early detection of cybersecurity breaches is crucial in an open-source digital ecosystem. Otherwise, a cyber-attack can sit undetected for weeks. Efficient and quick detection and response will help determine the source of the attack, the systems targeted, its extent, and cause. Then, the threat can be neutralized before damage is done.

Security information event management (SIEM) software can help companies detect potential security threats across a company’s network before impacting business operations.

Data from applications, cloud environments, and networks can be gathered and analyzed as soon as it’s captured. This allows security and IT teams to automatically manage their network’s event logs and network flow data in one location.

Assume Everyone’s a Threat: Zero-Trust Security

Zero-trust architecture is a broad framework that protects an organization’s most valuable assets. It assumes that every connection and endpoint is considered a threat.  It helps secure the protected surface of an organization’s data, assets, applications, and services. The framework protects against these threats, whether external or internal, even for those connections already inside.

Today, 60 percent of organizations in North America are currently working on zero-trust projects, and roughly 50% of insurance and finance companies say zero-trust security models are a top priority for their business.

Additionally, a zero-trust security model examines if the connection adheres to the organization’s security policies and practices. Access restrictions enable users to obtain only the information they need and nothing more.

Insurers that still use legacy systems may struggle to implement and sustain a zero-trust security model. This model must control user access and allow constant dynamic verification and authentication at all times. Older applications may not provide this level of validation, authentication, and continuous surveillance, making it impossible to implement this type of security model.

Invest in Thorough Authentication Protocols

Insurance companies looking to implement a zero-trust security model need to continually invest in technology that limits opportunities for potential attackers. Tactical solutions such as Privileged Access Management (PAM) SaaS can help insurers restrict the number of attack surfaces cybercriminals can exploit. In addition, it can also prevent the harm caused by external or insider attacks.

Credentials must be validated before a privileged user can enter a system, and policies are often made to limit the user’s actions. In addition, its security tools use powerful automation and user-friendly features to create privileged access programs and zero-trust security frameworks.

Segment Data

Data segmentation is imperative. It ensures that customer and company data and other resources cannot be accessed by default and users can only obtain the data briefly, in the proper context.

Segmenting individuals and their time on network servers effectively increases visibility and security in a digital ecosystem.

Implementing distributed resource protection mechanisms (DRPM) is an effective approach. DPRM obtains client or partner profiles and provides capability tokens if deemed eligible.

It’s critical to enable time limits and short-life capability tokens to limit how long a user can access resources. Additionally, as trust between users and resource providers increases over time, resource providers can grant select users longer timestamp validity.

Stress Test Frequently

A stress test subjects an application, system, or software to severe conditions to determine where vulnerabilities in your defenses lie.  You can then plug the gaps before cybercriminals can access your company’s or partner’s network.

A study by IBM says organizations that formed incident response (IR) teams and stress-tested their IR plans saw their data breaches cost $2.46 million less than organizations without an IR team or tested IR plan.

There are many ways insurers can do a stress test.

For instance, some companies hire outside investigators to try and break in or expose vulnerabilities in their computer systems and networks. For example, First American Bank pays outside investigators roughly $10,000 a year to try to hack into their network systems.

The most effective way to pressure-test security is a real-world simulation. It will show how your team would react when faced with a significant cyber threat.

Vet Ecosystem Partners Upfront

Accenture finds that 97 percent of insurers believe they have what it takes to be an attractive ecosystem partner. However, only 26 percent of insurers believe that their ecosystem partners are working as diligently as they are to improve their security resilience.

Insurers must conduct a security review or audit of potential partners before embedding them into their ecosystem.

As insurance companies grow their digital ecosystems with third-party vendors (e.g., software-as-a-service, cloud service providers), they must choose service providers with strict data-handling procedures and strong cybersecurity credentials.

Look for Service Organization Control 2 Certification

Developed by the American Institute of CPAs (AICPA), SOC 2 certification is an industry-standard auditing procedure and internal controls report that ensures service providers uphold specific standards when handling customer data.

To obtain a SOC 2 certification, a vendor must pass a strict audit to show it complies with IT security compliance requirements.   The auditors examine the effectiveness of policies and systems on data security, processing integrity, confidentiality, and customer information privacy.

Act Now!

Despite the risks associated with trusting vendors with customer data, transaction information, and other assets within a digital ecosystem, the benefits of these systems ensure they are here to stay.

Cyber threats are constantly evolving—it’s essential for insurers and their partners to monitor new threats and work together to mitigate ecosystem cybersecurity risks.  The time to start is now.

The Big Bets MassMutual Has Made to Disrupt Life Insurance Distribution


Michael J. de Waal //

Mike de Waal, SVP at Majesco and Founder of Global IQX , is an award-winning, results-driven, and experienced leader with a passion for innovation, technology, and the employee benefits industry.

Leave a Comment