Insurers Must Learn “Self-Defense”
Studies have shown that cybercriminals have moved from targeting individuals to businesses, as the data these organisations possess are more valuable.
Studies have shown that cybercriminals have moved from targeting individuals to businesses, as the data these organisations possess are more valuable. While cyber insurance is one way to react to the problem, insurers must be adequately protected themselves in order to serve their clients.
In the wake of the recent WannaCry malware that infected hundreds of thousands of computers worldwide, even insurers are not spared from attacks.
Insurance Business spoke with Eyal Wachsman, CEO of Israel-based cyber security firm Cymulate. Founded in 2016 by former Israeli Defense Forces intelligence officers and experienced cyber researchers, the firm has developed a cyber breach and attack simulation platform that can benefit insurers by screening the cybersecurity status of organisations that approach them for cyber cover, as well as assessing the insurer’s own cyber security defences.
Wachsman said: “The value from such technology is that insurers are able to know within a few hours if they should provide coverage to an applicant based on demonstrated risk, how much coverage to provide the applicant without putting insurers at risk, and how much in premiums to charge based on an accepted risk score provided after the assessment.”
According to Wachsman, insurers rely mostly on self-reported questionnaires and third-party onsite inspections, which are costly and time-consuming. He also noted the lack of specialised and qualified personnel to perform cyber risk assessments for applicants.
He shared the case of Clal Insurance, a leading provider of life and non-life insurance in Israel. Clal has over 4,000 employees and 2,000 agents, giving cyber criminals numerous points of entry for phishing scams and malware. In May 2017, as WannaCry struck numerous systems across 150 countries, Clal was mostly spared from the attack. The Cymulate platform was able to assess its technology infrastructure and, within 24 hours, senior management was made aware that the insurer was “immune” to WannaCry.
“First of all, understand the risks relevant to your organisation and secure the organisation by utilising leading security solutions; recruiting security professionals to manage and monitor; and testing their security posture constantly,” advised Wachsman.
He placed importance on email security, as this is one of the more common ways an unwitting employee could fall for a phishing scam, opening the gates to a massive data breach or malware infection that could wreak havoc in the company’s network.
“We see a rise in the use of ransomware attacks specifically in the email vector – sometimes there are new types and sometimes variants of ones previously used,” Wachsman said. “These attacks will aim for specific targets and a sporadic large number of worldwide targets.”