Insurance Industry. Strengthen Cyber Resilience Now!

Cyber Risk as a Business Risk


The recent cyberattack on an Australian health insurer’s patient data has made global headlines. The release on a dark web forum of personal data, including names, addresses, dates of birth, phone numbers, email addresses, and the treatment patients received for personal health issues, has once again put the spotlight on the cyber vulnerabilities in the sector. However, this is not an isolated incident. The number of cyberattacks on insurers in the past couple of years has increased significantly. A survey conducted by the Financial Services Information Sharing and Analysis Center (FS-ISAC) among financial institutions found that insurers are among the top affected sectors.

Digitization, Data, and More—Insurance Faces Unique Cyber Challenges

Companies in the insurance industry are moving toward greater digitization in an effort to create seamless customer relationships. Like the rest of the financial services industry, insurance consumers demand services 24/7/365 via smartphone apps. To provide this real-time experience, companies are increasing investments in IT systems and platforms that can provide myriad services from online policy applications to web- and mobile-based apps for filing claims. However, these new digital capabilities bring new cyber risks that companies are often not equipped to deal with.

Insurance companies collect massive amounts of both structured and unstructured data. It’s necessary for coverage, to analyze fraud, and more. The huge volumes of data generated by the insurance industry have, however, made the industry attractive to cybercriminals. Insurance companies store highly sensitive personal data including Personally Identifiable Information (PII) such as Social Security Numbers (SSN), bank account or digital wallet details, health records, phone numbers, and addresses. In the case of health insurance companies, Personal Health Information (PHI) is also at stake. And insurers are more likely to pay the ransom if attacked, as seen in numerous cases in the past.

Cyber attacks and breaches can result in an insurance company facing significant and far-reaching damages. These range from material damages such as fines, legal costs, and fraud monitoring costs, which add to the ‘cost per record’, to loss of customer trust, operational disruption, and devaluation of brand name, which contribute to the hidden ‘below the surface costs’. Loss of reputation can be especially damaging when it comes to insurance, as the entire business is based on trust.

Making Cyber Resilience a Priority

The insurance industry is better placed than any other industry to understand risk. In fact, risk-averse enterprises across all markets transfer a portion of their cyber risks to insurance companies to minimize their exposure in the case of a significant cyberattack.

This deep understanding of risk within this sector should be channeled by insurance companies to make informed decisions about how much cyber risk to avoid, mitigate, transfer to another insurance company, or simply accept. For example, cyber risk management should include both technology and policy. Leaving a database exposed in the cloud because of an unclear policy will undermine any sophisticated access control or perimeter protection technology. Similarly, user training is equally critical. Most importantly, cybersecurity must be embedded in new software and applications when launched, as the common practice of choosing to patch up legacy systems opens up cyber vulnerabilities.

Manage and Mitigate Cyber Risk with MetricStream

To combat these unique challenges, insurance companies will need to move from manual, point-in-time cyber risk assessments to a robust cyber risk program that leverages technologies such as AI and automation, which can process and analyze large amounts of data. Additionally, Continuous Control Monitoring (CCM) and automation are essential because of their ability to work all the time and to identify and flag anomalies.

MetricStream’s ConnectedGRC provides insurance companies with an integrated solution on a single platform. Purpose-built to manage, measure, and monitor cyber, risk, and compliance demands for the insurance industry in real time, the platform is powered by AI, enabling the capture, assessment, and processing of diverse, complex, and voluminous risk and data at scale across your entire organization. This enables you to:

  • Gain a single view of your risks with a centralized library of risks, controls, regulations, policies, and issue management to drive risk intelligence and actionability
  • Actively monitor and adapt to applicable regulatory changes from around the world
  • Map policies to regulations, and ensure employee and third-party attestation

Proactively manage cyber risk and build cyber resilience with MetricStream CyberGRC by:

  • Reducing the risk of breaches with active risk management
  • Prioritizing cyber risks and measuring risk exposure with quantification
  • Leveraging automation for greater efficiency
  • Continuously monitoring controls and processes for improved compliance and security
  • Gaining a single view of your cyber risk

Want to learn more about how MetricStream can help your insurance company build resilience by leveraging award-winning AI, analytics, and automation technologies? Request a demo now.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.