Rising Threats & Risk Management Challenges Impacting the Financial Services Industry


May 2023

In 2022, the insurance and finance industries were the second-most targeted sector by total number of cyberattacks: nearly 20% of all attacks were aimed at these industries. That is a lot of malicious cyber activity concentrated on one sector.

Given the volume of high-value transactions handled by insurance companies and financial firms, it's no surprise that malicious actors are stepping up their attacks. If attackers can circumvent security on first-party networks, or compromise the third-party services that facilitate these transactions, there's a lucrative pot at the end of their malicious rainbow. The downside for the victim is just as large: financial organizations stand to lose not only revenue but reputation, and they can ill afford either as market competition expands across digital services.

As a result, it's not enough for financial and insurance companies to rely on existing security tools and legacy risk management tactics and hope for the best. Staying ahead of a rapidly changing threat environment requires a proactive approach to managing both first- and third-party risks.

Risky Business: Current Challenges for Insurance and Financial Services

Why did infamous bank robber Willie Sutton target banks? “Because that’s where the money is.”

While the quote is likely made up, it's no less true: financial and insurance companies are under attack because they deal with substantial sums of money and data. If attackers can make their way into protected networks, they can exfiltrate and sell financial data online, or initiate the transfer of large sums into cryptocurrencies such as Bitcoin, where transfers are pseudonymous, irreversible, and, once the funds have been moved on, virtually impossible to recover.

For finance, ransomware remains a top challenge, and attack rates in the sector have been rising steadily. In 2020, 34% of finance firms reported a ransomware attack; in 2021, that number rose to 55%. Rates of ransom payment have also increased as the value of stolen data has grown. In 2020, just 25% of affected companies paid ransomware actors to release their data; a year later, 52% of organizations were paying up, even though paying offers no guarantee that the data will be recovered. Even more worrisome, much of the affected data was not encrypted: just 54% of financial firms encrypted their data, compared to a worldwide average of 65%.

Insurance companies are also at increased risk of cyberattacks. According to the Insurance Trends and 2023 Outlook Report from TransUnion, while the move to digital services can help improve the customer experience, it also creates greater opportunities for attackers — as the number of potential access points grows, it becomes harder for insurance companies to ensure data security. And with 43% of customers willing to abandon insurance applications and services they believe to be unsafe, risk management is a top priority for organizations.  

Dig deeper into how to protect your financial organization: How the Financial Services Industry is Leveraging Cyber Risk Intelligence to Combat Third-Party Vulnerabilities

Fostering First-Party Protection

When defending financial and insurance data, companies must consider both first- and third-party risks.

First-party risks stem from services and solutions that are hosted and maintained by organizations in-house. For example, many financial firms still rely on legacy software tools purpose-built to handle specific processes. The problem? Many of these tools were never designed to be reached from Internet-facing IoT services or mobile applications. While it's possible for companies to build bridges between new and existing tools, each bridge adds an interface that was never part of the legacy system's original threat model, and these connections become weak points that attackers can exploit.

On the insurance side, meanwhile, the storage of client policy, premium, and coverage data is often handled on-site to reduce the risk of compromise via third-party services. While this affords more direct control over data, it also comes with a potential problem: if attackers compromise storage systems without being detected, companies could find entire data stores copied and exfiltrated, or discover that critical data has been encrypted and held for ransom.

As a result, financial and insurance firms can't assume that data is safer simply because it is stored on-site. Instead, first-party risk management requires ongoing oversight to determine where companies are at risk, along with consistent cyber hygiene best practices to defend critical assets: encryption of data at rest and in transit, strong unique credentials that are rotated whenever compromise is suspected, and multi-factor authentication (MFA) on every account that can reach sensitive systems.

It's also important for companies to codify these first-party approaches. By creating consistent security documentation that applies to all staff, from front-line workers to managers and members of the C-suite, businesses can significantly reduce their first-party risk. For example, a policy requiring staff to report suspected phishing attempts immediately begins to eliminate the social advantage of these attacks. Why? Because attackers rely on the human compulsion to be helpful, especially when emails appear to come from legitimate senders. When reporting is non-negotiable, staff are far more likely to flag a suspicious message than to act on it, and the social engineering hook that leads to network compromise never sets.

Navigating Third-Party Risks

The growing use of third-party services such as cloud providers, digitally-connected suppliers, and even managed security solutions opens the door to increased risk.

For example, 2022 saw the compromise of 2 million Aflac life insurance and Zurich auto insurance records after a US subcontractor was breached. In the case of Aflac, the personal data of 1.3 million policyholders was leaked online, while over 750,000 current and former Zurich customers had their personal, policy, and vehicle data exposed.

Or consider the February 2022 attack on IRA Financial Trust, which saw the theft of $36 million in client assets after a third-party holding service, the Gemini Trust Company cryptocurrency exchange, was breached. While IRA sued Gemini, authorities never recovered clients' crypto assets.

The result is a landscape in which financial and insurance companies rely on third-party apps and services to keep pace with digital transformation, while those very apps put them at risk. As noted by a recent Veracode report, 97% of a typical Java application is now made up of third-party, open-source libraries, and 70% of applications contain a security flaw in at least one of those libraries.

This creates an opportunity for attackers. When companies pull in open-source components to reduce development time and get applications running ASAP, every library becomes a potential compromise point, and in many cases companies do not even maintain an inventory of what they are running, which makes a breach harder to detect, identify, and contain.
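The practical counter to the problem above is to inventory third-party components and check each one against published advisories before an attacker does. The script below is an added example, not code from the original article or from CyberGRX, ProcessUnity or Veracode: it parses the dependencies declared in a Maven pom.xml (Java being the ecosystem the Veracode figure describes) and flags any that fall inside a known-affected version range, using the half-open [introduced, fixed) ranges that the OSV advisory schema uses. The pom.xml, the component coordinates, the versions and the advisory IDs are all constructed for illustration and do not describe real software or real vulnerabilities.

```python
"""Inventory Maven dependencies and flag versions inside advisory ranges.

Added example. The manifest and advisory list are constructed; the
coordinates, versions and advisory IDs are hypothetical.
"""
import xml.etree.ElementTree as ET

# Constructed sample manifest (hypothetical coordinates and versions).
# The last dependency inherits its version from a parent/BOM, which a
# file-only audit cannot resolve offline.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.bank</groupId>
  <artifactId>payments-api</artifactId>
  <version>2.3.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example.json</groupId>
      <artifactId>json-parser</artifactId>
      <version>1.4.2</version>
    </dependency>
    <dependency>
      <groupId>org.example.logging</groupId>
      <artifactId>log-core</artifactId>
      <version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>org.example.web</groupId>
      <artifactId>http-client</artifactId>
      <version>5.1.0</version>
    </dependency>
    <dependency>
      <groupId>org.example.crypto</groupId>
      <artifactId>tls-utils</artifactId>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory feed (hypothetical IDs). Each entry covers the
# half-open range [introduced, fixed), as in the OSV schema's "ranges".
SAMPLE_ADVISORIES = [
    {"id": "EX-2021-0001", "group": "org.example.logging", "artifact": "log-core",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "EX-2022-0042", "group": "org.example.json", "artifact": "json-parser",
     "introduced": "1.0.0", "fixed": "1.4.0", "severity": "high"},
]

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Convert '2.14.1' into a tuple that compares numerically, not lexically.

    '2.0' pads to (2, 0, 0); a pre-release tag such as '1.4.2-beta' sorts
    below the final '1.4.2', so a beta is still inside a range fixed at 1.4.2.
    """
    core, _, tag = v.partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))
    return (tuple(nums), 0 if not tag else -1, tag)


def parse_dependencies(pom_xml):
    """Return [(groupId, artifactId, version-or-None), ...] from <dependencies>."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", MAVEN_NS):
        g = dep.findtext("m:groupId", namespaces=MAVEN_NS).strip()
        a = dep.findtext("m:artifactId", namespaces=MAVEN_NS).strip()
        v = dep.findtext("m:version", namespaces=MAVEN_NS)
        deps.append((g, a, v.strip() if v is not None else None))
    return deps


def audit(pom_xml, advisories):
    """Match each declared dependency against the advisory ranges.

    Returns findings in manifest order: one 'affected' entry per matching
    advisory, plus an 'unresolved' entry for any dependency whose version
    is inherited and so cannot be checked from the file alone.
    """
    findings = []
    for group, artifact, version in parse_dependencies(pom_xml):
        component = f"{group}:{artifact}"
        if version is None:
            findings.append({"component": component, "version": None,
                             "advisory": None, "status": "unresolved"})
            continue
        pv = parse_version(version)
        for adv in advisories:
            if (adv["group"], adv["artifact"]) != (group, artifact):
                continue
            if parse_version(adv["introduced"]) <= pv < parse_version(adv["fixed"]):
                findings.append({"component": component, "version": version,
                                 "advisory": adv["id"], "status": "affected",
                                 "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POM, SAMPLE_ADVISORIES):
        print(finding)
```

Run against the constructed manifest, the audit reports log-core 2.14.1 as affected by EX-2021-0001 (fixed in 2.15.0) and tls-utils as unresolved; json-parser 1.4.2 is clear because it sits at or above the fixed version. The unresolved case matters in practice: a dependency whose version comes from a parent POM or BOM is invisible to a file-only scan, so the real inventory must come from the resolved dependency tree or a generated SBOM, not from the manifest alone.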

The increasing risk of third-party breaches also makes it more difficult for insurance and finance firms to obtain cyber insurance. In 2021, the cost of cyber insurance premiums rose 91%, and while the rate increases slowed in 2022, there was still a 62% price jump. Cyber insurers are also taking the time to thoroughly review current security best practices — if companies aren’t addressing first- or third-party threats, they may be denied coverage. 

Investing in Effective Third-Party Defense

To better defend against third-party problems, insurance and financial firms need an effective third-party risk management (TPRM) strategy.

The challenge? While many companies understand TPRM's role in mitigating threats, many cannot effectively evaluate and respond to emerging ones. Here's why: traditional threat management approaches rely on historical data and point-in-time assessments. Together, these provide insight into what has already happened but offer little value when navigating new threats.

To address this issue, companies need TPRM tools capable of doing more than simply collecting data and providing descriptive analysis. Security teams need tools capable of proactively identifying which third parties represent the most significant threats based on their current security practices and offering actionable insight to help address security concerns before they become compromises.

In practice, this means investing in effective defense and finding a TPRM solution provider with the expertise and experience to help you shore up third-party defenses and arm you with the data you need to make confident risk decisions. 

On the Money: How Insurance and Financial Services Companies Can Reduce Total Risk

Given the sheer volume and variety of data now handled by finance and insurance firms, eliminating all risk isn’t an achievable (or practical) goal.

With the right approach, however, it is possible to reduce your third-party risk. By leveraging a risk management platform that helps pinpoint where control gaps exist and how threat actors are most likely to attack, you can embrace the benefits of digital transformation without putting client or company data at risk.

Time to invest in a more effective approach to TPRM? Book a demo with CyberGRX today.


About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.