Technology

Why insurers must be on the lookout for ever-opportunistic cyber attackers

By Paul Prudhomme, Head of Threat Intelligence Advisory at IntSights, a Rapid7 company

 

The insurance industry has long been a staple target for cyber attacks. Criminals go where the money is, and the sector represents one of the most direct ways to access key personal and financial data that can be used to net an illicit profit.

More recently, insurers have faced even greater risk exposure due to their provision of cyber insurance coverage, particularly when it comes to ransomware. The sector has also seen increased attention from state-sponsored actors seeking personal data to fuel other campaigns.

 

Why is the insurance sector such a popular target for cyber crime?

Threat actors regard the insurance industry as a valuable source of personally identifiable information (PII) which can be used for a variety of crimes, including identity theft, other types of fraud, and further cyber attacks.

Alongside insurance documentation itself, firms will also have digital copies of items such as passports, driver’s licenses and bank statements that have been used to verify the policy holder’s identity and address. Birth dates are also particularly valuable to criminals, alongside National Insurance numbers, Social Security numbers, and their various international equivalents.

In one prominent example, U.S. insurer Ryan Specialty Group had its employee email accounts breached in April 2021. Customer names, Social Security numbers, driver’s license and passport details, and financial account details were believed to be exposed as a result.

The depth of information held by insurers on behalf of policyholders is also useful to state-sponsored threat actors, providing a large amount of data for human intelligence (HUMINT) operations or signals intelligence (SIGINT) operations.

Insurers that provide cyber insurance also face an elevated threat level. Attackers may seek to compromise their network to unearth policy details and security standards as a way of creating more effective targeted attacks.

 

The rising threat of ransomware

In addition to data theft, insurers are also targets for ransomware attacks. Ransomware has swiftly risen to become one of the primary cyber threats for businesses in all industries today as an infection can rapidly cripple the organisation by encrypting key files and systems. Criminals are also increasingly coupling ransom demands with data theft, often threatening to leak sensitive information unless additional payment demands are met.

However, insurers that provide cyber policies may again face increased risk from organised cyber criminal gangs and state-backed actors. In one prominent example, the Asian component of global cyber insurer AXA was struck by the Avaddon ransomware last year very shortly after announcing that it would stop reimbursing new French customers that chose to pay ransom demands.

The group responsible may have been seeking to make an example of AXA, as its previous policy of covering ransom payments would make it more likely for victims to pay up to criminals.

 

Why most stolen data is destined for the dark web

Stolen data is a commodity item in the shadow economy maintained by cyber criminals. Datasets are readily bought and sold on hidden forums and marketplaces on the dark web, with individuals and groups often specialising in selling data rather than using it themselves.

In one example discovered by IntSights security researchers, a Chinese-speaking criminal going by “Rebecca” was selling access to records from Chinese auto insurance companies for $3 each. These records included PII such as names, addresses, and driver’s license numbers.

Threat actors will commonly purchase PII sets from different sources to help facilitate further data theft and fraud. The insurance sector is a favourite target here as automated quote tools can potentially be exploited into revealing more information about customers. Farmers Insurance Group, for example, revealed that in early 2021, attackers attempted to use previously stolen customer names, dates of birth, and street addresses to trick its automated car insurance tool into providing driver’s license numbers.

Criminal groups now often include the threat of data disclosure as part of ransomware attacks. Defiant organisations that refuse to pay up will be punished by having their data sold on the dark web, or sometimes dumped on publicly available open web platforms. The threat aims to pile additional pressure on the victim by creating a high-profile breach that will damage customer trust and attract the attention of compliance regulators.

 

How can insurance firms protect themselves and their customers?

All firms operating in the insurance sector should be aware that they represent a high priority target to threat actors ranging from opportunistic criminals to highly organised gangs and even state-sponsored groups. Securing the customer data in their care should be a top priority for all insurance firms.

Insurers need to consider the context of their data and how best to protect it. B2C security measures will be significantly different from B2B equivalents, for example, and different subsectors such as auto and health insurance will also have their own security threats and priorities.

Threat intelligence is the most important asset for attempting to understand and mitigate these risks. Having access to a range of data from open and closed web sources will help insurers to build a picture of threats arrayed against them and prioritise their security strategies accordingly.

This includes insight into general trends, such as new attack tactics, malware variants, and software vulnerabilities, and can also reveal direct threats to the organisation. For example, threat intelligence might uncover discussions in a dark web forum about targeting a specific insurer because of their ransomware pay-out policy, or due to an exploit in their automated customer service system.

Effective threat intelligence can also alert insurers to the fact they have been breached by discovering criminals arranging the sale of stolen data. While the firm will still suffer reputational and financial damage, this warning can give them a chance to get ahead of the crisis.

The cyber threat landscape has become increasingly hostile for the insurance sector in recent years. In order to have the best chance of protecting both themselves and their customers, insurance providers should look to implement threat intelligence to understand the context of their data and mitigate threats accordingly.

 

Business

When it comes to innovation, ignore your CEO and listen to your customer

By Alex Hammond, Partner, Airwalk

 

At its core, the 2008 financial crisis was a result of banks incorrectly managing risk, alongside regulators who were largely asleep at the wheel. As a result, regulators today are far more alert and apt to police industry developments. Likewise, bank leaders, wary of public perception and the fear of failure, are taking a cue from their risk, security and compliance teams and avoiding risk at all costs.

This environment has inadvertently slowed down the progress of innovation, with financial service providers (FSPs) using risk and regulation as an excuse not to innovate. In reality, regulation merely provides oversight and ensures guard rails are in place to protect the bank and its consumers. Halting innovation is therefore more likely to have the opposite effect, causing regulation headlines down the line as banks will not be able to provide data transparency when an inevitable failure occurs.

FSP IT leaders are generally aware of this risk, but with more hoops to jump through and added complexity, many opt to only pursue major digital transformations or ‘big-bang’ opportunities. In some ways this is a hangover from the era of on-premise technology, when it was safer and more cost effective to upgrade systems every five (or even 10!) years than to continually innovate.

This is what makes cloud technology, data process automation and product-led innovation such game-changers.

Cloud-enabled continuous innovation

When it comes to implementing a programme of ongoing innovation, cloud has completely transformed the process. For example, cloud service providers have off-the-shelf SaaS offerings that FSPs can use on a consumption model, test and see what happens. This eliminates the need to go out to market and procure a product or invest heavily in building their own. Utilising these services lets banks try new innovations at a significantly lower cost and a smaller scale, and allows them to throw things away with no regrets – something that is very difficult to do by themselves.

Furthermore, with access to cutting-edge technology and services, banks are no longer restricted to what they are capable of building internally. Continuous experiments and improvements are the gateway to innovation.

Technology to remove risk

Process automation also has an important role to play as it can remove a lot of risk in the innovation process. With automated processes and code there is much less room for manual error – the main culprit causing systems to fall over in the first place. By becoming technology-led and automating processes, delivery and operation, risk can be largely eliminated.

Establishing this baseline of components and processes in a stable and secure position puts you in a much better place to innovate and try new things. Without this foundation, the process of securing and testing will need to be repeated at the beginning and at every phase of any innovation process, making each iteration more complex and expensive.

A product-led proof of concept approach

FSPs must resolve their obsession with big-bang innovation to become more agile and iterative. Many organisations claim to do this, but their iterative development takes place internally prior to a large final release with no ongoing development. This may take months or years to bring to market – at which point the need may no longer even exist.

A clear opportunity to utilise proofs of concept and minimum viable products is being missed, but this is just not in FSPs’ psyche. The concept of generating the smallest possible development, testing it with the smallest number of customers and then scaling from there is just not the way these organisations currently operate. Yet introducing incremental innovations to a limited population allows banks to prove that it is something that people want. If not, it can be killed off before it eats up too much investment.

Instead, FSPs must become more product-led, where success is based upon customer outcomes. This means being more customer focused, understanding their problems and desires and then delivering solutions to these. These organisations rarely leverage customer inputs and developments are assumption-based. There is no emphasis on validating things before they are done. Ultimately, these organisations must focus on their customer rather than their senior executives or their opinions.

FSPs, like every other industry player, need to evolve and keep pace with consumer expectations as digital services evolve in other areas of their lives. Unfortunately, technology progress generally does not move forward as quickly in financial services. But by becoming cloud enabled, automated and product-led, banks can focus on incremental developments. In doing so, they become more agile and better able to drive forward innovation that is accepted by regulators and genuinely valued by customers.

Banking

Why traditional banks need to embrace the agility of fintech competitors

By Paul Higgins, EMEA Banking Lead, Mendix

 

Tech has long played a role in the finance space. The legacy applications running on mainframes at banks hold upwards of 50 years of business process and regulatory compliance evolution – that represents enormous complexity but also significant value in a highly regulated industry. However, that advantage of experience and stability is being outweighed by the faster innovation cycles and lower costs that cloud-native fintechs and neo banks enjoy.

Admittedly, fintechs have been hit hard in the current macroeconomic climate, with some valuations declining dramatically. But the long-term outlook is that fintechs in Europe continue to gain relevance. According to a McKinsey paper, at least one fintech ranks among the top five banking institutions in each of the seven largest European economies, as measured by GDP.

Given the accelerated demand for innovative business solutions geared to the digital-first economy, traditional banks cannot afford to lag behind the emerging crop of challenger banks and new fintech players. In addition, the standardization of services that we are seeing in the sector means that banks must find new ways to differentiate themselves from competitors.

What can the traditional finance players do to survive and thrive in this new world? The key lies in embracing the agility of their fintech competitors.

Fintech vs traditional banks

Fintechs often home in on a single-use case, adopting the latest technology to create a focused, best-of-breed product for customers. This innovation and laser-focus has led to the emergence of fintechs with multi-billion valuations, like Stripe, Klarna, and Revolut. Although offering different products, they share a common goal of providing a great experience to their customers and users – Stripe for merchants, Klarna for online retailers and their customers, and Revolut for retail banking – with no sign of a paper process anywhere. And they iterate and bring improvements to market at a rapid pace.

That poses a major challenge for traditional banks. The legacy applications they operate come from a bygone era where yearly release cycles were the norm – compared to the monthly, fortnightly, or even weekly release cycles common now. The business lines at traditional banks identify the trends and opportunities, but simply cannot react fast enough to capture the potential.

There is a real risk that without the agility to quickly bring new products to market, banks will continue losing customers, especially younger generations, to fintechs. An approach is clearly needed that provides flexibility across the business and application landscape, enabling them to integrate innovative technologies and match the pace of change we are witnessing.

Low-code application development increases agility

Adopting low-code across the enterprise has emerged as a crucial solution to meet the challenges posed by the digital-first economy. Low-code breaks down traditional silos of business and IT functions through its first and most important principle: model-driven development. Using a visual model to build an application gives both technical and business professionals a common language to discuss their goals and needs. As a result, cross-functional or fusion teams develop solutions that are relevant and powerful. Low-code also helps automate much of the application development, thus reducing errors and accelerating time-to-market and ROI.

Low-code application development unburdens IT

In full-code application landscapes, up to 7 of every 10 employees in IT are focused on tasks to “keep the lights on”, whether that’s incident and problem management, making small upgrades to applications, or rolling out patches and other bug-fixes. That leaves precious few developers to tackle the growing backlog of requests from the business lines.

By comparison, low-code drastically reduces the number of people required to maintain and operate applications. A major factor here is the model-driven development already mentioned. The combination of freeing up developers to actually work on building applications, and having those developers collaborate closely with business experts, has a significant compounding effect – resulting in higher business value in a shorter amount of time.

For instance, in the case of Rabobank, whose direct savings bank served more than 500,000 people, customers were not happy with the interface, leading them to leave the platform.

The IT landscape was complex, with different systems per country, and meeting shifting regulatory and compliance requirements was not easy. So, any upgrade would be a challenge. Using the Mendix low-code development platform, Rabobank reduced their IT costs for the direct bank by 50% while delivering a far superior customer experience. They streamlined their customer onboarding process and created web and native mobile versions of their savings portal, leading to fantastic scores in customer satisfaction and increased business.

Low-code application development provides a bright digital future

For years the banking and finance sector has been dominated by well-known brands. But according to a recent EY report, 37% of consumers now say that a fintech is their most-trusted financial services brand, compared with 33% who name a bank. Looking at younger generations, 51% of Gen Z and 49% of millennials named a fintech as their most-trusted financial brand – a sign of incumbent brands’ struggle for relevance with younger audiences. Players in the banking space who leverage new technologies, making their products, strategies, and services relevant to customers’ needs will lead the competition.

As the sector continues to evolve, allocating resources to increase innovation, agility, and efficiency should be a priority for banks. Low-code presents financial institutions with the opportunity to combine the strengths of an incumbent – the experience and expertise, and a user base most fintechs can only dream of – together with the agility of a start-up.

 
