While the benchmarking study verified that the insurance industry is one of the most mature in implementing the National Institute of Standards and Technology at the U.S. Department of Commerce framework, now is the time to implement risk-based strategies to strengthen security posture that extends beyond meeting minimum-security requirements and adhering to compliance regulations.
2021 saw the most vulnerabilities ever reported in a single year as the threat landscape continued to expand and evolve, impacting various industries and sectors. Insurance organizations are a desirable target for threat actors as they possess substantial amounts of confidential policyholder data, especially as they continue to embrace innovation and digital transformation.
To keep up with the rapid evolution of the threat landscape, insurance companies must adopt a risk-based approach to their cybersecurity strategy to identify their exposure to potential cyberattacks and make informed decisions about proactively mitigating risks. By adopting a modern risk-based approach, insurance companies can understand their actual exposure to a cyberattack and focus remediation efforts accordingly, saving valuable resources by accurately identifying the most dangerous vulnerabilities.
Risk management pros
The insurance industry is no stranger to risk management. With many major firms now providing cyber insurance, these organizations should be acutely in tune with the implications of cyberattacks and data breaches and understand the importance of proactive approaches to handling risk.
The insurance industry prioritizes the safety of its customers’ data through standards like the Payment Card Industry Data Security Standard (PCI DSS), a set of security guidelines aimed at securing credit and debit card transactions against data theft and fraud. While compliance with standards such as PCI DSS is critical to insurance organizations, given that they store personal identifiable information for millions of customers, it does not equate to being low risk when it comes to cyber threats.
A recent survey found that only 25% of insurance organizations said quantitative analysis is crucial for setting cybersecurity plans, indicating many institutions still follow a check-the-box compliance mentality. Insurance organizations must move beyond compliance to decrease the likelihood of breaches by identifying where true exposure and business risk hide.
Moving toward a risk-based approach
Today’s threat landscape demands insurance organizations adopt risk-based strategies that ensure the success of vulnerability management and compliance. Organizations can identify, measure, prioritize, and manage all risks through this approach while adhering to regulatory requirements.
While there are many components to a risk-based cybersecurity strategy, insurance organizations should prioritize three essential aspects for successful implementation:
- Risk scoring and quantification: Cyber risk scoring provides an objective measurement for evaluating security posture that considers a wide range of risk factors, including the financial impact of a critical asset going offline. Through risk scoring, organizations can quantify how much it could cost the business per day if adversaries compromise their systems.
- Vulnerability prioritization: To prevent breaches, vulnerability prioritization automatically considers threat intelligence, asset context, and attack path analysis. Organizations with complex environments and limited resources can target their effort where it matters by prioritizing and mitigating vulnerabilities that pose the most significant risk.
- Exposure Analysis: Exposure analysis identifies exploitable vulnerabilities and correlates data with an organization’s network configurations and security controls to determine if a system is vulnerable to cyberattacks. This strategy determines which attack vectors or network paths could be used to access vulnerable systems.
By embracing a risk-based approach to cybersecurity that works alongside compliance, insurance organizations can ensure customers are protected from threat actors looking to gain access to sensitive information. Interestingly, 48% of organizations with no breaches in 2021 took a risk-based approach to their security programs. This approach to risk management, in tandem with compliance, allows security teams to focus efforts on vulnerabilities that expose the organizations to potential data breaches.
