Actions to improve cyber resilience in finance and insurance sector

Aon outlines that cyber threats are ever evolving and a critical area of focus for regulators, customers, shareholders and boards of directors in the finance and insurance industry.

Governments, businesses and customers look to financial institutions as the backbone of the global economy. Because of the vital role it plays, the industry’s security is highly regulated and scrutinised.

Emphasising the need for cyber resilience, the US Securities and Exchange Commission recently introduced a proposal that would require all market entities to implement policies and procedures that are designed to address their cybersecurity risks.

On top of this, financial and insurance organisations will need to, at least annually, review and assess the design and effectiveness of their cybersecurity policies and procedures – including whether they reflect changes in cybersecurity risk over the time period covered by the review. In the European Union, financial institutions have two years to manage operational resilience and comply with the Digital Operational Resilience Act.

New risks and vulnerabilities are detected daily, and finance and insurance industry leaders ranked the threat of a cyber attack or data breach as the top risk in Aon’s most recent Global Risk Management Survey.

The sector faces a complex, globally interconnected risk landscape, and leaders face decisions that demand rapid analysis and execution. Emerging technologies and new business models continually alter the terrain. Mobile wallets are one fundamental development: offline and online payments conducted with a mobile device, smartphone or wearable are now commonplace, and fintech is snowballing.

This new sector, fintech, greatly expands the attack surface and introduces even more third-party risk for the larger financial institutions that connect to these smaller, less sophisticated companies. While Asia leads in prominence of fintech companies by revenue, North America has the most fintech start-ups, with statistics pointing to 8,775 currently operating. Europe, the Middle East and Africa boast 7,385 fintech start-ups, while Asia Pacific hosts 4,765.

Changes in cyber liability insurance have also been significant over the past two years. Incidents such as the 2021 ransomware attack on a US pipeline system altered the marketplace, and insurers realised the tremendous risk of business interruption and interconnectivity. Carriers now require financial institutions to demonstrate cyber resilience to secure an affordable – or any – policy. During renewal discussions, some carriers bring independent technology professionals to question a financial institution’s chief information security officer.

This gives financial institutions an opportunity to use the insurance renewal process as a means of demonstrating the controls and systems they have in place. Such an approach helps ensure that renewal becomes a complement to their risk management process.

Aon clients report: Finance and insurance industry and cyber risk

Aggregated data results from Aon’s Cyber Quotient (CyQu) show that clients reported overall risk score improvement from 2.7 to 2.9 (approaching “managed”) in 2022 across all finance and insurance companies.

Small and medium-sized entities said their risk profile improved from “basic” to “managed”, and 64 percent reported risk scores of more than 2.5. This strong growth in maturity will likely continue as insurers retain their focus on these emerging organisations that are critical to the financial services ecosystem.

The median percentage of the IT budget spent on security also rose globally, with finance and insurance companies dedicating 8 percent of the IT budget to security in 2022.

We are currently seeing a resurgence of aggressive threat actor groups targeting financial services companies, and those attacks are succeeding in a majority of cases. Insurance claims are rising, with a 38 percent increase in ransomware claims from Q4 2022 to Q1 2023, even though all revenue bands reported steady improvement in overall cyber risk profiles.

Finance and insurance companies improved implementation of IT controls between 2021 and 2022 and emphasised strengthening multi-factor authentication (MFA) controls. US companies reported significant improvement in MFA critical controls, with 80 percent deploying them versus 65 percent in 2021. However, even with this improvement, Aon notes that many may not yet have deployed these solutions thoroughly, which may be a factor in the rise in attacks we are currently seeing.

Looking to the US, finance and insurance companies reported steady improvement in IT controls readiness between 2021 and 2022. Aon’s Ransomware Supplemental Applications red flag controls data shows that the most significant improvement was in MFA, with a 15 percent improvement, and business resilience, with an 8 percent improvement in implementing essential underwriting controls.

Compared to the healthcare and manufacturing sectors, the financial services industry appears to be much more mature regarding business resilience. However, backup security continues to be an area of vulnerability, with organisations still reporting gaps in almost 40 percent of the IT controls in this domain. This control domain should be an area of focus throughout 2023 as ransomware threats again escalate.

While trend data is not yet available for the UK, in 2022 the country’s finance and insurance organisations reported the strongest maturity in access management, email security and patch management, registering 20 percent or fewer gaps in each control area. Clients reported significant gaps in software management and in network and data security controls. As in the US, backup protection also appears to need attention.