Scaling your security for remote work during Covid-19
As insurance and pension providers and government agencies send their employees home to avoid contact with the Coronavirus, many cyber-security teams are facing the unenviable challenge of securing sprawling, vulnerable networks.
Every time an employee connects to their corporate network from home, they’re creating possible access points for hackers to exploit. When this happens 1,000 times on a single network almost overnight, as it has amid orders for regional lockdowns, it’s difficult to ensure every connection is secure.
The specific security challenges are wide-ranging. While those using company-provided laptops are likely to be protected by internal safety measures, they could still be vulnerable if their security software isn’t updated or their remote network connection isn’t perfectly configured. A bigger problem is employees using their own equipment that security teams can’t monitor for malicious traffic. For all they know, these devices may already be infected with malware.
The challenge can overwhelm security personnel, especially for those companies that have previously discouraged employees from working from home.
Pivoting from desktops in the office to laptops at home is a project that security teams at large companies execute over months. Instead, the shift to working at home has happened in days. And with so much emphasis placed on simply making sure company operations don’t grind to a halt, network security can be an afterthought.
The huge number of people working at home has expanded the places that hackers can exploit. As companies across Europe come to grips with this new normal, hackers are tweaking their attacks, sending phishing emails that claim to be about the Coronavirus or purport to be from a trusted health agency to leverage fear of the global pandemic.
Cyber is a major challenge for any organisation: legislation, such as GDPR, and the potential for brand damage raise the stakes. Digital transformation initiatives bring countless benefits but also create security risks.
The Covid-19 pandemic has exacerbated the tension between keeping insurers, pension providers and their systems and data secure while adopting wholesale new ways of working. These organisations must remain vigilant to malicious Covid-19-related cyber activity.
Malicious actors are using the intense focus placed on the virus and the fear and panic that it creates. Security researchers have already observed phishing emails posing as alerts regarding Covid-19. These emails will typically contain attachments that purport to offer information or safety updates. And when people are stressed and hungry for information, they’re less committed to security best practices than usual.
Service providers are helping insurance and pensions clients with everything from standing up new collaboration systems and providing critical connectivity to delivering AI-based tools for communicating with customers. As one of the UK’s largest providers of technology and professional and managed services, Capita has been leading the charge with massive efforts to move to remote operations, so that insurance companies can accelerate larger transformations.
We have been working in a different way through the Covid-19 outbreak, and helping our customers to maintain stable and continuous operations. We shifted to an almost entirely remote workforce before most countries began issuing stay-at-home orders, and we have aligned our Covid-19 work with the major business and technology challenges that our clients are facing during the outbreak.
The Association of British Insurers was warning people in early April to be on their guard against scammers looking to cash in on the financial hardship that Coronavirus is causing for many families and firms. Fraudsters would offer bogus insurance products and high-risk investment and pension products. Threats that consumers and businesses need to be aware of include:
- Robocalls or automated texts that falsely claim to be from legitimate, mainstream insurance companies. They may claim that, for a fee, they can help to recover losses by submitting a claim for the cost of a holiday or event such as a wedding cancelled due to Coronavirus.
- Pension and investment scams, which might claim that they will guarantee you higher returns than your current savings.
- Cold calls about your pension - It is illegal for firms to contact you out of the blue about your pension, and you should hang up if they do. The caller may offer to help you to access your pension before the age of 55, or offer you a “free pensions review”.
- Phishing emails - These try to trick people into opening malicious attachments or revealing personal or financial information.
- Ghost brokers - Fraudsters may attempt to use an insurer’s branding to promote and sell fake or invalid insurance products, including products such as travel and business interruption that may claim to offer Covid-19 protection.
- False insurance cancellation - Callers will say your insurance has been cancelled and they promise to reinstate it if you pay an additional fee over the phone.
Insurance customers are being urged to:
- be suspicious of offers that seem too good to be true
- not feel pressured to agree to offers or deals on insurance, pensions or investments
- check the credentials of the person they are dealing with by getting a name and contact details. You can check the Financial Services Register to make sure that you’re dealing with a regulated company. Hang up and call them back on details that you can verify
- never give out personal details such as insurance or pensions policy numbers or other account details
- always use contact details on documents provided by your insurer or pension company
- never assume that all online sites are genuine.
Mark Allen, ABI’s Manager, Fraud and Financial Crime, at Capita, said: “Criminals are experts at exploiting situations for their own gain and the Coronavirus is a perfect opportunity for them, so people need to be on their guard. Consumer scams can leave people seriously out of pocket. If someone offers you a deal that looks too good to be true, it probably is. If you are unsure, check the Financial Conduct Authority’s Financial Services Register to make sure that you are dealing with someone genuine.”
Stephen continues: “Fraudsters may also exploit the situation to make fraudulent claims. IFB investigators and intelligence analysts are actively working alongside the insurance industry and the police to identify them and to protect genuine policyholders and claimants. If anyone has suspicions about insurance fraud, they can help our investigations by reporting their evidence to our confidential Cheatline service on our website.”
Charlotte Jackson, Head of Pensions Operations and Consumer Protection at the Money and Pensions Service, said: “This is a very worrying time for everyone, and the impact of the Coronavirus on financial markets is adding to the stress. Difficult as it is, the most important thing is not to panic or rush into making any decisions about your pension now. We know scammers will try to take advantage of the situation so you should be suspicious of any unexpected approach. Before you do anything, it’s worth getting independent guidance or advice. Our pension specialists are offering a full service, for free, via 0800 011 3797, or you can make an appointment with Pension Wise online.”
Detective Chief Inspector Andy Fyfe, head of the City of London Police’s Insurance Fraud Enforcement Department (IFED), said: “Fraudsters are heartless and selfish criminals, who have no qualms about using tragic events, including the Covid-19 pandemic, to make money. Several of IFED’s past cases have involved fraudsters who exploited other human tragedies, such as the Grenfell Tower Fire, the London Bridge terror attack, and the Manchester Arena Bombing.
“So it’s vital that members of the public remain vigilant and aware that fraudsters will stop at nothing to try to steal their money.
"Insurance fraud is a serious crime and is treated as such by IFED, the insurance industry and the criminal courts. We want fraudsters, and indeed anyone thinking of making a false claim related to Covid-19, to be in no doubt: if you commit insurance fraud, we will catch you and you will be brought to justice.”
Consumers have been alerted that if they have been a victim of a scam, or know of someone who has been, they can report the scam to Action Fraud.
For the insurance industry as a whole, keeping data secure matters, whether it’s your own information or anything that your clients trust you with. If a hacker targets your business, there’s an IT failure or you (or someone in your business) have accidentally shared something you’re not supposed to, it takes time and money to fix. Having a cyber and data risks insurance policy is a good risk mitigation measure.
Insurance will probably be one of the sectors to be hardest hit by cyber crime during the current pandemic and it is important for insurers and their agents to take steps to protect vital customer data.
In fact, just one successful attempt to hack an insurance company’s database is enough to make the entire industry lose billions of pounds in a day. And in the long run, they will lose their brokers’ and customers’ trust and business.
If you are in the insurance industry and you aren’t doing anything to proactively manage the threat of cyber incursion, you’re at serious risk of losing your customers’ confidence and your good reputation, as well as facing fines by the Information Commissioner.
For any insurance broker or agent to get leads that will turn into loyal clients, you must assure them that you’ve implemented strategies to prevent a cyber-attack and that the personal information they’ve shared with your company is safe.
Current security challenges for insurers
There is a well-documented shortage of cyber skills. Finding, training and retaining the right people is a time-consuming activity, and requires agility in cyber security’s fast-moving domain. User and human error remain one of the largest threats to any organisation's security. Ensuring that you find the right people and train them regularly to keep them up to date with cyber trends and instilling an effective but supportive security culture is a major part of any cyber defence strategy.
2. New behavioural risks
Prolonged stress may increase people’s anxiety and impulsivity, impair their judgement and lead them to become negative, and distort their experiences. In times of crisis, people can begin to feel desperate, resulting in erratic behaviour and potentially increasing the risk of insider events. For example, an unprecedented rate of separations, whether by redundancy or furlough, and a decrease in the value of the financial markets has left many in precarious financial situations. For those hurting financially, normally unthinkable acts such as fraud could begin to seem like an option.
3. Managing the legislative and regulatory landscape
The insurance industry is bound with many regulations by different official bodies. Regulations such as European initiatives like the Insurance Distribution Directive and the General Data Protection Regulation need to be monitored and adhered to.
The Information Commissioner’s Office is the UK’s independent authority for upholding information rights in the public interest. It promotes openness by public bodies and data privacy for individuals; it also keeps track of data breaches. It can issue fines over and above the substantial fines and penalties mandated by GDPR for non-compliance.
There are two tiers of fines: up to £10m or 2% of annual global turnover (revenue) for the previous year, whichever is greater, and up to £20m or 4% of annual global turnover, whichever is greater. Breaches of data subjects’ rights are expected to result in the higher-level fine, although many factors will help to determine the actual amount, including the duration and gravity of the infringement and the types of personal data affected. The organisation’s co-operation and behaviour will also influence the size of the fine.
Government regulations have become a big challenge for the insurance sector and its customers, invariably increasing the cost of providing insurance through its restriction of underwriting practices and encouragement of a third-party payer system.
In addition, regulations that work in the car insurance sector don’t work in the health insurance sector, and the same applies to life and travel insurance companies.
The cyber market is awash with new products. Building business cases for investment and finding the most appropriate solutions takes time, and making poor decisions may cost organisations in the long run.
An insurer’s digital business must be secure. But strict security can frustrate their customers, leading to slow digital growth and low adoption. Using big data technologies, machine learning, AI and IoT seamlessly in the background fundamentally challenges traditional technology platforms.
Being able to authenticate customers in a non-intrusive way is essential. Without cognitive security, insurance organisations cannot keep up with constant security threats. Automated threat detection and empowering security teams to intelligently respond to cyber threats is essential in the face of the heightened risk facing insurers during this pandemic.
6. Customer relationship management
Getting customers is easy. Managing them beyond the transactional level into the relational level, where they become loyal customers and a mouthpiece for your insurance company, is harder. Insurers will have nothing to do with you and are more likely to give your company a negative review if your customer service is poor.
With the rising number of insurance companies in the UK, it’s important that you think of effective ways to attract new insurers, retain old ones and grow your relationship with them. Identify customer relationship management tools that you can use to grow your business.
Cybercrime is on the rise - more than three out of five firms reported a cyber-attack in the last 12 months - and it can lead to lost revenue, a damaged reputation and even fines. Anyone who uses computers or the internet at work, holds data about customers, suppliers or employees, carries out online transactions or just uses social media should think very carefully about security.
The Capita approach
Combining technological capabilities with a consultative approach and extensive market experience, Capita can help public and private sector organisations to reach their cyber goals by providing an end-to-end security service.
With extensive experience of working with insurers in the cyber security industry, and with access to experts and our partner network, Capita is very well positioned to help you to solve your cyber security challenges:
- Independent – we are vendor agnostic and promote the best solution for our clients
- Grounded – our cyber security services build on our own cyber experiences
- Holistic – we believe that effective cyber security requires focus on the right blend of people, process and technology
- Trusted – we are already trusted by Government to deliver data-rich services securely
- Scale – as a company, we are used to building and running large-scale solutions.