Forty percent of major insurers have experienced one or more security breaches in the past 12 months, according to a global survey of chief security or information security officers at 46 major insurance organizations by Deloitte.
By comparison, one-quarter of financial institutions suffered a security breach in 2011.
"I think, from an overall perspective, the insurance market is not really as focused on this area" as other financial services, said Vikram Bhat, a principal at Deloitte's financial services security and privacy team in New York.
Historically, he said, banking and other financial services have come under more cyber risk pressure, but due to a combination of a changing regulatory climate and "the bad guys figuring out there is an opportunity," the insurance industry is being hit more often. In addition, he said, information security programs in the insurance industry are generally not as mature as in other financial sectors.
"As a broad statement, it's lower but it's changing and people are starting to invest and react to the incidents that are happening," Bhat said.
Lack of budget and/or resources was cited as the top barrier for an "effective information security program" for insurers, according to the survey. The next most common barrier cited was "lack of visibility and influence within the organization."
Adding to the complexity is the rampant use of mobile devices in the insurance industry -- cited by respondents as resulting in 45 percent of the breaches. About four in five insurers support employee-owned or corporate-owned mobile devices, according to the respondents.
According to Deloitte's "2012 Global Financial Services Industry Security Survey: Breaking Barriers," two out of five financial services respondents felt "very confident" their organization was protected from an external attack, compared to the 21 percent who felt "very confident" protecting assets against an internal attack.
Bhat said risk managers need to work with IT and senior leaders to define their organization's "real critical assets and new threats and what you need to focus on because ... resources are limited."
--By Anne Freedman
November 1, 2012
Copyright © 2012 LRP Publications