Insurers turn to outsourcing to shore up data security
Two-thirds of insurers have increased the amount of outsourcing they use to combat cyber threats in the past two years, as the number of threats rises, according to a Moody's survey of 50 insurance carriers.
Relying on third parties that specialize in security means that insurers are protected against turnover among their in-house security staff and can be generally assured that the latest risks and solutions are at their disposal, Moody's says. The typical insurer employs about 10 different cybersecurity vendors, according to the survey.
"The increasing trend toward outsourcing is driven by a combination of factors, the most important of which involve the need for round-the-clock and globally-integrated coverage of cybersecurity needs, access to up-to-date specialty expertise across an array of disciplines, and challenges to hiring additional internal specialized staffing due to pent-up market demand," Moody's writes.
Insurers, however, are still aggressively hiring data security experts, Moody's says, with carrier-side cybersecurity staffs growing by about 30% per year since 2012. Those resources are typically focused on managing vendor relationships.
"Outside experts may not fully understand the particulars of insurers' business models and priorities," Moody's notes.
Another trend in insurance cybersecurity is increased reporting frequency, especially to boards of directors. Three-quarters of insurers surveyed make at least monthly reports to upper executive management, and just over half report to the board of directors quarterly.
All this activity is happening against a backdrop of increased threats to insurers' networks. Incidents requiring a response or other escalation increased about 25% from 2014 to 2015, Moody's found.
"Nearly all insurers today maintain detailed incident response plans, and conduct various types of testing to ensure business continuity in the event of a cyber-attack or data breach," the company says. "For the most threatening attacks, our surveyed insurers reported that C-level executives (CEO, CFO, COO, and CIO) were involved in scenario-and-response protocols."