Why securing APIs is a business priority for insurers

Data cables connect to a computer server unit inside a communications room at an office in London.
Chris Ratcliffe/Bloomberg

APIs are at the core of today's digital services. Insurance companies worldwide are developing, deploying and modifying APIs at a pace we have never seen before. These businesses rely heavily on APIs as the foundation for their online services and transformative applications, as they allow insurance companies to share vital data with partners, customers and employees.

However, as with anything that experiences rapid growth, it does not come without its challenges. The growth of APIs opens the door to a plethora of new security challenges by expanding the attack surface available to malicious actors. These bad actors are tenacious and are always on the hunt for new and unexpected ways to attack organizations. In the past, organizations believed that requiring proper authentication to interact with an API was enough of a deterrent to send attackers elsewhere. According to Salt Labs data, however, 84% of attacks came from seemingly legitimate users who were actually attackers: they had either exploited existing mechanisms to generate their own valid credentials for accessing the API or acquired credentials in a malicious manner.

Although the API ecosystem has grown rapidly across every industry globally, the insurance industry is at more risk than others, putting it at the top alongside the financial services and retail industries. This piece will explore the rise in API attacks within the insurance industry and reiterate the work the software and security industries have to do in this area, as bad actors are constantly hard at work taking advantage of the current lack of security.

Times have changed, and gone are the days of calling insurance brokers to set up policies. Today, consumers have different expectations and expect to buy, set up, renew and claim on their insurance all in one place - online. Similar to the financial services industry, the insurance industry relies heavily on APIs to supply services and move the dial on business innovation. While the adoption of microservice-based architectures and the use of APIs has propelled the industry into the modern age, it is not without its challenges.

In order to keep up with customer demands, insurance companies must process and share sensitive customer data with a myriad of third parties, all while ensuring their customers can access, change and submit their information instantaneously through websites and mobile applications. This new landscape has placed APIs at the heart of insurance, which poses new security challenges and puts them in a spotlight visible to malicious actors looking to exploit them. In fact, according to survey respondents from Salt Security's State of API Security for Financial Services and Insurance, 92% had experienced at least one significant security issue with their production APIs over the past year, an alarming figure. Further, as a result of Covid, there has been a spike in the number of insurance providers globally that have adopted state-of-the-art, API-driven, AI-based automation technology to provide services, process customer claims and support the underwriting process. In fact, according to McKinsey & Company, AI is poised to reshape the insurance industry by 2030. Insurance business leaders are now being forced to address these compounded, emerging security challenges, requiring them to augment, update or replace existing security defenses swiftly and effectively.

Malicious actors are hard at work and increasingly targeting insurance APIs. Findings from Salt Security's State of API Security for Financial Services and Insurance reveal a staggering 244% increase in unique attackers between the first and second halves of last year. What's more, a shocking 27% of respondents admitted that they had recently experienced a sensitive data exposure or privacy incident, and 17% had experienced an API-sourced security breach.

The transformation to API-first architectures and workflows is helping insurance organizations stay competitive and innovate at an extraordinary pace. While this is advantageous for the industry, it unfortunately provides hackers with a more easily accessible attack surface, presenting a low barrier to breach in most cases. This expanded attack surface enables threat actors to compromise insurance claims, access and steal account information, engage in fraudulent activities or transactions, and ultimately disrupt services. In addition, insurers face the same compliance and regulatory obligations as financial services organizations. An API attack can result not only in hefty fines but in reputational damage as well, which can cost insurers the trust of their customers.

Given the rise in attacks and the costs associated with API security breaches (i.e., fines, loss of customer trust and reputational damage), securing APIs to protect digital services has become a business priority. Insurance has entered a crucial stage in its digital innovation journey, and APIs play a huge part in supporting new insurance services. The time is now for business leaders to consider and implement proven API risk reduction strategies, leveraging dedicated AI-based API security defenses, which will allow insurers to safely embrace the power of APIs and stay competitive in this rapidly changing landscape while ensuring customer loyalty, compliance and overall.
