Supervisors warn of serious hacker attacks on insurers

Munich. It was only seven words, but the sentence was enough to put an industry on alert: “Insurers are a popular target for cyber attacks,” said Frank Grund, executive director for insurance supervision at Bafin, recently at an event organized by the Bonn authority.

The insurers, who have chosen the cyber policy and thus the protection of their customers against attacks from the Internet as one of their most important future products, could themselves become the preferred victims of criminal attacks from the Internet. The pandemic and the Ukraine war had recently massively increased the danger.

Above all, it is the large volume of sensitive customer data that insurers have to fear for in extreme cases. One of the most threatening scenarios is the theft of health records from health insurance customers because of their large amount of personal data.

But the company’s own business secrets, such as the mathematically highly complex pricing of individual insurance tariffs, are also a neuralgic point of attack. With a successful attack, the hackers would penetrate the innermost security zone of an insurer.

“Even if we have happily noticed hardly any attacks on the German financial sector since the beginning of the war, it is still important that we are even more vigilant than before,” warns Grund. After the effects of the low-interest phase or the processing of the flood disaster in the Ahr Valley, IT security is now the next major project that the Bonn supervisors have undertaken for the insurers.

In the industry itself, people are therefore sensitized. Efforts are being made everywhere to install new security standards and make existing systems more resistant to attacks. Gothaer Versicherung in Cologne, for example, allows itself to be repeatedly attacked by specialists in order to identify weak points in its own system. Fictitious hacker attacks are carried out in so-called Red Team Assessments.

This is intended to build up cyber resilience in a targeted manner, i.e. to strengthen resistance to professional hacker attacks. The aim is to ensure that business processes are not impaired in the event of a cyber attack. Christian Swoboda, the company’s Chief Information Security Officer, is in no doubt that Gothaer could also fall victim to a hacker attack at some point: “The question is not whether we will be affected, but when.”

Insurers are going silent

With his open statements, Swoboda is one of the exceptions in the industry. Most insurers quickly turn silent when asked about the ever-growing threat of a major hacker attack. So does the market leader Allianz. There, ACDC has nothing to do with the Australian rock band, but stands for Allianz Cyber Defense Center.

The special unit is known to have existed for years. Cyber attacks are simulated, employees are trained, phishing exercises are carried out and awareness of the new forms of attacks is raised. However, the group is silent about the details of ACDC’s work. Officially, the topic is too sensitive to want to talk about it in public.

However, there is another way of approaching the magnitude that the information technology (IT) complex in general and cyber protection in particular is now taking on at Europe’s largest insurer. The entire IT budget of the group was 4.2 billion euros last year. A number that has been rising steadily for years. Around 12,000 employees at the Allianz Technology subsidiary and around 4,500 so-called outsourcing partners monitor the systems, their security and resilience around the clock.

Barbara Karuth-Zelle: The Allianz board member is responsible for the IT area at Allianz. (Photo: Allianz)

A key point here is outsourcing to the cloud. Around two thirds of the IT infrastructure had already gone to the cloud last year, as the responsible Allianz board member Barbara Karuth-Zelle announced at the presentation of the new corporate strategy at the end of last year. The number of the group’s own data centers has fallen from 144 in 2018 to just six.

Supervisors take a critical view of outsourcing to the cloud

This strategy, which the entire industry is pursuing in a similar way, does not meet with unqualified approval from the Bafin supervisors. From Bafin’s point of view, the fact that more and more insurers are outsourcing activities and functions to cloud providers exacerbates the cyber threats, because new dependencies and concentration risks arise when several financial companies use the same large cloud service provider.

“The more IT services companies have outsourced – and the more activities the service providers have then outsourced themselves – the more difficult it is to control the fragmented value chains,” warns Bafin Director Grund.

Until recently, only two competitors, Amazon Web Services (AWS) and Microsoft Azure, dominated the market. In the meantime, the Google Cloud Platform has been added. Local providers such as Deutsche Telekom also offer their services.

“But if one of these multi-client service providers fails, this can affect parts of the industry or even the stability of the financial system,” Grund fears. He therefore demands that insurers come up with a plan B for outsourcing to cloud providers in the event of an emergency – with corresponding exit scenarios.

Insurers face stricter rules

For the industry, this means more regulatory requirements in the future. A newly created department of the Bafin will in future create a so-called outsourcing map, where the insurers’ main outsourcing arrangements will be collected and summarized. Even so, the Bonn-based authority will not be able to slow down the trend towards increased use of cloud solutions.

Eight out of ten insurers want to rely on the cloud by 2030, according to a survey by the consulting firm Sollers last year. The insurers surveyed were aware that this could lead to the aforementioned compliance problems. Nevertheless, they want to continue on the path they have taken. “In theory, the cloud is vulnerable to cyber threats, but in fact it offers better security at a lower price,” says Sollers expert Dominik Kaminski.

The growing danger of hacker attacks on insurers should motivate the supervisors to check the IT of the groups even more intensively. The tests conducted so far show that this is urgently needed. Since 2018, the trend has pointed to a great need for improvement. “There is still a lot of room for improvement here,” said Renate Essler, head of the IT audit department at Bafin. The results were often sobering.
