RESEARCH REPORT

In brief

In brief

  • Insurers reported success in our 2018 survey, but the latest State of Cyber Resilience in Insurance report suggests they were simply buying time.
  • While some aspects of cybersecurity improved for insurers, including a decline in successful breaches, new challenges present new concerns.
  • A group of elite insurance leaders can pave the way for other providers to shore up their cybersecurity strategy.

Since our last cyber resilience survey in 2018, cyberattacks on insurers have more than doubled (from 240 to 519 attacks, on average), illustrating the current cyber climate for insurers: It’s volatile.

Accenture’s State of Cyber Resilience for Insurance report presents both good and bad news amid the volatility, and reinforces our concern that, in 2018, insurers’ cybersecurity efforts were often “buying time” against threats that now are rising.

The good news? Breaches against insurers are down 42 percent since our last survey. Our survey finds some of the “nuisance” attacks—those resulting when cyber attackers commoditize their attack toolsets—are less effective as insurers have learned to fend these off via increasing password complexity requirements and two-factor authentication strategies.

Insurers have had some successes in strengthening their cyber resilience.

42%

Successful breaches dropped by 42 percent, from 52 breaches on average in 2018 to 30 breaches now.

32%

Previously, only 9 percent of insurers could detect a security breach within 24 hours. That number now is 32 percent.

72%

Our 2018 study found only 33 percent of insurers could remediate a breach in 30 days or less. Today that number is 72 percent.

The less-rosy picture

With attacks on the rise and coming from new directions, insurers face a handful of challenges that stretch their ability to respond:

  • Indirect attacks are increasing. Insurers should extend security measures beyond their four walls, as our survey finds 40 percent of attacks coming indirectly, from a third party connected to the business’s network. This challenge is made even more complex when companies rely on a remote workforce.
  • Recovery time is lengthening. While insurance providers may have improved their ability to fend off breaches, they are detecting them at rates lower (56 percent) than cross-industry cyber resilience leaders (83 percent). Insurance companies lag cross-industry leaders in resolving breaches quickly and are exposing more of their customers—our report found 44 percent of insurers had exposed more than 500,000 customer records last year, compared to only 15 percent for cross-industry leaders.
  • Insurers are investing but fear they can’t maintain the pace. Our survey finds firms increasing their cybersecurity investment. More insurers are investing at least a fifth of their cybersecurity budget on advanced technologies (89 percent, compared to 68 percent from our previous study). But they worry the cost is high and rising. Among those surveyed, 72 percent say staying ahead of attackers is a constant battle, one with an ultimately unsustainable cost.

Standouts achieve more

These challenges may seem daunting. But our Cyber Resilience Survey identified a group of elite, best-in-class insurance leaders who are demonstrating significantly greater effectiveness at cybersecurity and cyber resilience than their peers. Emulating these leaders can help insurers improve their overall effectiveness. Best-in-class insurers identified by our survey can:

  • Stop more attacks
  • Find breaches faster
  • Fix breaches faster
  • Reduce breach impact

Elite cyber resilience insurers perform better.

8%

Among insurers surveyed, 8 percent fit the “elite” category, while 83 percent fell into the non-leader or average performer category.

3%

For elite insurers, only 3 percent of breaches are successful. That number rises to 14 percent for non-leading insurers.

88%

Eighty-eight percent of elite insurers detect breaches in less than a day, versus only 26 percent for non-leaders.

97%

An overwhelming 97 percent of elite insurers fix breaches in 15 or fewer days. Only 37 percent of non-leaders can say the same.

53%

Elite insurers report 53 percent of breaches have no impact on their organization. That number dips to 37 percent for non-leading insurers.

Follow the leader

Would it cost even more—in terms of time, money, resources—for insurers to match the performance of “best-in-class” leaders? It might be better to view these top-notch providers as “leading the way.” They offer a path forward that may not be the costliest or most complicated. The key to their cyber resilience success is in investing wisely and efficiently in their cybersecurity efforts.

Elite cyber resilient insurance firms suggest adhering to these guidelines:

Prioritize speed

Speed, measured by how quickly they can detect, respond and return to normal after a breach, is a priority for leading insurers.

Scale more

Leaders seek to scale investments, moving tools from pilot to full deployment. Those who succeed perform four times better than average.

Train more

Training underpins speed. A majority (59 percent) of top performing insurers offer training about security tools to more than half of users.

Collaborate more

Organizations that collaborate within and outside their walls have a breach ratio of 6 percent versus an average of 13 percent for the rest.

View All

Ready to begin?

Following the trail blazed by insurance leaders can help all firms improve their cybersecurity game.

Insurers also can pursue immediate steps toward improvement. For example, they can shore up defenses against indirect attacks. The solution sounds simple enough: It’s about establishing policies, governance and enforcement such that third parties connected to your network follow the same high security standards you do. Pulling this off—and maintaining it over the long haul—would take some effort.

Fortunately, help is available. We can work with you, wherever you are in your cybersecurity journey. Read our report to see how Accenture can help your insurance firm become a cybersecurity leader.

Chris Thompson

Senior Managing Director – Security, Financial Services Lead

Valerie Abend

Managing Director – Accenture Security, Global Financial Services Security Lead

Andrea Agnosti

Managing Director – Accenture Security

MORE ON THIS TOPIC

Lessons from leaders to master cybersecurity execution

Accenture Security

Lessons from leaders to master cybersecurity execution

Defining the risk function’s sphere of control

Financial Services

Defining the risk function’s sphere of control

Subscription Center
Stay in the Know with Our Newsletter Stay in the Know with Our Newsletter
Subscribe