Connect with us

Technology

Why insurers must be on the lookout for ever-opportunistic cyber attackers

Source: Finance Derivative

By Paul Prudhomme, Head of Threat Intelligence Advisory at IntSights, a Rapid7 company

The insurance industry has long been a staple for cyber attacks. Criminals go where the money is, and the sector represents one of the most direct ways to access key personal and financial data that can be used to net an illicit profit.

More recently, insurers have faced even greater risk exposure due to their provision of cyber insurance coverage, particularly when it comes to ransomware. The sector has also seen increased attention from state-sponsored actors seeking personal data to fuel other campaigns.

Why is the insurance sector such a popular target for cyber crime?

Threat actors regard the insurance industry as a valuable source of personally identifiable information (PII) which can be used for a variety of crimes, including identity theft, other types of fraud, and further cyber attacks.

Alongside insurance documentation itself, firms will also have digital copies of items such as passports, driver’s licenses and bank statements that have been used to verify the policy holder’s identity and address. Birth dates are also particularly valuable to criminals, alongside National Insurance numbers, Social Security numbers, and their various international equivalents.

In one prominent example, U.S. insurer Ryan Specialty Group had its employee email accounts breached in April 2021. Customer names, Social Security numbers, driver’s license and passport details, and financial account details were believed to be exposed as a result.

The depth of information held by insurers on behalf of policyholders is also useful to state-sponsored threat actors, providing a large amount of data for human intelligence (HUMINT) operations or signals intelligence (SIGINT) operations.

Insurers that provide cyber insurance also face an elevated threat level. Attackers may seek to compromise their network to unearth policy details and security standards as a way of creating more effective targeted attacks.

The rising threat of ransomware

In addition to data theft, insurers are also targets for ransomware attacks. Ransomware has swiftly risen to become one of the primary cyber threats for businesses in all industries today as an infection can rapidly cripple the organisation by encrypting key files and systems. Criminals are also increasingly coupling ransom demands with data theft, often threatening to leak sensitive information unless additional payment demands are met.

However, insurers that provide cyber policies may again face increased risk from organised cyber criminal gangs and state-backed actors. In one prominent example, the Asian component of global cyber insurer AXA was struck by the Avaddon ransomware last year very shortly after announcing that it would stop reimbursing new French customers that chose to pay ransom demands.

The group responsible may have been seeking to make an example of AXA, as its previous policy of covering ransom payments would make it more likely for victims to pay up to criminals.

Why most stolen data is destined for the dark web

Stolen data is a commodity item in the shadow economy maintained by cyber criminals. Datasets are readily bought and sold on hidden forums and marketplaces on the dark web, with individuals and groups often specialising in selling data rather than using it themselves.

In one example discovered by IntSights security researchers, a Chinese-speaking criminal going by “Rebecca” was selling access to records from Chinese auto insurance companies for $3 each. These records included PII such as names, addresses, and driver’s license numbers.

Threat actors will commonly purchase PII sets from different sources to help facilitate further data theft and fraud. The insurance sector is a favourite target here as automated quote tools can potentially be exploited into revealing more information about customers. Farmers Insurance Group, for example, revealed that in early 2021, attackers attempted to use previously stolen customer names, dates of birth, and street addresses to trick its automated car insurance tool into providing driver’s license numbers.

Criminal groups now often include the threat of data disclosure as part of ransomware attacks. Defiant organisations that refuse to pay up will be punished by having their data sold on the dark web, or sometimes dumped on publicly available open web platforms. The threat aims to pile additional pressure on the victim by creating a high-profile breach that will damage customer trust and attract the attention of compliance regulators.

How can insurance firms protect themselves and their customers?

All firms operating in the insurance sector should be aware that they represent a high priority target to threat actors ranging from opportunistic criminals to highly organised gangs and even state-sponsored groups. Securing the customer data in their care should be a top priority for all insurance firms.

Insurers need to consider the context of their data and how best to protect it. B2C security measures will be significantly different from B2B equivalents, for example, and different subsectors such as auto and health insurance will also have their own security threats and priorities.

Threat intelligence is the most important asset for attempting to understand and mitigate these risks. Having access to a range of data from open and closed web sources will help insurers to build a picture of threats arrayed against them and prioritise their security strategies accordingly.

This includes insight into general trends, such as new attack tactics, malware variants, and software vulnerabilities, and can also reveal direct threats to the organisation. For example, threat intelligence might uncover discussions in a dark web forum about targeting a specific insurer because of their ransomware pay-out policy, or due to an exploit in their automated customer service system.

Effective threat intelligence can also alert insurers to the fact they have been breached by discovering criminals arranging the sale of stolen data. While the firm will still suffer reputational and financial damage, this warning can give them a chance to get ahead of the crisis.

The cyber threat landscape has become increasingly hostile for the insurance sector in recent years. In order to have the best chance of protecting both themselves and their customers, insurance providers should look to implement threat intelligence to understand the context of their data and mitigate threats accordingly.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Business

Resilient technology is the most important factor for successful online banking services

Source: Finance Derivative

By James McCarthy, Director of Solutions Engineering, NS1

More than 90 percent of people in the UK use online banking, according to Statista and of these, over a quarter have opened an account with a digital-only bank. It makes sense. Digital services, along with security, are critical features that consumers now expect from their banks as a way to support their busy on-the-go lifestyles.

The frequency of cash transactions is dropping as contactless and card payments rise and the key to this is convenience. It is faster and easier for customers to use digitally-enabled services than traditional over-the-counter facilities, cheques, and cash. The Covid pandemic, which encouraged people to abandon cash, only accelerated a trend that was already picking up speed in the UK.

But as bank branches close—4865 by April of 2022 and a further 226 scheduled to close by the end of the year, Which research found—banks are under pressure to ensure their online and mobile services are always available. Not only does this keep customers satisfied and loyal, but it is also vital for compliance and regulatory purposes.

Unfortunately, their ability to keep services online is often compromised. In June and July of this year alone, major banks including Barclays, Halifax, Lloyds, TSB, Nationwide, Santander, Nationwide, and Monzo, at various times, locked customers out of their accounts due to outages, leaving them unable to access their mobile banking apps, transfer funds, or view their balances. According to The Mirror, Downdetector,  a website which tracks outages, showed over 1500 service failures were reported in one day as a result of problems at NatWest.

These incidents do not go unnoticed. Customers are quick to amplify their criticism on social media, drawing negative attention for the bank involved, and eroding not just consumer trust, but the trust of other stakeholders in the business. Trading banks leave themselves open to significant losses in transactions if their systems go down due to an outage, even for a few seconds.

There are a multitude of reasons for banking services to fail. The majority of internet-based banking outages occur because the bank’s own internal systems fail. This can be as a result of transferring customer data from legacy platforms which might involve switching off parts of the network. It can also be because they rely on cloud providers to deliver their services and the provider experiences an outage. The Bank of England has said that a quarter of major banks and a third of payment activity is hosted on the public cloud.

There are, however, steps that banks and other financial institutions can take to prevent outages and ensure as close to 100% uptime as possible for banking services.

Building resiliency strategies

If we assume that outages are inevitable, which all banks should, the best solution to managing risk is to embrace infrastructure resiliency strategies. One method is to adopt a multi-cloud and multi-CDN (content delivery platform) approach, which means utilising services from a variety of providers. This will ensure that if one fails, another one can be deployed, eliminating the single point-of-failure that renders systems and services out of action. If the financial institution uses a secondary provider—such as when international banking services are being provided across multiple locations—the agreement must include an assurance that the bank’s applications will operate if the primary provider goes down.

This process of building resiliency in layers, is further strengthened if banks have observability of application delivery performance, and it is beneficial for them to invest in tools that allow them to quickly transfer from one cloud service provider or CDN if it fails to perform against expectations.

Automating against human error

Banks that are further down the digital transformation route should consider the impact of human error on outage incidents and opt for network automation. This will enable systems to communicate seamlessly, giving banks operational agility and stability across the entire IT environment. They can start with a single network source of truth, which allows automation tools to gather all the data they need to optimise resource usage and puts banks in full control of their networks. In addition it will signal to regulators that the bank is taking its provisioning of infrastructure very seriously.

Dynamic steering 

Despite evidence to the contrary, downtime in banking should never be acceptable, and IT teams can make use of specialist tools that allow them to dynamically steer their online traffic more easily. It is not unusual for a DNS failure (domain name system) to be the root cause of an outage, given its importance in the tech stack, so putting in place a secondary DNS network, or multiple DNS systems with separate infrastructures will allow for rerouting of traffic. Teams will then have the power to establish steering policies and change capacity thresholds, so that an influx of activity, or a resource failure, will not affect the smooth-running of their online services. If they utilise monitoring and observability features, they will have the data they need to make decisions based on the real time experiences of end users and identify repeated issues that can be rectified.

Banks are some way into their transformation journeys, and building reputations based on the digital services that they offer. It is essential that they deploy resilient technology that allows them to scale and deliver, regardless of whether the cloud providers they use experience outages, or an internal human error is made, or the online demands of customers suddenly and simultaneously peak. Modern technology will not only speed up the services they provide, but it will also arm them with the resilience they need to compare favourably in the competition stakes.

Continue Reading

Business

Digital Banking – a hedge against uncertainty?

Source: Finance Derivative

Ankit Shah, Head of Digital Banking, Apex Group

The story of the 2020’s thus far is one of crisis. First the world was plunged into a global pandemic which saw the locking down of people and economies across the world. Now we deal with the inevitable economic consequences as currencies devalue and inflation bites. This has been compounded by Russia’s invasion of Ukraine and subsequent energy politics.

And the outlook remains uncertain. Tensions continue to build between China and Taiwan and inflationary conditions are forecast to continue well into 2023. This uncertainty is impacting everyone, and every sector. And finance is no exception with effects being felt everywhere from commodity and FX markets to global supply chains.

But it’s not all doom and gloom. Rollercoaster markets and an ever-evolving geopolitical situation have made 2022 a tricky year far, but, despite the challenges, digital banking has proven resilient. In fact, the adoption of digital banking services has continued to grow over the last few years, and is predicted to continue.

So, what are the forces driving this resilience?

In an increasingly digital world and economy, digital banking comes with some advantages baked in, which have seen the sector continue to succeed despite the tumult in the wider world. In fact, the crises which have shaped the decade so far may even have been to the advantage of digital banking. Just as during the pandemic, technologies which could facilitate remote working saw a huge uptick in users, so to digital banking is well suited to a world where both people, and institutions demand the convenience that online banking services offer.

And while uptake of digital banking services is widespread amongst retail consumers, a trend likely to continue as digital first generations like Gen Z become an ever-greater proportion of the consumer market, uptake amongst corporate and institutional customers has been slower. This is largely down to a lack of fintech businesses serving the more complex needs of the institutional market, but, in a post-Covid world of hybrid working business, corporate clients are looking for the same ease of use and geographic freedom in their banking that is enjoyed by retail consumers.

This is not just a pipe dream – with the recent roll out of Apex Group’s Digital Banking services, institutions can enjoy the kind of multi-currency, cloud-based banking solutions, with 24/7 account access that many of us take for granted when it comes to our personal banking.

Staying compliant

One significant difference between retail and business accounts however, for banking service providers, is the relative levels of compliance which are needed. While compliance is crucial in the delivery of all financial services, running compliance on multi-million pound transactions between international businesses brings with it a level of complexity that an individual buying goods and services online doesn’t.

For digital banking services providers, this situation is further compounded by guidance earlier this year from HM Treasury – against the backdrop of the Russia-Ukraine conflict- requiring enhanced levels of compliance and due diligence when it comes to doing business with “a high-risk third country or in relation to any relevant transaction where either of the parties to the transaction is established in a high-risk third country or with a sanctioned individual.”

So, can digital banks meet these standards while also providing institutions with the kind of easily accessible, mobile service which retail customers enjoy?

The answer is yes and again, once initial hurdles are overcome, digital banking brings with it features which give it the edge over traditional banking services. Paperless processes, for example, mean greater transparency and allow for better and more efficient use of data. This means AI can be employed to search documents, as well as provide verification. It also means compliance processes, often notoriously complicated, become easier to track. Indeed, digitising time intensive manual process means the risk of human error in the compliance process is reduced.

Digital banking can also better integrate transaction monitoring tools, helping businesses identify fraud and irregularity more quickly. This can be hugely important, especially in the times of heightened risk we find ourselves in, where falling foul of a sanctions regime could have significant legal, financial and reputational consequences.

Cross-border business

Our world is increasingly globalised, and so is business. For corporate and institutional banking customers, being able to operate seamlessly across borders is key to the operation of their business.

This brings with it challenges, which are again compounded by difficult geopolitical and economic circumstances. In recent weeks for example, we’ve seen significant flux on FX markets which can have real consequences for businesses or institutional investors who are buying and selling assets in multiple currencies and jurisdictions. The ability to move quickly then, and transact in a currency of choice, is vital. Advanced digital banking platforms can help – offering automated money market fund sweeps in multiple core currencies to help their clients optimise their investment returns and effectively manage liquidity.

Control admin uncertainty

In times of uncertainty, digital banking can provide additional comfort via customisable multi-level payment approvals to enhance control of what is being paid out of business accounts, with custom limits available for different users or members of a team. Transparency and accountability are also essential, with corporate clients requiring fully integrated digital reporting and statements and instant visibility with transaction cost and  balances updated in real-time.

Outlook

For some, the perception remains that digital banking is the upstart industry trying to offer the services that the traditional banking industry has built itself upon. Increasingly however, the reality is that the pressure is on traditional banks to try and stake a claim to some of the territory being taken by digital first financial services.

With a whole range of features built in which make them well suited to business in a digital world, digital banking is on a growth trajectory. Until now, much of the focus has been upon the roll-out of services to retail consumers, but with features such as automated compliance, effortless international transactions and powerful AI coming as standard for many digital banks, the digital offering to the corporate world looks increasingly attractive.

Continue Reading

Business

Anyone Can Become an R&D Tax Expert with the Right Foundations

Source: Finance Derivative

Ian Cashin is a Customer Success Manager at Fintech company and R&D tax software provider WhisperClaims

For accounting firms, R&D tax credits offer a substantial opportunity to boost revenue and strengthen client relationships. According to Ian Cashin, Customer Success Manager at WhisperClaims, perceived complexities can be overcome with the right approach and support. Indeed, by embracing a few simple practices, any company can become an expert in R&D tax.

Building Confidence

Growing revenue through new business is far more challenging than unlocking revenue from an existing client base. However, a significant number of accounting firms are losing out on value-added opportunities as a result of their lack of confidence or knowledge in R&D tax relief.

Yet, advisors who follow best practice are now in an ideal position to use their extensive client knowledge to mitigate their clients’ risk of and potential exposure to interrogation over fraudulent claims, ahead of HMRC’s introduction of more stringent R&D tax processes in April 2023.

So why are firms reluctant? There is no doubt that the R&D tax credit procedure is different. Compared to other areas of tax regulation, it leaves greater room for interpretation. But it is readily understandable by a qualified accountant – even an unqualified trainee. Understanding what HMRC considers to fall under the scope of research and development is key. Astrophysicists and Formula 1 manufacturers are not the only people who employ science and technology to overcome business challenges. Every day, UK firms of all sizes engage in R&D activities, from civil engineers to food manufacturers, yet far too many have not yet filed claims, losing out on critical cash.

The most important thing to keep in mind is that, as an accountant, you already have a far deeper relationship with your client compared to any other service provider. Once you have raised your level of understanding, you are in the perfect position to optimise this.

Leveraging  Insight

Accountants already have a unique understanding of their clients’ operations –  insight which,  as professional advisors, will help to highlight companies most likely to qualify for an R&D tax rebate. Furthermore, with access to tools like R&D tax claim preparation technology, developed by R&D tax professionals, they are able to significantly speed up the process. This technology enables accountants to easily determine the top targets within their client base, indicating where to focus the efforts of their emerging R&D tax service.

Using this priority list in conjunction with their understanding of the criteria HMRC stipulates, an accountant can leverage their client knowledge and relationship to engage in a conversation regarding daily R&D activities and unlock potential tax relief opportunities.

Moreover, facilitated by a specialist R&D tax claims preparation platform, accountants can be assured of a structured process that prompts the right questions to ask clients during these conversations, and highlights answers that are either in sync with, or fall outside of, the HMRC parameters. For instance, ca restaurant owner adding vegan alternatives to the menu is not on the same level as a food producer starting the development and manufacturing of a fully plant-based product line. The latter will undoubtedly be eligible for R&D tax assistance, but not the former. Accountants should use their position as “professional advisors” in this situation to push back against clients, especially those who may have previously been unwittingly misled.

Best Practices

For the last twenty years, since the introduction of R&D tax rebates in 2001, best practice has been the provision of a detailed report, complementary to the CT600 form, to mitigate the chance of HMRC asking supplementary questions. The technical purpose of the claim as well as the business context must be covered in this report, e.g. the challenges faced; how science and technology were used to overcome these; and the professionals employed who overcame them. Simply put, if the challenges weren’t difficult to solve, it wasn’t R&D.

It’s also critical to keep in mind that R&D claims cannot simply be copied and pasted from year to year. R&D is not necessarily a constant; demand for it changes in line with the evolution of the business’ activity or stage of development. as businesses change and go to the next stage of development.

The accountant’s already solid client relationship and interpersonal abilities come into their own in such situations. Particularly if the appropriate course of action is to suggest that the client should not submit an R&D claim, an accountant must feel comfortable advising the client accordingly. The claim belongs to the client; if it is contested, the client will be the one facing an HMRC investigation. An advisor must be self-assured enough to refuse to input erroneous claims without endangering the client relationship.

Conclusion

Recent years have seen accountancy firms strengthen their position as dependable, trusted business advisors. Discussions regarding a business owner’s long-term objectives, succession and exit plans, as well as pensions and investments, have become commonplace. It should be natural to include R&D tax into these conversations . Asking a customer about their investment in R&D should be a common practice – business as usual –  just as it is to inquire about investment in infrastructure or buildings.

The only thing preventing accountants from successfully adding R&D tax to their suite of services  is a lack of confidence. Yet, any reservations can be addressed with a straightforward ‘back to basics’ R&D training course, as well as using technology to gain access to a completely new revenue stream with their current clientele. Now that HMRC is openly calling for a much more rigorous, trusted, and evidence-based approach to R&D tax from 2023, accountants hold all the cards they need to gain confidence and give clients the trusted service they desire.

Continue Reading

Copyright © 2021 Futures Parity.