Insurers gear up to make cyber security a priority

The country's non-life insurers are gearing up to make cyber security a priority in their journey to full digitalization.

More than 200 executives from the Philippine Insurers and Reinsurers Association (PIRA) attended a two-day webinar on the topic, "Closing the Gap -- Cybersecurity and the Insurance Industry" organized by PIRA in partnership with the Insurance Institute for Asia and the Pacific (IIAP) and IPV Network, a local cyber security company with ties from global specialists in this field.

Mr. Ramon Dimacali, former chairman of PIRA and former president of IIAP, said insurance companies have much catching up to do when it comes to cyber security. "The banking sector embraced cyber security much ahead of us," he said. "I have talked with presidents of insurance companies and their main concern is they do not understand it. Hence this webinar."

Mr. Miguel Ramos, president of IPV Network, said he is honored to bring the best cybersecurity companies from other countries to the Philippines and offer their services to industries such as insurance.

IPV Network particularly mentioned CyberInt, a world-cybersecurity company that offers cutting-edge cyber security solutions. As the head cyber consultant to the Bank of Israel, CyberInt is the only company of its kind that offers a holistic approach to protection beyond the perimeter.

A senior cyber threat analyst of CyberInt based in the United Kingdom presented an intelligence report on the state of cyber threats in the Philippines. The analyst, who requested anonymity for security reasons, said insurance companies are the next best target of cyberattacks after healthcare and finance.

"You are a slow-moving target," the cyber threat analyst said. "In recent months, insurance companies in the US have experienced major breaches in cyber security and we expect such incidents to become more frequent as more and more people transition their business online."

Meanwhile, Mr. Ivan Ivan Jude Busgano, Product Marketing Manager of IPV Network, noted that most companies in the Philippines seldom take cybersecurity seriously.

"They leave it completely to their IT department and they think it is just for compliance. Oftentimes, the Cyber Security Team is a one-man team. This has to change. You cannot protect what you don't know. You cannot manage what you don't understand," he said.

Mr. Nir Greenberg, Senior Engineer of Illusive Networks, another Israeli company, talked about "Evaluating Risks and Implementing Controls," noted that companies are now more vulnerable because their employees are working from home.

"Servers are now being accessed via computers from employees' homes. Your vulnerability increases as you consider that even your supply chain is being accessed by people outside of your company. You can't know for sure where the attack will come from," he said.

Mr. Greenberg pointed out that 60 percent of attacks in companies that he has seen so far are internal. "This kind of attack is actually the most devastating because they involve people you know and trust," he said.

He went on to explain that the

usual insider attacks are perpetrated by disgruntled employees, or those who do not fit the organization's culture and refuse to be managed. And the work-from-home setup has made it easier for such employees to mount an attack on their company's systems.

"When people are at home with their computer, no one is watching their back. Now they can do whatever they want," Greenberg said.

How to Avoid Insider Attacks

CyberInt offered the following tips to insurance companies to prevent insider attacks:

1. Assume that there can be serious insider threats inside your organization, not just elsewhere.

2. Do not assume that background checks will catch all insider threats.

3. Accept that we will not catch all red flags.

4. Consider that insider conspiracies are possible, i.e. multiple insiders conniving to achieve a joint goal.

5. Establish multi-layered protection measures.

6. Recognize the role of organizational culture and employee disgruntlement.

7. Assume that insiders know about your security policies and how to work around them.

8. Know that your established security protocols are sometimes bent.

9. Focus on non-malicious sources of insecurity as well as malicious.

10. Don't just focus on prevention, and strengthen mitigation steps as well

IIAP President Ms. Herminia Jacinto stressed that the insurance industry does not have a choice but to confront the cyber security challenge in front of them.

"We have to face up to the challenge. The problems are already here," she said.

For more information, visit