How to Maintain Your Insurance Firm’s Cyber Resilience Whilst Remote Working

If your insurance firm is maintaining an agile, hybrid workforce, you should consider the implications this will have on your cyber resilience capability. Addressing these six areas will enable you to maintain your cyber resilience whilst remote working.

Many of us will look back on 2020 as the year that everything changed. The ongoing coronavirus pandemic has brought many organisations’ operational strategies forward at pace, necessitating changes that would have otherwise been executed over months and years to take place over literally days and weeks.

In the world of insurance, many firms will be transitioning over the coming quarter to a ‘new normal’ hybrid working culture, where office-based work will be complemented by increased remote working. This transition from short-term ‘keep the lights on’ actions to longer-term strategic decisions will not be without its challenges, especially with regards to cyber resilience.

Meeting the Demands of the PRA’s CQUEST Questionnaire

Insurance firms hold highly sensitive information that requires high levels of security. Recognising this, the Prudential Regulation Authority (PRA) has developed the CQUEST questionnaire for assessing firms’ cyber resilience capability.

Your firm will need to demonstrate to the PRA that it maintains high levels of cyber resilience whilst maintaining an agile, hybrid workforce. And technology alone is not enough to achieve comprehensive cyber resilience capabilities.

In this new hybrid working operating landscape, many rules will be broken/bent/generously interpreted not for malicious reasons but simply to get things done. This may work in the short-term, but the ‘new normal’ will require a reassessment of these rules to ensure they remain fit for purpose. In this blog we will provide guidance around how your insurance firm can demonstrate to the PRA that it maintains appropriate cyber resilience capabilities whilst remote working.

Maintain Your Firm’s Cyber Resilience Whilst Remote Working

When you expand your insurance firm’s operating footprint, you introduce threat vectors through which cyber criminals can target you whilst simultaneously increasing the risk of accidental data breach. This is bad news if you’re responding to the PRA’s CQUEST questionnaire, which seeks to assess, at a high level, a firm’s cyber resilience capability.

However, there are steps your firm can take to maintain its cyber resilience whilst remote working. We’ll take you through six of the key steps one at a time.

• Implement multi-factor authentication. Properly configured multi-factor authentication (MFA) is the first line of defence against a compromised account. In an ideal world, all accounts should have MFA enabled. However, we appreciate this may not always be a practical solution. You may want to look at alternatives like risk-based authentication, which we describe below.
• Consider risk-based authentication. Risk-based authentication is a good option for insurance firms looking to enhance cyber security without adversely affecting user experience. Built around a set of rules such as first sign-in from a new location, device, or a user’s risk score which is based on their behaviour. Think about Verified by Visa – if you’re logging into a website you’ve purchased from before, from your home laptop, you’ll be allowed through. If you’re on an unfamiliar website, perhaps on a new device or from a different location, you will be challenged with MFA or even denied. The same principles apply here.
• Use location services. Do you know where your users are? IP addresses are geo-locatable, which is extremely useful when it comes to monitoring and alerting on suspicious activity. Impossible travel alerts, triggered by the likes of a login from a UK location immediately followed by a login from a US location from the same IP address, are an early indicator of a compromised account. And even better, this functionality is included in Microsoft 365 and Azure.
• Train your people in cyber security best practices. Remote working impacts on employees, clients and IT teams. The simple fact is that where you introduce people, you introduce risk. Minimise this risk by providing continual training around cyber security best practices. People are less likely to follow these best practices when working from home, so it’s important that you target this training to make sure they remain educated and alert.
• Review your data management processes. Confidential, commercially sensitive information should be controlled. Your insurance firm should have processes in place to maintain the confidentiality, integrity and availability of data. However, many processes have been broken by COVID-19. If your people have sensitive documents stored locally, you need to get them under control. You should scan remote devices for potential compromises before reintroducing them to the corporate environment. And at the same time, you should check local document stores for any legally privileged information stored there that shouldn’t be – bring it back under central control.
• Optimise your technology. Whether it’s hardware access, connectivity, access to sites/systems, cyber security tools, or even something as seemingly simple as printing privileges, technology has the potential to go a long way towards solving many of the cyber resilience challenges your insurance firm faces. Productivity tools such as Microsoft 365 have all the cyber security features you will need. However, you need to invest time in configuring your Microsoft 365 tenancy to ensure the most appropriate levels of security, agility and performance.

Adapt to Thrive in the New Normal

By taking the appropriate steps, your insurance firm can implement people, process and technology measures that will enable your people to be brilliant at what they do. At the same time, these steps will enable you to demonstrate your cyber resilience capability to the PRA.

If you would like support in completing the CQUEST questionnaire and enhancing your firm’s cyber resilience capability, Six Degrees can provide this with our consultancy and managed cyber security services. Learn more about our cyber resilience support capabilities.