Securing the insurance ecosystem – a zero trust approach to enterprise resilience
By Ho Chee Keong, Senior Vice President, Technology Solutions - Cybersecurity, MSIG Asia
Published by Enterprise Security Magazine APAC

Trust as the foundation and the weakness
In insurance, trust is not an abstract concept. It is the foundation on which policies are written, claims are assessed, and partnerships with brokers, reinsurers, and clients are built. As insurers, we handle a significant volume of sensitive information, ranging from personal identifiers and financial records to claims documentation and exposure data. Protecting such information is critical to maintaining customer confidence and ensuring the integrity of our operations.
Cybersecurity in this context is a cornerstone of our operational resilience. It reflects how well an organisation can safeguard stakeholder interests and maintain continuity in an increasingly complex digital and threat landscape.
Yet the very trust that underpins our industry also creates an expanded attack surface. Threat actors are exploiting established business relationships and familiar communication channels to bypass technical controls. Sophisticated social engineering campaigns, business email compromise, and credential stuffing attacks are increasingly launched through compromised third-party domains or trusted cloud-based platforms, allowing attackers to blend into legitimate traffic and conceal their activity.
What zero trust means in practice
Zero Trust is a security approach that assumes no user, device, or network can be trusted by default. Every interaction must be continuously validated based on identity, context, behaviour, and risk.
In an industry that operates across jurisdictions and relies on complex third-party integrations, this approach is particularly relevant. It requires verifying user identity and device posture before granting access, isolating systems to contain breaches, and acknowledging that even longstanding partners can be compromised. Done right, it enhances our ability to protect sensitive data, meet regulatory expectations, and maintain operational resilience.
Insurance as an interconnected ecosystem
The insurance ecosystem is highly interconnected. Core platforms interface with claims, CRM, and finance systems. Adjusters, legal counsel, and outsourced service providers work alongside internal teams. Brokers and reinsurers rely on timely data flows and shared access to systems.
Traditional perimeter-based models cannot adequately secure this environment. Without segmentation and continuous verification, a single breach, whether internal or external, can propagate rapidly. Zero Trust addresses this risk by treating every identity, API call, and data flow as untrusted until proven otherwise. Enforcing strict verification and real-time monitoring limits exposure and helps sustain operations even during incidents.
Aligning the enterprise
Implementing Zero Trust is not simply a technology project. It requires alignment across governance, operations, and culture.
Security teams must design for breach containment through measures such as micro-segmentation, adaptive access controls and behavioural and risk analysis. Business units need to understand that vendor relationships do not equate to ongoing security assurance.
Equally important is user awareness. Employees remain a key target for attackers, particularly in business email compromise and impersonation scenarios. Zero Trust cannot succeed if users are unaware of how trust can be exploited. Structured, ongoing education on phishing detection, safe handling of sensitive data, and clear escalation channels for reporting anomalies is essential. Embedding these practices into daily workflows turns employees from passive risk points into active participants in organisational defence.
Developers also play a critical role. Security by design should be standard practice, incorporating contextual identity verification, encryption, and least privilege models. Legacy practices such as static whitelisting, hardcoded credentials, and unauthenticated APIs must be phased out.
Legal and compliance teams support this effort by translating contractual obligations into enforceable controls. This strengthens alignment with most Technology Risk Management guidelines and ensures audit readiness.
Calling out the human layer in zero trust
Technology alone cannot deliver Zero Trust. Regular awareness programmes, scenario-based phishing simulations, and clear reporting pathways empower employees to recognise and disrupt attacks before they escalate. The threat landscape continues to evolve, and building cybersecurity capabilities is an ongoing effort. Business email compromise has evolved beyond phishing. Generative AI now enables attackers to craft highly convincing messages, simulate executive voices, and even produce synthetic video content.
In the insurance sector, where partner communication is constant and often needs to be timely, these tactics pose real operational risks. A deepfake video instructing a payment change or a spoofed broker email requesting sensitive data can cause significant harm.
This challenge is amplified by the implicit trust often placed in cloud-based platforms. Incident investigations and triage have shown that spoofed emails can evade even advanced filtering when sent from compromised or seemingly trusted cloud tenants.
This risk is highly relevant in Microsoft 365 environments, which many organisations depend on for business communication and workforce collaboration through services such as Outlook and Teams. Misconfigured cross-tenant trust settings and inadequate DMARC policies that rely on default settings can allow malicious content to bypass protections and reach users across both email and collaboration channels. These developments reinforce a core principle: modern threats do not only exploit technical vulnerabilities; they exploit assumptions.
Building a resilient posture
A mature Zero Trust strategy includes continuous identity verification, context-aware access controls, least privilege principles, micro-segmentation, and behavioural analytics. Together, these measures create a layered defence that limits the impact of compromises and prevents lateral movement within systems. Zero Trust is more than a cybersecurity framework. It is an enterprise-wide strategy for resilience. In a complex and interdependent insurance ecosystem, it enables organisations to operate confidently, adapt to evolving risks, and recover from incidents with minimal disruption.
To protect the trust that defines our industry, we must move beyond assumptions. Trust must be verified, revalidated, and embedded into every process. This is not simply a technical necessity; it is a leadership responsibility. For insurers, it is also part of our broader commitment to integrity, professionalism, and customer-first thinking, contributing to a vibrant society and a sound future for the communities we serve.
Finally, even with the strongest preventive measures, no organisation is completely immune to cyber incidents. This is why cyber insurance has become a vital component of a comprehensive risk management strategy, offering financial protection, incident response support, and helping ensure business continuity in the face of increasingly sophisticated threats.