Combating rising cyber threats and fraud in insurance sector

Resilience must become a strategic differentiator -- encompassing risk identification, real-time response, and vigilance across the value chain.

DQI Bureau

Gaurav Banka.


India's digital insurance trajectory means: Big growth, and bigger risks! 


India’s life insurance industry is undergoing a rapid digital transformation, unlocking massive potential for financial inclusion, operational agility, and customer-centric innovation. As per a report by the Confederation of Indian Industry, India is projected to become the sixth-largest insurance market globally by 2034, growing at a CAGR of 32–34%. This growth is being propelled by digitisation across the value chain, from onboarding and claims to customer servicing.

However, with this progress comes risk: the rapidly expanding cyber threat landscape. As digitisation deepens, attacks from malicious actors have also increased. Insurers today are custodians of not just financial capital, but also sensitive health, identity and behavioural data, making them attractive targets.

In 2023, CERT-In recorded over 1.6 million cybersecurity incidents, underscoring the need to embed cyber resilience within digital strategies. To fully realise the benefits of digital expansion, insurers must ensure that cyber readiness evolves in lockstep with innovation.

Cyber risk as a business imperative
Cybercrime has outpaced conventional business threats and is now ranked as the top global risk. According to the World Economic Forum, scammers siphoned off over $1 trillion globally last year, with some countries incurring losses exceeding 3% of their GDP. The BFSI sector, including insurance, is facing a new reality: the sophistication of threat vectors is evolving significantly faster than mitigation measures.

Furthermore, mitigation measures remain primarily reactive relative to the sophistication of these threat vectors. In India, where digital infrastructure continues to develop and regulatory frameworks are evolving, the risk is compounded.

This requires a mindset shift across boardrooms and business units. CIOs, CISOs and Chief Risk Officers must move beyond reactive compliance to adopt a proactive, intelligence-driven approach to threat mitigation. Investments must span beyond perimeter defences—towards embedding cybersecurity into organisational culture, data strategy, and governance frameworks. 

Vulnerabilities in a digital era
Life insurers have adopted technologies like AI-driven underwriting, digital KYC, mobile-first servicing, video pre-issuance validations and paperless claims. But these innovations bring new vulnerabilities. Cybercriminals are using GenAI tools to run sophisticated scams, from voice clones to deepfakes.

According to a Deloitte survey, around 60% of Indian insurers observed a significant rise in fraud post-digitisation. This coincides with a more complex threat landscape, where traditional fraud detection is no longer enough.

To tackle the increasing cyber threat and to protect customers' sensitive information, the government introduced the Digital Personal Data Protection Act (DPDPA), a progressive step to enhance transparency, accountability, and consumer trust. The Act encourages stronger internal controls and data governance aligned with digital innovation.

The high cost of complacency
Recent high-profile breaches across the industry, ranging from database leaks to social engineering attacks, demonstrate that insurance data, rich in KYC details, financial records, customer profile and health data, is among the most coveted by threat actors.

While technical vulnerabilities can be exploited, it is often lapses in operational oversight and delayed detection that cause the most damage. With customer trust on the line, insurers must consider breach readiness as fundamental as solvency.

Policyholders at risk
The threat doesn’t end at the enterprise level. Policyholders are being directly targeted through increasingly creative scams:
•    Spurious calls impersonating insurers or IRDAI officials
•    Fraudulent websites and mobile apps mimicking legitimate services
•    Misuse of leaked data for identity theft or bogus claims.

In this context, customer-facing security measures, such as secure self-service portals, proactive communication, and public awareness initiatives, are just as critical as internal firewalls. These measures serve a dual purpose: protecting customers from harm while also reinforcing the insurer’s credibility and commitment to safeguarding their data.

Data analytics: A silent sentinel for risk mitigation
A vital enabler in combating fraud and cyber risk is the strategic application of data analytics. Life insurers sit on vast repositories of structured and unstructured data, and with the right tools and governance, these datasets can uncover anomalies, predict risks, and personalise safeguards.

Data analytics has significantly enhanced performance across fraud detection, customer experience, product design, and distribution. With AI/ML layered on top, analytics can now detect deviations in behaviour patterns, automate red flags, and inform more intelligent underwriting in real time.

Moreover, it also streamlines operations, eliminates redundancies, and strengthens channel oversight - especially vital across varied distribution models.

From compliance to capability: Building cyber resilience
The industry must adopt a layered defence strategy, one that includes technology, training, and testing. Recommended approaches include:
•    AI and behavioural analytics to detect fraud at the source
•    Biometric and liveness verification to counter deepfake-based identity fraud
•    Tabletop cyber drills and red team exercises to prepare teams for real-world threats.

Insurers must treat their workforce as the first line of defence. Regular training and awareness campaigns can significantly reduce phishing incidents and social engineering attacks. According to an IBM report, organisations with well-trained employees experienced nearly 19% lower average breach costs compared to those with limited training investment. In a high-risk digital environment, investing in cyber awareness is a cost-effective strategy that strengthens organisational resilience.

Looking ahead: A strategic imperative
As India’s insurance sector accelerates towards digital maturity and sophistication, the cyber threat landscape will only become more complex. Resilience must become a strategic differentiator -- encompassing risk identification, real-time response, and vigilance across the value chain.

Ultimately, a secure insurer is not just one that prevents attacks, but one that earns and sustains trust with every digital interaction.

-- Gaurav Banka, Chief Risk Officer (CRO), Aviva India
