This is one of several posts of the topic of security of websites. Inspired by my initial post on the security of UK banks.
The reason for splitting this data into multiple posts is to make it more manageable. So that data on one institution is not mixed with data on another type of institution.
I thought it would be interesting to look at each bank in the UK to see if when you visit their company homepage, is that secure by default? That is, is the page loaded by HTTPS? There are more tests than this that you could do, but that’s the baseline. If they can’t meet that then the other tests are meaningless.
Some banks provide the website in both http and https versions. This is bad practice. If someone visits the website as http then the customer should be served the https version of the page.
Also please note, these test results are for a desktop computer visiting the website. A mobile phone may well get a different experience. In other words desktop visitors may get a secure site, but mobile visitors might not. Or vice versa.
The following key is used for the secure status:
| Yes | The site is secure, loaded via https |
| Dual | The site can be loaded via http, or via https. |
| Invalid | The site loads via https, but the security certificate is invalid and thus the site is insecure. |
| Partial | The site loads via https, but loads some parts of the page without https. The site is insecure. |
| No | The site is loaded via http, not via https. |
| Fixed | The site is loaded via https, but at the time of first writing it was loaded via http. |
| ?? | We could not find a website to evaluate. |
We tested 23 insurance companies. We found 7 insurance companies that did not have a secure home page (not https or did have https with an invalid security certificate). That is 30% of UK insurance companies have security vulnerabilities.
| Insurance Company | Secure | Home Page |
|---|---|---|
| AEGON UK | Yes | https://www.aegon.co.uk/index.html |
| AXA | Yes | https://www.axa.co.uk/home.aspx |
| Allianz SE | Yes | https://www.allianz.com/en/ |
| Aviva | Yes | https://www.aviva.co.uk/ |
| Direct Line Insurance | Yes | https://www.directline.com/ |
| FM Global | Yes | https://www.fmglobal.com/ |
| Hiscox | Yes | https://www.hiscox.co.uk/ |
| Legal & General | Yes | https://www.legalandgeneral.com/insurance/ |
| NFU Mutual | Yes | https://www.nfumutual.co.uk/ |
| Old Mutual | No | http://www.oldmutualplc.com/ |
| Phoenix | No | http://www.phoenixlife.co.uk/ |
| Prudential | No | http://www.prudential.co.uk/ |
| QBE Insurance | Yes | https://www.group.qbe.com/ |
| Royal London Asset Management | Yes | https://www.rlam.co.uk/ |
| Royal London Group | Yes | https://www.royallondon.com/ |
| RSA Insurance Group | Yes | https://www.rsagroup.com/ |
| Standard Life | Yes | https://www.standardlife.com/dotcom/index.page |
| Southern Rock Insurance | No | http://www.sricl.com/ |
| XL Group | No | http://xlgroup.com/ |
| Zurich Insurance | Yes | https://www.zurich.co.uk/ |
Guest posts
No, we’re not interested in having a guest post about finance related topics. These articles are about security, not finance.
Original post
This post was originally published 15 Dec 2017 on the softwareverify.com blog. We moved these posts to this dedicated domain 27 March 2025.