CNA Financial is probably a name you’ve heard recently. It’s the sixth-largest commercial insurance company in the USA and is also an established cyber insurance provider. It made the news on the 21st of March, 2021 when an official statement claimed that they had been a victim of a “sophisticated cybersecurity attack”.
Ransomware called Phoenix CryptoLocker affected fifteen thousand devices, disrupted their network, and impacted corporate mail and other systems. The amount of classified information that the attackers got their hands on is still unknown, but such a data breach in insurance can often start small and go undetected for long.
Why are cybercriminals targeting insurers?
Insurance companies have often found themselves in the crosshairs of cyberattacks, especially after banks implemented highly secure networks that make them harder to breach. As with any industry, reaping the benefits of big data, AI, and the internet of things (IoT), comes the risk of cyberattacks.
Insurance agencies possess databases full of personally identifiable information (PII). That includes personal data, social security numbers, income details, property information, and much more. They also store data on businesses and have an overview of their assets. This information in the wrong hands could be used to commit a number of frauds. For an insurance company, this means lawsuits, large settlements, fines for breaching regulations, reputational damage and even paying ransoms to cybercriminals.
With businesses taking to remote working due to the COVID-19 pandemic, cyber attacks have been on the rise. Without the safeguards of office cybersecurity systems, employees and organizations have been more vulnerable to cyber-attacks. This new vulnerability saw Phishing emails spike over 600% between February and March of 2020.
Red flags that insurers should worry about
There are different types of cybersecurity threats that are common across industries but the insurance industry is often at a higher risk.
Lack of cybersecurity training
Employees are the most susceptible to malware attacks and phishing attempts. Insurers are at greater risk since they receive numerous files, links, and emails in a day. Not investing time and money in cybersecurity training could see an employee clicking on a suspicious link that could house malware.
Not identifying social engineering ploys in time could have disastrous effects. Social engineering is a tactic that cybercriminals use to trick victims into providing sensitive data. They often pose as company officials to establish a line of trust and use an urgent tone to lure the victim into bypassing security protocols in order to save time. Insurers have to communicate with clients and third-party businesses all the time and this exposes them to phishing calls, messages and emails.
Companies must realize the value of vigilant employees and invest in periodic cybersecurity training. It can help employees be aware of new social engineering and phishing methods while also training them to identify breaches.
An Accenture survey found that up to 98% of security breaches that went undetected by a firm’s security team were discovered by employees.
Using outdated cybersecurity software
Malware and ransomware evolve every day as cybercriminals look to exploit newfound vulnerabilities. Software updates are important to protect systems. Not installing the latest security patches leaves the door wide open for cybercriminals. Hackers can use known and tested vulnerabilities to compromise a system.
Many argue the role of security solutions as they seem to stay a step behind constantly evolving threats. Most antivirus and cybersecurity software detects only recognized malware and may allow newer variants to slip through. However, they are still the first line of defense, and failing to update them risks exposure to various types of cybersecurity threats.
Ransomware attacks are growing in the insurance sector as proven by the attack on CNA a few weeks ago. They encrypt data and lock a company out of their systems. Attackers threaten to leak stolen data if a ransom is not paid. In CNA’s case, it was a new, advanced strain of ransomware that got past their security. Had they been using outdated cybersecurity software they would have been a victim of more commonly used ransomware.
Investing in a comprehensive cybersecurity solution is key. Regular monitoring and updating software can fortify an insurer’s systems. Cybersecurity software can offer a number of features like
- Identity and access management
- Endpoint protection, detection, and response
- Firewalls and VPNs
- Intrusion prevention and detection
- Encryption tools
- Vulnerability scanners
- Data loss prevention
- Security information and event management (SIEM) capabilities
Improper cloud and application security practices
Insurers are adopting cloud services rapidly. While it stores all data under one roof, simplifying access, it’s also something that hackers love to target. Misconfigured storage, insecure APIs, and unauthorized access are common ways that hackers can breach security.
Inadequate security measures and practices could put a cloud system at risk. For example, a DDoS attack could cripple cloud services and steal PII and other policyholder data in the background.
The importance of cybersecurity should be at the forefront when creating applications, cloud networks, and websites. Security, when built into these systems right at the start, can prove to be cost-effective rather than adding it later on. Following industry standards for secure coding can also prevent applications from processing malicious input.
Mismanagement of confidential data
Sensitive data can be disclosed inadvertently due to sheer negligence. Whether it is as simple as forgetting to shred important documents, serious security lapses also occur when using personal email accounts to access classified files or just posting a picture of your workplace on social media, they could all potentially leak sensitive information.
Websites aren’t safe either. Flawed designs can leak personal and financial information without hackers trying too hard. First American Financial Corp. - a leading title insurance company inadvertently disclosed sensitive data on their website in May 2019. Anyone with a URL to a valid document could get unauthorized access to other documents by simply changing a few digits in the link. Approximately 885 million files full of mortgage data, tax records, social security numbers, bank account numbers, and statements were made public due to mismanagement of sensitive data.
Inadvertent disclosure can be avoided by enforcing strict cybersecurity protocols regarding handling documents, using unauthorized devices, and accessing personal emails and social media. Limiting authorization to specific personnel can help too. Logging access history can help identify where data was compromised and the employee or customer responsible. Insurers must follow guidelines and compliances when dealing with third-party vendors as they also provide an avenue for data leaks.
No contingency plan
Who would understand the need for a contingency plan better than an insurer? Not having a comprehensive incident response plan (IRP) in place can render insurance companies powerless during cybersecurity breaches. IRPs have strategies that cover preparation, detection and analysis, containment, eradication, recovery, and post-incident activity.
Cybersecurity teams must subject IRPs to periodic drills. This helps detect breaches, isolate compromised devices, and secure backed-up data quickly. Regular backups stored in secure locations can limit data loss and keep operations afloat in the event of a cyber attack.
How an insurer chooses to act during a data breach could prevent large-scale data theft and save the company from class-action lawsuits and severe reputational damage.
Trust is what keeps the insurance business running which is why the importance of cybersecurity is not lost on insurance players. Machine learning and artificial intelligence are not only pushing the insurtech business, it’s changing how insurers adopt cybersecurity measures. While they might not be foolproof, their ability to analyze large volumes of data enables them to protect systems against malware, ransomware, and advanced persistent threats.
Insurtech companies like SimpleSolve offer multi-line insurance platforms with a number of cybersecurity features built-in and PII compliant.
Insurers must constantly assess where their cybersecurity strategies stand and understand the risks they face. Insurance companies like CNA Financial and Chubb are known for their understanding of cybersecurity and cyber insurance. If they can be breached one can only imagine the security implications it can have on companies that do not have highly advanced cybersecurity systems.