Cyber Threats to the Insurance Industry - Are You at Risk?

In 2023, the cyber risks for insurance companies reared their head in the form of the MOVEit File Transfer cyberattack. Multiple insurance companies, including Sun Life, Prudential Insurance, New York Life Insurance Company, and Genworth Financial, were targeted in insurance company cyber attacks between May and June. A significant number of customer accounts were compromised because of a vulnerability that was identified by unauthenticated attackers, allowing them to do an SQL injection that got access to the MOVEit Transfer’s database that moves and stores sensitive customer information. For instance,  Genworth Financial faced a cyber threat that impacted up to 2.7 million individual accounts. These incidents only emphasized that cyber threats to the insurance industry can come from anywhere. 

Why insurance company cyberattacks are increasing

Insurance companies have often found themselves in the crosshairs of cyberattacks, especially after banks implemented highly secure networks that make them harder to breach. As with any industry, reaping the benefits of big data, AI, and the Internet of Things (IoT), comes the risk of cyberattacks. 

Insurance agencies possess databases full of personally identifiable information (PII). That includes personal data, social security numbers, income details, property information, and much more. They also store data on businesses and have an overview of their assets. This information in the wrong hands could be used to commit several fraudulent activities. For an insurance company, this means lawsuits, large settlements, fines for breaching regulations, reputational damage and even paying ransoms to cybercriminals. 

However, it is not only PII information that cybercriminals are interested in. The information in insurance applications, particularly for corporate commercial insurance, contains information that provides hackers with insights that could extend their nefarious activities.

Some of the commercial insurance information that cybercriminals consider invaluable:

• The amount of insurance a company wants to purchase in their cyber-risk applications is just what cybercriminals want to know. They know exactly what to ask in a ransom demand. 

• Insurance industry cybersecurity applications will also show deep insights into a company’s technology such as software patches or legacy systems. It will also detail the deficiencies identified in a company’s network security.

• Insurance companies also have their corporate data to protect. Then, they are specialized insurance products like errors and omissions policies or directors and officers policies containing valuable insights into trade secrets, private information concerning key company executives, and data related to potential business transactions. 

  Cybersecurity for insurance strategies should include encryption of data or the use of incorruptible blockchain technology to keep information secure and reduce the increasing cyberattacks the insurance industry is facing.

Also Read: Authorization and Authentication Process: 5 Ways to Fix Security Gaps

Strategies to reduce insurance company cyber risks

Different types of cybersecurity threats are common across industries but the insurance industry is often at a higher risk. Insurance companies need to up their game when it comes to due diligence. These are the red flags that need to be recognized and strategies put in place.

Lack of cybersecurity training

Employees are the most susceptible to malware attacks and phishing attempts. Insurers are at greater risk since they receive numerous files, links, and emails in a day. Not investing time and money in cybersecurity training could see an employee clicking on a suspicious link that could house malware. 

Not identifying social engineering ploys in time could have disastrous effects. Social engineering is a tactic that cybercriminals use to trick victims into providing sensitive data. They often pose as company officials to establish a line of trust and use an urgent tone to lure the victim into bypassing security protocols to save time.. Insurers have to communicate with clients and third-party businesses all the time and this exposes them to phishing calls, messages and emails. 

Companies must realize the value of vigilant employees and invest in periodic cybersecurity training. It can help employees be aware of new social engineering and phishing methods while also training them to identify breaches. 

An Accenture survey found that up to 98% of security breaches that went undetected by a firm’s security team were discovered by employees. 

Using outdated cybersecurity software 

Malware and ransomware evolve every day as cybercriminals look to exploit newfound vulnerabilities. Software updates are important to protect systems.  Not installing the latest security patches leaves the door wide open for cybercriminals. Hackers can use known and tested vulnerabilities to compromise a system.  

Many argue the role of security solutions as they seem to stay a step behind constantly evolving threats. Most antivirus and cybersecurity software detects only recognized malware and may allow newer variants to slip through. However, they are still the first line of defense, and failing to update them risks exposure to various types of cybersecurity threats. 

Ransomware attacks are growing in the insurance sector as proven by the attack on CNA a few weeks ago. They encrypt data and lock a company out of their systems. Attackers threaten to leak stolen data if a ransom is not paid. In CNA’s case, it was a new, advanced strain of ransomware that got past their security. Had they been using outdated cybersecurity software they would have been a victim of more commonly used ransomware. 

Investing in a comprehensive cybersecurity solution is key. Regular monitoring and updating software can fortify an insurer’s systems. 

Cybersecurity for the insurance industry needs an investment in software that  offers several features:

• Identity and access management
• Endpoint protection, detection, and response
• Firewalls and VPNs
• Intrusion prevention and detection 
• Antimalware/Antivirus
• Encryption tools
• Vulnerability scanners
• Data loss prevention
• Security information and event management (SIEM) capabilities
• AI and Automation for cybersecurity to reduce and alert breach risks

Improper cloud and application security practices

Insurers are adopting cloud services rapidly. While it stores all data under one roof, simplifying access, it’s also something that hackers love to target. Misconfigured storage, insecure APIs, and unauthorized access are common ways that hackers can breach security. 

Inadequate security measures and practices could put a cloud system at risk. For example, a DDoS attack could cripple cloud services and steal PII and other policyholder data in the background. 

The importance of cybersecurity should be at the forefront when creating applications, cloud networks, and websites. Security, when built into these systems right at the start, can prove to be cost-effective rather than adding it later on. Following industry standards for secure coding can also prevent applications from processing malicious input. 

Not using AI and Automation to fortify defenses

Enhancing cybersecurity within the insurance industry requires a strategic approach beyond human-scale capabilities. Embedding artificial intelligence into security tools and logging systems proves instrumental in fortifying defenses. These AI-driven technologies not only facilitate real-time monitoring of potential cyber threats but also offer valuable insights for effective response strategies. The adaptive nature of AI-based tools allows continuous learning from identified vulnerabilities or past attacks, reinforcing the overall cybersecurity framework over time Embracing such advanced technologies becomes pivotal for insurers aiming to stay resilient in the face of evolving cyber challenges.  Get more insights into 

Mismanagement of confidential data

Sensitive data can be disclosed inadvertently due to sheer negligence. Whether it is as simple as forgetting to shred important documents, serious security lapses also occur when using personal email accounts to access classified files or just posting a picture of your workplace on social media, they could all potentially leak sensitive information. 

Websites aren’t safe either. Flawed designs can leak personal and financial information without hackers trying too hard. First American Financial Corp. - a leading title insurance company inadvertently disclosed sensitive data on their website in May 2019. Anyone with a URL to a valid document could get unauthorized access to other documents by simply changing a few digits in the link. Approximately 885 million files full of mortgage data, tax records, social security numbers, bank account numbers, and statements were made public due to mismanagement of sensitive data. 

Inadvertent disclosure can be avoided by enforcing strict cybersecurity protocols regarding handling documents, using unauthorized devices, and accessing personal emails and social media. Limiting authorization to specific personnel can help too. Logging access history can help identify where data was compromised and the employee or customer responsible. Insurers must follow guidelines and compliances when dealing with third-party vendors as they also provide an avenue for data leaks. 

No contingency plan

Who would understand the need for a contingency plan better than an insurer? Not having a comprehensive incident response plan (IRP) in place can render insurance companies powerless during cybersecurity breaches. IRPs have strategies that cover preparation, detection and analysis, containment, eradication, recovery, and post-incident activity. 

Cybersecurity teams must subject IRPs to periodic drills. This helps detect breaches, isolate compromised devices, and secure backed-up data quickly. Regular backups stored in secure locations can limit data loss and keep operations afloat in the event of a cyber attack. 

How an insurer chooses to act during a data breach could prevent large-scale data theft and save the company from class-action lawsuits and severe reputational damage. 

Also Read: Why Implementations Often Cost Millions and Take 18 Months or More?

Trust is what keeps the insurance business running which is why customers must be confident of cybersecurity in insurance industry dealings. Machine learning and artificial intelligence are not only pushing the insurtech business, it’s changing how insurers adopt cybersecurity measures. While they might not be foolproof, their ability to analyze large volumes of data enables them to protect systems against malware, ransomware, and advanced persistent threats.

Insurtech companies like SimpleSolve offer multi-line insurance platforms with several cybersecurity features built-in and PII compliant. 

Insurers must constantly assess where their cybersecurity strategies stand and understand the risks they face. Insurance companies like CNA Financial and Chubb are known for their understanding of cybersecurity and cyber insurance. If they can be breached one can only imagine the security implications it can have on companies that do not have highly advanced cybersecurity systems.