In January 2020, citing recent court filings in the U.K., CBC reported that a Canadian insurance company, through its British reinsurer, had paid US$950,000 in response to a ransomware attack the previous year. This story highlights the very real risk that insurers could fall victim to costly, time-consuming cyber attacks.
How can business leaders in the insurance industry maintain robust protections, and what is the best way to handle insurance cyber security issues if they do emerge?
Cyber Security in the Insurance Industry: Threats Facing the Sector
An article from Deloitte outlined several scenarios in which insurance companies experienced greater cyber risk due to digital transformation initiatives.
“As insurers find new and innovative ways to analyze data, they must also find ways to secure the data from cyber-attacks,” the report noted.
The threats outlined in this article included:
- Large-scale data breaches targeting personal information from customers.
- Exploitation of vulnerabilities in internal systems to further financial fraud.
As we saw in the recent example involving Canadian and British companies, ransomware is also an important threat facing insurers.
Insurance company data breaches and credential-stuffing attacks
Insurance companies have access to large amounts of valuable data related to their customers, making these businesses a prime target for data breaches.
Customer self-service portals on insurer websites also make them targets for large-scale credential-stuffing attacks, in which username and password pairs leaked from other breaches are replayed against the portal's login page in the hope that customers reused them. This is what happened to the American insurer State Farm, as reported by ZDNet in 2019.
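Credential stuffing has a recognisable shape in login logs: many distinct usernames, each tried once or twice, a high failure ratio, and a short time span, which distinguishes it from a brute-force attack on a single account. The following is an added example written for this article (it is not code from the original page, from State Farm or from ZDNet) that runs two such detections over a constructed sample of portal login events. The log format, thresholds and IP addresses are assumptions chosen for illustration; adapt the parser to your own portal's logs.

```python
"""Credential-stuffing detection over constructed web-portal login log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: timestamp, source IP, username, outcome (not real data).
SAMPLE_LOG = """\
2019-07-06T10:00:01Z 203.0.113.7 alice.m FAIL
2019-07-06T10:00:02Z 203.0.113.7 bob.k FAIL
2019-07-06T10:00:02Z 203.0.113.7 carol.p FAIL
2019-07-06T10:00:03Z 203.0.113.7 dave.r SUCCESS
2019-07-06T10:00:03Z 203.0.113.7 erin.s FAIL
2019-07-06T10:00:04Z 203.0.113.7 frank.t FAIL
2019-07-06T10:00:04Z 203.0.113.7 grace.u FAIL
2019-07-06T10:00:05Z 203.0.113.7 heidi.v FAIL
2019-07-06T10:00:05Z 203.0.113.7 ivan.w FAIL
2019-07-06T10:00:06Z 203.0.113.7 judy.x FAIL
2019-07-06T10:00:06Z 203.0.113.7 ken.y FAIL
2019-07-06T10:00:07Z 203.0.113.7 leo.z FAIL
2019-07-06T10:01:00Z 198.51.100.4 alice.m FAIL
2019-07-06T10:01:30Z 198.51.100.4 alice.m FAIL
2019-07-06T10:02:00Z 198.51.100.4 alice.m SUCCESS
2019-07-06T10:05:00Z 192.0.2.99 bob.k SUCCESS
"""

# Assumed log format; a real portal's access log will differ.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<outcome>SUCCESS|FAIL)$")


def parse_events(text):
    """Parse log text into (timestamp, ip, user, outcome) tuples, skipping odd lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["outcome"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_attempts=10,
                               min_distinct_users=8, min_fail_ratio=0.8):
    """Per-source rule: flag an IP whose attempts in any sliding window hit many
    distinct usernames with a high failure ratio. Returns {ip: summary}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {e[2] for e in win}
            ratio = sum(1 for e in win if e[3] == "FAIL") / len(win)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                # Successful logins inside a stuffing burst are the accounts to reset.
                summary = {"attempts": len(win), "distinct_users": len(users),
                           "fail_ratio": round(ratio, 2),
                           "likely_compromised": sorted(e[2] for e in win if e[3] == "SUCCESS")}
                if best is None or summary["attempts"] > best["attempts"]:
                    best = summary
        if best:
            flagged[ip] = best
    return flagged


def distributed_stuffing_windows(events, window=timedelta(minutes=5), min_distinct_failed=10):
    """Global rule: stuffing tools rotate proxies, so also look for windows in which
    many distinct usernames fail from *any* source. Returns (start, end, n_users) tuples."""
    fails = sorted(e for e in events if e[3] == "FAIL")
    hits, start = [], 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        users = {e[2] for e in fails[start:end + 1]}
        if len(users) >= min_distinct_failed:
            hits.append((fails[start][0], fails[end][0], len(users)))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(detect_credential_stuffing(evs))
    print(distributed_stuffing_windows(evs))
```

Run against the sample, the per-IP rule flags 203.0.113.7 (12 attempts, 12 usernames, 11 failures) and names dave.r as the account whose reused password worked; alice.m's three attempts from 198.51.100.4 are below the threshold, as an ordinary forgotten-password sequence should be. The global rule is the one that still fires when the same burst is spread across hundreds of proxy addresses; in production, feed both rules to the same alert so the response (force a password reset on the accounts listed, rate-limit or challenge the offending sources, and check the portal for the leaked-credential feeds the attacker used) is triggered either way.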
Compromising internal systems
By leveraging a combination of malware and social engineering, which are sometimes executed through targeted spear-phishing campaigns, cyber criminals may be able to gain a foothold within internal systems that belong to insurance companies.
Business email compromise can then be used for espionage or to redirect legitimate payments, such as claims settlements or supplier invoices, into attacker-controlled accounts.
Ransomware and insurers
These attacks frequently involve the use of malware to encrypt or otherwise restrict access to data within large enterprises. Health care organisations, government agencies and educational institutions may be victimised, since they often can’t afford to lose access to critical tech services. Financial companies, including insurers, are also considered to be valuable targets. This is because they manage large flows of money, they’re well aware of the potential costs they could incur due to the attack, and their operations demand uninterrupted access to data.
Steps Insurance Companies Can Take To Mitigate Cyber Risk
With such an expansive threat landscape, it’s of vital importance that insurers develop a multipronged approach to cyber security. Here are some powerful strategies for reducing your risk profile.
Restrict access, require authentication and conduct data inventories
Criminals can't steal data you no longer hold. Keep an inventory of the customer data you store, and retain it only as long as business operations and compliance require. Encrypt the customer data you do keep, limit access to the smallest group of people who genuinely need it, and make sure that even those individuals must authenticate (ideally with multi-factor authentication) before they can reach sensitive information, with that access logged.
Monitor for new and emerging threats, and regularly educate your employees
The threat landscape is constantly changing, so insurance cyber security must always take a proactive approach. Do not underestimate the potential for innovative social engineering techniques to succeed even against the savviest individuals.
Preventing and responding to ransomware
Today, an important question plagues cyber security in the insurance industry: Should you pay the ransom?
Guidance from the UK National Cyber Security Centre (NCSC) says no. Paying marks you as a willing target and makes it more likely you will be attacked again, and the criminal groups behind these operations are not trustworthy: there is no guarantee that a working decryption key will be supplied at all. Even if access is restored, paying does not fix the underlying problem, because the attackers may still have a foothold in your systems.
To prevent and respond effectively to this type of threat, the NCSC recommends frequent, robust backups, including offline copies that an attacker on the network cannot reach, regular tests that those backups can actually be restored, and a defence-in-depth strategy that contains an incursion before it spreads across the network. As a strategy for insurance cyber security, defence in depth assumes that your organisation will be breached at some point. By layering multiple security controls across the organisation, you can detect the threat sooner, neutralise it and repair the damage more quickly.
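A backup only helps if you can prove, before restoring, that it was not silently encrypted or deleted along with the production data. The following is an added example written for this article (it is not code from the original page or from the NCSC) showing one way to do that: record a SHA-256 manifest of the backup tree, sign the manifest with a key that lives only with the offline copy, and compare a later state of the tree against it. The hypothetical `demo()` builds a tiny insurer-style backup in a temporary directory, simulates ransomware overwriting one file, deleting another and dropping a ransom note, and reports the difference; it uses only the standard library and runs offline.

```python
"""Backup manifest creation, signing and tamper check (standard library only)."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def sign_manifest(manifest, key):
    """HMAC over the canonical JSON form. An attacker who can rewrite the backup can
    also rewrite an unkeyed manifest, so the key must be kept with the offline copy."""
    data = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest, key, tag):
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_backup(root, manifest):
    """Compare the tree at root against a trusted manifest.
    'modified' catches encrypted-in-place files, 'missing' catches deletions and
    'unexpected' catches things like ransom notes that appeared afterwards."""
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unexpected = sorted(p for p in current if p not in manifest)
    return {"missing": missing, "modified": modified, "unexpected": unexpected,
            "ok": not (missing or modified or unexpected)}


def demo():
    """Constructed scenario: a clean backup, then the same tree after a simulated
    ransomware run. Returns (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "policies"))
        with open(os.path.join(root, "policies", "p1.json"), "w") as f:
            f.write('{"policy_id": 1, "holder": "example"}')
        with open(os.path.join(root, "claims.csv"), "w") as f:
            f.write("claim_id,amount\n1,100\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Simulated ransomware: encrypt one file in place, delete another, drop a note.
        with open(os.path.join(root, "claims.csv"), "wb") as f:
            f.write(os.urandom(32))
        os.remove(os.path.join(root, "policies", "p1.json"))
        with open(os.path.join(root, "README_DECRYPT.txt"), "w") as f:
            f.write("your files are encrypted")
        tampered = verify_backup(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest and its HMAC key should travel with the offline copy, not sit on the file server next to the data, or the attacker who encrypts the backup can regenerate both. Running `verify_backup` as part of a scheduled restore test is what turns "we have backups" into "we have backups we know we can use".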
Cyber security in the insurance industry is an important concern. Recent high-profile examples illustrate that threats are real, varied, damaging and costly. Because of the wealth of customer data available from insurance companies and due to the financial resources at their disposal, these businesses will always be subject to attempted cyber attacks. If you’re ready to take additional steps that can help your business mitigate risk and recover quickly, contact the experts at Saphisle today to learn how we can support your initiatives.