Insurance companies are among the businesses more reliant than ever on technology and information systems for daily processes. Insurance technology, or insurtech, improves the efficiency of the insurance industry but can also increase attack surfaces, making the data insurers collect more vulnerable to theft.
As more companies seek cyber insurance to protect themselves from the financial fallout of a data breach, insurers themselves are among the firms heavily impacted by the increasing scope and frequency of cybercrime.
After the COVID-19 pandemic, aside from the healthcare sector, the financial sector endured the most cyber events. This post looks at the impact that cybercrime has had on the insurance industry and how underwriters, who are no strangers to assessing risks, can use cybersecurity best practices to remediate and mitigate the cyber threats that affect them most.
Why Insurers Are Affected by Cybersecurity
Along with credit unions and payment institutions, insurers are among the financial institutions most affected by cybercrime. Insurers attract hackers for three main reasons:
- Sensitive data - Like other firms in the financial services sector, insurers that handle large amounts of customer data attract the attention of cybercriminals. Insurance-related data is particularly interesting to cybercriminals because of its inherent confidentiality. Often linked to policyholders, sensitive data helps insurers customize their policies, products, and prices for each client.
- Increasing attack surfaces - Insurers rely more on technology to provide up-to-date, personalized customer experiences and real-time insurance solutions. This growing reliance on technology can mean increased attack surfaces, leading to more potential vulnerabilities and potential for human error.
- Industry size - The size of the insurance industry, combined with the sensitivity and scope of the confidential data it collects, makes it a significant target for cybercriminals. In 2021, nearly 70% of the US population (about 220 million people) had private healthcare insurance.
Top Cyber Threats That Affect Insurance Companies
Cyber attacks can lead to the loss of confidential data, business, and reputation. The scope of personally identifiable information and sensitive data processed by insurers puts the industry at increased risk of social engineering and ransomware.
Business disruption through cyber incidents is also a major problem for insurance companies, which need to react quickly to fulfill their contracts and maintain the trust of their clients.
Reputational damage can be particularly difficult to recover from since trust is vitally important in the insurance sector. Bad publicity from a cyber attack can damage consumer confidence in the brand, leading to a loss of customers and revenue.
Social engineering is a significant cybersecurity threat across sectors. Cyber attackers use a variety of methods to trick unsuspecting employees or staff to give up credentials, sensitive data, or trade secrets. Social engineering attacks can also be used to carry out other types of attacks, such as phishing, ransomware, or identity fraud.
Ransomware attacks hold company data hostage until the targeted company pays a sum of money to recover the data. According to Nozomi, cybercriminals investigate companies’ cyber insurance policies so they can customize their ransom requests to match. So data breaches at insurance companies pose a significant risk to the safety of their clients, who are then more likely to be targeted for ransomware attacks.
Having cyber liability insurance is an excellent idea, but relying on it alone to deal with ransomware is a bad one. According to Sophos’s State of Ransomware 2021 report, more organizations are paying ransoms, but fewer than one in ten get all their data back. Also, there is no assurance that hackers won’t retain access to penetrated systems or copies of compromised files.
A Distributed Denial of Service (DDoS) attack is when a bad actor uses malware-infected machines to bombard a target server with requests. It is deployed for the sole purpose of business disruption to lower the confidence in the targeted company, disrupt sales and business operations, and
The result of a DDoS can be anything from slowing down webpage performance to completely disabling a business’s online presence. This can cause serious reputational damage for an underwriting firm that cannot act promptly for its clients due to a cyber attack.
How Cyber Risks Affect the Insurance Market
While it’s possible to trace cyber liability insurance back to the late 1990s, the recent proliferation and growing complexity of cyber attacks have caused massive growth in the market for cyber liability insurance.
Not only do more insurers offer cyber liability insurance than ever, but the costs of premiums have shot up, too, rising almost 100% between 2019 and 2022, largely due to the increasing threat from ransomware.
Underwriters are increasingly reluctant to pay ransoms. As cyber attacks become more sophisticated and targeted, including researching how much insurers will cover for a ransomware attack, the number of insurers paying out for ransomware attacks is declining.
Firms are much better off improving their cybersecurity than relying solely on a cyber insurance company to bail them out. At the same time, organizations can lower their cybersecurity insurance premiums by following cybersecurity best practices to improve data security.
How the Insurance Industry Can Protect Data from Cybercriminals
The insurance industry needs to collect, store, and transmit sensitive information to function. Large insurance businesses will have massive amounts of sensitive data. The solution is for insurance providers to upgrade their defenses.
This applies to smaller insurance firms, too, since cybercriminals also target small firms because:
- Small firms also use valuable, sensitive data
- They tend to have poorer security than their larger competitors
- They may provide gateways to their business partners
Nobody is under the radar when it comes to cyber risks. Whatever the size of the business, there is no reason for cyber attackers to reduce their attacks on the insurance sector for the foreseeable future. All insurance firms must use cybersecurity best practices to secure information security and avoid being easy targets.
Cyber Risk Management for Insurance Companies
Insurance companies have a deep understanding of risk, which helps them manage cyber risks. While insurance firms understand risk, this alone does not protect them from cyber attacks.
Insurance firms, especially cyber insurance firms, should use their unique abilities to perform honest, accurate cybersecurity risk assessments and then perform the recommended actions to reduce those risks.
Risk management identifies four ways to handle risk, listed here in order of priority.
- Transfer - often via insurance coverage
Underwriters will most likely know they can mitigate cybersecurity on two fronts: technology and policy. Both are required as they are more effective together.
Best Cybersecurity Solutions to Prevent Cyber Attacks
Insurance companies should practice strong cybersecurity to prevent cyber attacks from occurring. By following basic practices, they can secure themselves against the biggest cyber threats affecting insurance companies.
Anti-malware and antivirus software are essential components of any cybersecurity program to build strong network and device security. With a current database of viruses and malware, antimalware software can detect and respond to threats quickly.
Similarly, a firewall is essential to defend against cyber attacks, monitoring and filtering all traffic attempting to enter a network and everything attempting to leave. It can alert network administrators to unusual activity and, via event logging, provide forensic investigators with useful information if a data breach occurs.
Artificial Intelligence (AI) and Machine Learning (ML)
Cybercriminals are leveraging artificial intelligence (AI) and machine learning (ML), so it’s important that heavily targeted industries with a lot of sensitive data do the same. Built on massive amounts of input data, AI can spot known threats and learn to differentiate normal activity patterns from those that might be new threats.
An AI system can respond quickly to a cyber incident, making it invaluable for preventing cyber attacks and containing data breaches. This is especially the case if an organization is attacked in multiple ways, which might overwhelm a human operator alone, such as a phishing attempt, followed by a ransomware attack in the midst of a DDoS attack.
Limiting access to sensitive data can improve an insurance firm’s security posture because it limits the ways cybercriminals can access that data.
The more people that have access credentials for confidential information, the more chance those credentials could be compromised due to such factors as physical theft, negligence, accidental loss, misconfiguration, or phishing.
With end-to-end encryption, transmissions are more secure against hackers who may try to launch a man-in-the-middle attack, in which they intercept, read, and may modify transmissions without the knowledge of the sender or recipient.
A successful MITM attack compromises data but can also lead to the insertion of false data, such as false payment details.
Cybercriminals are continuously working to uncover new vulnerabilities and ways to exploit them. And they do not work 9 to 5. So continuous monitoring is essential to identify and respond to threats as they occur 24/7. With continuous monitoring, an insurance firm can be in a state of perpetual readiness regarding information security.
Threats to the insurance industry include potentially significant fines for non-compliance with cybersecurity regulations. Compliance monitoring and management systems help insurers keep track of their compliance requirements in an evolving cyber threat landscape.
Top Policy Solutions for Insurance Companies
A robust and continuous risk management process is required to keep organizations safe from evolving cyber threats. With excellent risk management policies and procedures, insurers will be able to predict cyber incidents and assess their potential impact. They can then implement policies that help prevent them or mitigate the damage if they happen.
Cybersecurity training can help limit damage from cybercrime, particularly social engineering attacks, which are a primary concern for most organizations.
Most data breaches involve human error. Often, this is because a staff member unwittingly or negligently downloaded malware to a device. With staff training, however, an insurance firm can turn a known weakness into a strong defense.
Staff training can fill knowledge gaps such as the importance of cybersecurity, password hygiene, physical security, data protection legislation, and how to identify and respond to phishing attempts.
Developing a cybersecurity culture goes further than training. It takes a long-term view and instills cybersecurity engagement in every part of an organization.
With the C-level on board, firms with mature cybersecurity cultures prioritize information security at all times at all levels. This develops over time through incentivized initiatives to build cybersecurity awareness and drive engagement with information security.
Third-Party Risk Monitoring
Insurance companies work with many vendors and third parties, which increases their cyber risks and attack surfaces. Focusing on third-party risk can help insurance firms understand the extent of their attack surfaces and improve their security postures by remediating vulnerabilities through policies, systems, and collaboration with associates.
Services such as UpGuard Vendor Risk can help companies better manage their scaling vendor lists and quickly identify their biggest third-party risks.
Backup systems or data backups can help insurance companies bounce back after a cyber incident. If business-critical data is compromised in a ransomware attack, an organization can use cloud-based backups to reboot its system — if necessary, even in a new location.
This does not solve the problem of the compromised data, of course, but it can help reduce business disruption and mitigate the reputational damage and financial cost of repairing a data breach.