Cyberattacks in the insurance sector continue to grow in scope and frequency as many insurers begin to use digital channels to create tighter relationships and offer new products in order to expand their share of customers’ financial portfolios.
To cater to this demand, many insurance companies are investing in upgrading their traditional IT systems (such as policy systems and claims systems) as well as integrating agency portals, online policy applications, and web- and mobile-based applications for filing claims.
This has the chance to help insurance companies grow their businesses, but it also introduces new risks and attack vectors to companies not traditionally used to dealing with the challenges inherent in an omnichannel environment.
To embrace big data and advanced analytics, insurers must collect and handle vast amounts of customer information. Combined with the fact that a great deal of information passes between insurance carriers and their third-party services partners, and you have a recipe for cybersecurity disaster. Many larger insurers are having difficulty getting their subcontractors and third-party vendors to accept liability for data breaches, which means they are increasingly on the hook for the security of their customers’ data even though they don’t have complete control over its entire journey.
The insurance industry as a whole has been slow to adopt disruptive new technologies, so most publicly reported breaches were short-term and small in scope. However, as insurers behave more like technology companies and utilize big data and advanced analytics for its treasure trove of customer information, long-term attacks are on the horizon.
Here are four cybersecurity use cases insurers must prepare for today:
- Hackers stealing personal data on existing and potential customers: Personally identifiable information (PII) is extremely lucrative for hackers to obtain, as they can sell it on the black market for identity fraud purposes. In this use case, cybercriminals breach a part of the IT network used by an insurer to store data from customers and sales prospects – including driver’s license and social security numbers.
- Targeted attack on company employees to steal online banking information: An attack could pinpoint company employees with emails containing malware to capture confidential data such as bank account numbers, social security numbers, user accounts, passwords, and credit card numbers. Hackers could use this to compromise servers used by employees to remotely access the affected company’s IT systems.
- Preying on companies noncompliant with the Payment Card Industry Data Security Standard: Cybercriminals seeking payment card information to sell on the black market and commit fraudulent transactions identify vulnerabilities in a company’s systems and software. These hackers then steal payment card information for tens of thousands of customers, including names, addresses, and unencrypted card security codes.
- Health insurance fraud: Hackers are targeting databases containing customers’ health insurance information to sell on the dark web to those who want to have a medical procedure done in the United States but cannot afford it. While the quality of care, medical standards, and favorable procedure outcomes may be higher in the U.S., the cost for many – Latin American nationals, illegal immigrants, and even the uninsured or underinsured in the U.S. – is prohibitive. The Federal Bureau of Investigation estimates healthcare fraud costs the U.S. $80 billion every year.
In the U.S., insurance companies are regulated on a state-by-state basis by independent insurance regulators. However, there is an overarching organization called the National Association of Insurance Commissioners (NAIC) that works with the insurance watchdogs in each state. The NAIC and state insurance regulators are ramping up efforts to tackle cybersecurity issues. In April 2015, the NAIC’s Cybersecurity Task Force adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance. This contains 12 principles for direct insurers, producers, and other regulated entities to identify risks and adopt practical solutions to protect the information that’s entrusted to them. The NAIC also developed the Roadmap for Cybersecurity Consumer Protections, a bill of rights detailing what consumers can expect from insurance companies, agents, and other businesses following a data breach.
It’s clear the insurance industry is trying to establish the right framework to mitigate data breaches. New York State commissioned a report examining insurers’ IT and governance structure for cybersecurity. Regarding the use of security technologies, 100 percent of institutions surveyed utilize anti-virus software, tools to detect malicious code, firewalls, intrusion detection tools, and encryption for data in transit. Nearly all institutions also employ data loss prevention tools, file encryption, and vulnerability scanning tools.
As hackers learn to leverage encryption and other advanced attack techniques, these traditional tools are becoming less and less effective. As a result, many insurers are misallocating their limited resources to address compliance oriented, easily recognized threats while completely overlooking far more damaging cyberthreats.
We can help. US Cyber Vault is a trusted advisor to insurance companies, helping them craft and execute the assessment, design, and enhancement of their cybersecurity posture and regulatory compliance needs. By starting with penetration testing and then either using Shield to protect the existing IT environment or Vault to move data and applications into a secure cloud, our experienced team of intelligence agents will maximize security and efficiency so you can focus on serving your lifelong clients in the moments they need you most.
Written by Rob LaMear, CEO, US Cyber Vault
Once a month we share where we will be speaking in the world as well as expert opinions on cyber security, data loss prevention, and information security that we like from the larger community. Receive our next issue by signing up here.