Cyber security strategies for the Insurance sector

On August 25, 2022

The insurance sector took a huge hit during the covid-19 pandemic. Consumers were worried about payment of their auto insurance bills, car payments, mortgage payments, life insurance policy payments, homeowners/renters’ insurance etc. The unexpected increase in health risks and inadequate coverage by insurance only added to their woes. The ensuing economic slump affected both providers and consumers alike.

The cumulative effect of this caused a change in consumer behavior and subsequently caused the insurance sector to gravitate faster towards digitization. According to a recent survey, across the globe, there was a 20% increase in digitization by the insurance sector in 2020 alone. Increasingly consumers began using the digital services for claims submissions or obtaining digital policies.

Why is the insurance sector at risk from cyber-attacks?

Everyone needs insurance in one form or another, usually more than one kind. It requires surrendering contact information, financial and banking information and, depending on the type of insurance, health information as well. This sensitive information would be shared with multiple insurance companies as they look around for the best insurance policy. This leads to vast amounts of data being circulated and stored at various locations. If leaked, this can lead to disastrous outcomes; fines from regulatory authorities, lawsuits from clients, or ransom demand from companies that have unleashed ransomware attacks on the database.

Insurance industry is home to colossal amounts of sensitive data. As an element of trust in insurers retains customers and brings in new ones, it is critical for the industry to maintain its reputation. Now the data collected by insurers can be divided into structured and unstructured data. Structured data comprises name, address, contact numbers, vehicle related information, medical history, etc. This data can be easily organized into a structured format, made easily searchable, and can be made machine readable. However, unstructured data which comprises emails, reports, multimedia, photographs, social media etc. have to be collected in a human-readable format. As this data is customized it is difficult to put into a format.

Further, traditional security tools and technologies are not of use any more to prevent cyberattacks. The staff are not trained or have enough knowledge to respond effectively to a threat or an attack. It is especially difficult while handling unstructured data. Last but not least, trust is paramount in this business. Even a rumor of a cyber-attack can cause significant damage to the reputation of the insurance company. Thus, it is quite a challenge to keep business afloat whilst safeguarding customer data.

What can be done about it?

The most significant strategies that come to mind immediately are advancements in technologies and effective policies apart from user training. Good technology will work efficiently only if accompanied by good policy and vice versa. For instance, an exposed database in the cloud due to unclear policy will undermine use of any advanced technology.

Moving on to the other significant measure that is user training. Undoubtedly the majority of the attacks are in some form of social engineering. An attack in such a manner is usually the direct result of inadequate user training. Users are tricked into revealing information of relevance which when combined with other accumulated information can cause severe damage or provide enough ammunition to launch an attack.

What are the types of attacks faced by the insurance industry?

Malware such as ransomware attack and phishing attacks such as spear phishing attack are most common in the insurance industry. Ransomware blocks a company’s access to its data and systems. For instance, Emotet and Trickbot are the Trojan horse malware that are a big threat to the insurance companies. Tricking a customer / client into revealing personal details via email, phone call or other means in a fraudulent manner is a common form of phishing attack. All PII (personally identifiable information) are exposed such as names, addresses, banking information, social security numbers etc. Spear phishing is another form of social engineering that usually targets an individual. Negligence by means of inadvertently disclosing confidential information is also a threat that cannot be overlooked. It puts clients at risk and a company’s reputation in jeopardy.

Cyber security challenges in the Insurance Industry

Digitization of the insurance sector has caused the IT team to use data and advanced analytics to collect, process, and handle vast amounts of consumer information. Apart from analyzing the data, they are finding ways to secure the data as well. The insurance sector has to tackle a series of challenges even as they prepare to tighten security across their network:

  • Outdated legacy systems are a serious threat to security as they are easy targets to hack.
  • Insurers are unaware of risky business practices due to lack of transparency and knowledge.
  • Phishing is a big issue as Business Email Compromise (BEC) targets select individuals impersonating middle level executive mails, rather than mass phishing. This makes it harder to differentiate between real and fake emails.
  • Internal threat is a big challenge, now more so than ever, simply due to the remote working of many employees with no or inadequate security controls. These challenges have to be addressed sooner than later as it can result in heavy fines, legal fees, lawsuits, fraud monitoring costs etc. Most important of all, it can result in loss of trust which can cause a negative impact on the reputation of the company and be difficult to build back from.
Strategies for defending against cyber attacks

The main strategy must be to improve efficiency, increase profit, reduce costs, bring in transparency, identify niche areas, risk consulting and claims. For this to occur, it is important for insurers and brokers to understand what the data is and where the data is being held.

The focus must be to identify employees who are vulnerable to phishing attacks, especially ones who are working remotely. It is wise to invest in a good human firewall system. Using advanced and innovative technology to build a robust security posture will ensure that your company stays afloat in spite of numerous threats/hacks.

Some ways to protect against cyber threats are:

  • Conduct a risk analysis - Determine where and how sensitive data is stored. How are emails used and accessed? When and where are mobile devices accessed?

  • Develop a comprehensive security plan - It should address all vulnerable areas and develop strategies to protect against attacks or if attacked, recover from them. A plan should be designed to prevent leaks from happening by negligence. Insider threats also need to be taken care of.

  • Educate the employees / staff / clients - Incorporate a security culture in your company. Educating personnel and bringing about awareness of safe cyber security practices will go a long way in protecting sensitive information. Simulations of attacks that mimic malicious attacks also help in training employees to be aware of social engineering attacks such as phishing.

  • Partner with a cyber security vendor - An external cyber security will help develop a strong defense system. For instance, a managed EDR (Endpoint Detection & Response) system will do threat monitoring 24/7, incident response, and alert filtering. Further, it will do an in-depth analysis and validation of threats using advanced analytics data techniques, intelligence derived from threats, collection of forensic evidence, and human expertise.

How to prevent a cyber-attack?

In keeping up with the old adage “Prevention is better than cure”, it is ideal to take a proactive measure than a reactive one. That being said, it is unlikely that you will be able to prevent all attacks. So, it is prudent to design a solution that is a mix of both proactive and reactive solutions.

Some of the methods of handling risk are:

  • Avoid risks
  • Mitigate risks by introducing processes and procedures to reduce effect of risk
  • Transfer risk to another entity
  • Accept the risk

The insurance industry is still at the fledgling stage as far as cyber security is concerned, as are most industries. On the other hand, it perhaps understands risk better than anybody else. After all, they are in the business of taking risks.

What are the recent attacks / breaches against insurance firms?

The covid-19 pandemic forced companies to continue operations via remote working. Work from home (WFH) became the new norm. This led to a significant number of employees accessing data via unsecured networks, leading the banking, financial and insurance sector to become a hotspot for attacks.

  • In 2020, an insurance brokerage firm became the victim of a ransomware attack. Personal information of more than 7 lakh customers were compromised.
  • A renowned commercial insurance firm had to pay nearly $40 million in ransom to recover its data in the year 2021.
  • A property and casualty insurer suffered a breach in January 2021 where the drivers’ license numbers were stolen from the company’s database.
Solutions to tackle cyberattacks in the insurance industry

There is rapid advancement in protecting Big Data across all industries. Financial data from financial and banking institutions and data from the insurance industry are prime targets for hackers because of the sheer amount of money the data involved is worth.

Artificial Intelligence (AI) and Machine Learning (ML) help to fight malware, ransomware, and other advanced persistent threats (APT) significantly. As these new technologies are well equipped to handle voluminous amounts of data, any small deviation from the expected pattern can be brought to notice at once. They are equipped to monitor and respond effectively to threats.

Cyber security solutions must be poised to address encryption of large amounts of data, data behavior, focus on access controls, and prevent data leaks. Furthermore, real-time analysis and monitoring must be part of the solution to avoid any degradation in performance that could lead to inevitable delays in data processing.

What is the way forward for insurance companies?

Some insurance companies have begun implementing stringent cyber security measures to tackle threats/attacks heads on. Others are following suit.

Some suggested measures to be adopted by the companies are:

  1. Explore and invest in new age technologies such as Blockchain, AI & ML, Data analytics, Deep learning etc. These will help strengthen the core network whilst simultaneously identifying the loopholes in the system and rectifying them.
  2. Conduct regular assessments that periodically monitor application systems for new and emerging threats. Set up robust firewalls, and secure gateways that deal with third-party affiliations and other partner application systems.
  3. Do away with outdated legacy systems and build a roadmap that will entail modern and updated applications with provision for updating, as and when deemed necessary.
  4. Emphasize on the use of authentication methods such as MFA (multi factor authorization) and SSO (single sign-on) to access data. Develop strategies to implement role-based access control for employees to ensure there are no insider threats.
  5. Educate clients/brokers/personnel/agents etc. on social engineering attacks such as phishing, spear phishing etc. Conduct in-house training and revisit training modules to revise and update as new threats and breaches emerge. Conduct simulation exercises to bring about awareness of different forms of attacks.
  6. Devise a contingency plan in case of an attack or a breach. A response plan that will help business recover quickly from an attack to prevent further damages is vital to maintain continuity of business.

The sheer size and volume of the insurance industry puts the industry in the high-risk category for attacks from cyber criminals. Majority of the people have insurance of some kind where their PII (personally identifiable information) is stored. An attack on this can cause irreparable damage to thousands of customers and can put the insurance company out of business.

An attack that renders data inaccessible or unusable can lead to severe crises and economic losses for the insurance companies. Therefore, insurance companies are adopting cyber security measures to protect their IT network.

A system of prevention and proactive vigilance needs to be installed to provide the best defense against cyber security threats and attacks. A continuous monitoring system can prevent the exploitation of multiple entry points by cyber criminals. The best and brightest cyber security solutions are in high demand as this sector offers opportunities at all levels for security professionals.