We explore the major cybersecurity risks facing the insurance industry and discover strategies to help you mitigate insurance risks associated with cyberattacks.
The insurance industry has long been in the crosshairs of cybercriminals. Insurers hold storehouses of the exact kind of data cyber thieves are looking for. Personal data, financial records, and confidential business data often sit unprotected on company servers, computers and other devices.
As cyberattacks become more intricate and diverse, insurance companies must remain vigilant against digital attacks. This blog will help you do so.
I recently participated in a panel at Insurtech Insights about how cybersecurity is evolving in the insurance industry. Insurers play a unique role in cybersecurity because their industry is involved in covering cyber event losses — and they are also targets themselves. In this article, we’ll focus on how insurance carriers can identify and mitigate their own cybersecurity risks.
Major Cybersecurity Risks in the Insurance Industry
Insurance companies are frequently the targets of data breaches, ransomware attacks, system disruptions, insider attacks, and social engineering. By understanding how these insurance risks work, you can take steps to bolster your defenses.
Data Breaches and Theft of Sensitive Information
To execute a data breach and theft, a hacker penetrates a system and hunts for sensitive information. A successful data breach can yield an impressive haul for an ambitious attacker, especially when they target insurance companies. For example, in February 2024, 33 million people in France woke up to some unfortunate news: cyber thieves had stolen their names, dates of birth, and social security numbers.
That was all the attackers needed to execute ID fraud, victimizing millions of people.
How Data Theft Works
To execute data theft, an attacker may first check for vulnerabilities, such as:
- Ports left open to the internet or other weak points due to outdated hardware and software.
- Weak passwords that are easy to guess or already have been accessed by other bad actors.
- Human vulnerabilities, such as people who can’t recognize a phishing attack and then end up giving away access credentials.
- Third-party vendor vulnerabilities. With the increased adoption of cloud software hosted by third parties, hackers have found ways to access environments and data through third-party vendor systems.
- The rapid evolution of AI is creating new vulnerabilities as things such as chatbots and even AI models themselves can be exploited.
In some cases, a hacker will use malware, such as viruses, worms, spyware, or ransomware, or more recently, AI. These technologies enable attackers to penetrate weak system defenses, giving them a foothold in your network.
Once a hacker gains access, they can either see the data they want to steal or pursue it by escalating their privileges. For example, an attacker could pinpoint an administrator account in a database that holds account information. By entering the admin’s name and password, they can get deeper into the system they’re hacking.
Ransomware Attacks and System Disruptions
A ransomware attack involves taking control of a company’s data or system and demanding that the organization pay a ransom to regain control. The headlines have been packed with ransomware tales because criminals either extort significant sums or cause major system shutdowns.
For example, a healthcare insurance processing company in the U.S. had its infrastructure shut down by a ransomware group in early 2024. Therapists, hospitals, physicians, and pharmacies were either unable to bill patients or had to resort to manual data entry. People couldn’t get prescriptions filled or were forced to overpay because billing systems couldn’t communicate with their insurers.
How Ransomware and System Disruptions Work
While we’ve seen several types of ransomware attacks, they often follow a similar flow of events:
- The attacker uses phishing, malvertising, drive-by downloads via a website, or a software vulnerability to access a system.
- The hacker gets as deep into your system as they need to, then downloads ransomware onto a computer or server attached to your network.
- The ransomware then automatically encrypts files, preventing employees from using core elements of their infrastructure. The malware may also steal data and send it to the attacker.
- People in the victim’s organization see a ransom note on their screens saying they need to send money — typically crypto — to regain access to their systems. The note typically includes threats about deleting or releasing sensitive data to the public if the company doesn’t pay them by a certain time.
Insider Threats and Social Engineering
An insider threat comes from someone in your organization who already has access to credentials, making it easy for them to get inside your network. Sometimes, the “insider” may be a disgruntled employee the company recently fired or laid off, and IT hasn’t yet revoked their access privileges.
Other times, an insider threat is accidental, such as with social engineering. In these kinds of attacks, the hacker tricks someone into providing sensitive information, like a username and password, and then uses that information to infiltrate a system.
In other situations, someone in your company makes an innocent mistake, such as forgetting to log out of a session while stepping away from their computer. A hacker then swings by their workstation, gains access, and launches their attack.
You may have heard about the Cisco WebEx attack, in which a former employee used his network access to delete virtual machines. A virtual machine is a computer composed of software instead of a physical hard drive, processor, and memory. The hack cost Cisco $1.4 million to get its systems back up and running and to compensate customers.
Even though many different risks exist, insurance companies can do a lot to bolster their cybersecurity and safeguard their digital assets.
Strategies for Mitigating Cybersecurity Risks
Mitigating cybersecurity insurance risks may be more straightforward than you think. Even though attackers have plenty of options for hacking into an insurance company’s system, you have a wide array of defensive tools at your disposal. For example, you can:
- Adopt zero trust principles. Assume no user, device, or network is inherently trustworthy. Require continuous authentication and authorization for all access requests to your critical data and systems. This critical mindset drives effective use of the rest of the tools and techniques below.
- Use next-generation firewalls. A next-generation firewall can detect threats based on the behavior of malware instead of the data inside its packets. This enables you to stop brand-new attacks, sometimes called zero-day attacks.
- Encrypt sensitive data and communications. An encryption system turns your data into a jumbled mix of nonsensical characters. Hackers will need the decryption key to read what you’ve stored or sent.
- Implement strict access controls. Don’t let people access anything they don’t need to. For example, only your sales support and marketing staff should have access to your customer relationship management (CRM) system.
- Conduct regular risk assessments and vulnerability tests. You can use penetration testing, in which you allow “ethical hackers” to try to penetrate your system. When they’ve finished testing, they give you a full vulnerability and risk assessment.
- Provide cybersecurity training to your employees. With the right training, your employees, who may be your biggest vulnerability, can become the strongest pillars of your cybersecurity program. By teaching employees what phishing attacks look like, for example, you can prevent them from divulging sensitive data via emails, phone calls, or texts.
- Ensure you have cyber insurance coverage. A comprehensive cyber liability insurance policy not only protects against financial losses but also ensures coverage for incident response, legal fees, and potential damages to maintain business continuity and safeguard your reputation. For an insurance company, it should be a no-brainer.
When you take a proactive stance against cyberattacks, you protect your organization and build trust with clients.
Consequences of Cyberattacks and the Importance of Preparedness
A single cyberattack can send shockwaves through a business’s balance sheet, customer base, and prospective investors. The WannaCry attack resulted in around $4 billion in losses. The aftershocks rumbled through big-time players like the British National Health Service (NHS). It also affected Telefonica, a Spanish mobile phone services company.
Some of the negative issues a cyberattack can cause include:
- Financial losses and regulatory fines. In addition to losses like those mentioned above, if an attack reveals that you weren’t properly protecting customer data, you could get hit with penalties.
- Reputation damage. An insurance company that fails to protect its customers’ data is like a bank that can’t safeguard people’s money. But by protecting the information people and businesses trust you with, you develop a reputation as a conscientious data steward.
- Potential legal liabilities and lawsuits. You may have a service level agreement (SLA) that includes an obligation to protect customer data. Or a lax cybersecurity system could be construed as negligence. Either way, an attack can open a Pandora’s box of legal issues.
As cyber threats and their impacts evolve, insurance companies must adapt their security approach. In this way, you can prevent and mitigate more threats.
Implement Cybersecurity to Protect Your Profits, Reputation, and Customers
The sensitive information insurance companies handle makes them an ideal target for cybercriminals. However, by bolstering your cybersecurity, performing risk assessments, adopting zero trust principles and training your staff, you can protect your company and earn your clients’ confidence.
You know you need to protect your brand and financial stability by prioritizing cybersecurity. But do you know where to start? Our Cybersecurity team is ready to help you focus on everything from strategy development to penetration testing.