Cybersecurity Threats to Insurance Companies
For organized cybercriminals, the insurance industry presents lucrative opportunities. Insurance companies control an immense amount of high value data, which is why we have seen so many high-profile data breaches in the insurance industry over the last few years. These attacks are predicted to rise over the coming years.
The insurance companies house an enormous volume of personally identifiable information on its customers, plus records that contain confidential information on their policies. As the industry accelerates towards the adoption of big data and AI to calculate insurance premiums, the volume of data increases. More data to analyze, more data to protect.
Five Types of Data Hackers Want from Insurance Companies.
At insurance companies, hackers are a threat to five distinct kinds of data:
PII - Personally identifiable information of the insurance provider’s customers
Customer Medical Health Records - A treasure trove of information hackers can use to commit all types of fraud.
Banking Information - Bank account details and social security numbers.
Payment Card Data - Until recently, many insurers were noncompliant with PCI DSS (Payment Card Industry Data Security Standard), making their payment card data vulnerable and easy to compromise.
Partner Databases - Hackers are targeting databases of health insurance companies to engage in mass health insurance fraud. According to the FBI, this costs the healthcare industry an average of $80 billion annually.
The Growth of Insurance Industry Cybersecurity Regulations
In the past couple of years, we have seen many new data regulations targeting the insurance industry in an effort to have them clean up their act. Multiple bills at the state level have been introduced, forcing cybersecurity standards and requirements on the industry. Many state laws dictating cybersecurity requirements for insurance providers are creating tough new challenges for organizations operating in these states.
It began with the New York Department of Financial Service (NYDFS). It issued a new cybersecurity regulation, NYCRR 500,¹ geared toward financial services companies, but specifically targeting the insurance sector. That same year, the ‘NAIC Model,’² an insurance data security model law issued by the National Association of Insurance Commissioners (NAIC), was launched.
Next, Connecticut passed cybersecurity legislation. It forces the insurance industry, including third-party administrators, health insurers, and supply chain partners, to adopt a rigorous cybersecurity program. The program includes a set of minimum requirements for protecting their (insured) customers’ personal data.
More state laws and regulations are on the horizon. For example, Ohio, Michigan, and South Carolina have all recently issued regulations based on the NAIC model, and more states are expected to follow.
High Profile Attacks in the Insurance Industry
It is no wonder that we are seeing different states and regulatory bodies imposing strict cybersecurity regulations. Insurance providers, agents, and their support organizations have seen repeated attacks against them over the last few years.
Data Breach At Anthem
Kicking off the insurance industry cybercrime spree was the Anthem incident of 2014. It was also a wakeup call for the entire insurance industry that began to improve their already-strong cybersecurity controls.
As one of the largest health insurance providers in the country, Anthem Healthcare was the target of a major cyberattack and subsequent data breach. Refreshingly, they were also credited for being honest with customers following the attack. While it isn’t always possible to prevent an attack from occurring, how an organization responds to an attack is well within their control. Anthem is held up as a textbook example of what to do when an attack is discovered.
As soon as Anthem discovered a breach, it leaped into action to remediate the issue. Anthem also immediately contacted the FBI and hired noted cybersecurity outfit Mandiant to assess the damage done to their business. Mandiant, with permission from Anthem, released a comprehensive report after a thorough evaluation. It specifically mentioned the need for the insurance industry to focus on the system access privileges that organizations gave to their employees, as these privileges were leveraged by the hackers in the attack.
It also recommended that insurance organizations closely monitor the flow of data from their IT systems to their individual components on partner sites. The Mandiant report recommendations acted as a benchmark for the rest of the industry to follow.
Data Leak at First American
In 2019, First American, a real estate and title insurance behemoth, was discovered to have exposed the confidential and hugely sensitive financial records of 885 million of its customers on its website, publicly available for anyone to access.
The exposed records included driver’s license scans, banking details, social security numbers, mortgage and tax documentation, and wire transaction receipts. It was a goldmine for any organized crime group, fraudster, or identity thief.
First American admitted that they had unwittingly exposed this information through a ‘design flaw’ on their website. They weren’t hacked but simply gave the data away to anyone who knew how to look. It was a major incident highlighting just how little effort large organizations like First American have made to secure their customer’s data.
Ransomware at Chubb
Another attack worth mentioning is the attack on a provider of cybersecurity insuranceᶟ the Chubb Group, who fell victim to a large scale ransomware attack. This attack is notable because Chubb provides insurance coverage to victims of cyberattacks, specifically those who fall victim to ransomware attacks.
Chubb denied that their networks were breached, saying that a third-party provider of theirs was the target. However, a notorious hacking group called Maze publicly announced that it had stolen a trove of customer data from Chubb, which they threatened to release if Chubb did not pay a ransom. They even released a small portion of the data as proof.
But Chubb, an insurance provider with annual revenues of $35 billion, refused to comment. This attack underlines the fact that even organizations that are aware of the financial impact of cyberattacks and cybercrime methods are not immune.
Final Thoughts
Despite insurance companies implementing new cybersecurity measures and regulators imposing new rules, insurance companies still need to focus on their employees. Given resources, an insurance business with a strong cybersecurity mandate needs to train their employees to become cyber aware and act as the first line of defense for the organization.
When an insurance business has a robust cybersecurity training program in place, its employees can spot social engineering attacks, phishing attacks, and various hacker scams designed to extract their credentials. In a rush to secure their systems, many insurance companies are tragically overlooking their employees cyber awareness training.
Over and above training, there are some solid actions that dramatically improve the robustness of your cybersecurity posture. A good place to start is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which encourages organizations to focus on the five key framework functions.
Identify - The first framework function, identify, focuses organizations on identifying the assets in their IT infrastructure with a comprehensive audit. It recommends the identification of cybersecurity policies, asset vulnerabilities, and identifying a risk management strategy.
Protect - The second framework function, protect, focuses organizations on implementing the right protections to ensure the secure delivery of critical functions. This includes protections for identity and access control, awareness training, and establishing data security protections.
Detect - This function focuses organizations on enabling the timely identification of potential cyber incidents as they occur. This includes ensuring anomalies are detected, implementing continuous security monitoring and detection, technology, and process.
Respond - The fourth framework function, respond, focuses organizations on properly responding to cybersecurity incidents, covering response planning, managing communications with stakeholders during the event, and mitigation activities to prevent the event from expanding.
Recover - Recover focuses organizations on maintaining plans for business continuity and resilience. This enables them to restore services and capabilities that were impacted by a cybersecurity incident to ensure they survive the worst-case scenario.
Of course, this is a brief summary of the five framework functions. For a more detailed view, NIST.gov has a presentation that you can download in PowerPoint format.
Contact Digital Hands
Digital Hands has extensive experience working in the financial services sector, including the insurance industry. We manage security and help companies comply with cybersecurity and privacy regulations that govern the handling of their data.
If you work in the insurance industry and have any questions about any aspect of your information security, get in touch with the Digital Hands team by calling (855) 511-5114 or emailing us at sales@digitalhands.com. We can always bring insight and experience to the table when helping our customers understand and manage the cyber risks they face.
About Digital Hands: Recently ranked as one of the Top MSSPs in 2020, Digital Hands is a trusted global cybersecurity leader continuously taking action to protect our customers’ most valuable assets against relentless threats.
Digital Hands is proud to offer extensive security expertise and advanced monitoring and reporting capabilities. Our robust set of innovative cybersecurity services and solutions ensures your organization, customers and employees are defended against cybersecurity attacks and data breaches round the clock.
We are proactive in our response orchestration that includes in-depth analysis and business context. Digital Hands enables our customers to harden their security posture, outmatch bad actors and benefit from our complementary white glove service and excellence in delivery. Our industry – leading customer retention rate and Net Promoter Score of 94 reflects how we go above and beyond every day for our customers.
References:
¹New York State, Department of Financial Services. Cybersecurity Requirements for Financial Services Companies. [2017]New York State, Department of Financial Services
²National Association of Insurance Commissioners. NAIC Model Laws. 30.6.2020
ᶟRiley, Duncan, “Data allegedly stolen in ransomware attack on cybersecurity insurance provider Chubb.” Silicon Angle, 26, March 2020.