Cyber-attacks against insurance companies are growing exponentially; so is the damage they’re causing. Furthermore, because insurers contribute significantly to the global financial sector, attacks that interrupt insurance company operations also have global implications. But why are attacks increasing? Why are hackers turning their attention toward insurance companies? Today’s post explores the primary reasons that hackers target insurance companies.
A wealth of sensitive information. From a hacker’s point of view, the best companies to attack are those with the most consumer data. Companies in the insurance industry meet that requirement probably better than any other industry. They maintain vast databases of personally identifiable information (PII) like names, birthdates, social security numbers, street and email addresses, income and employment details, and health and personal property data. Once hackers possess this stolen data, they’re then able to commit identity theft and identity fraud and launch more targeted attacks, like spear phishing and ransomware, such as the 2019 ransomware attack on a Toronto-based Canadian insurance company.
In the Toronto attack, the company, which has thus far remained unnamed, paid nearly US $1 million in ransom after the attack disabled company operations for over a week. They agreed to pay the ransom fee because they needed to receive the decryption key that would allow them to resume business operations. However, even after receiving the key, it took another ten days before they were fully up and running.
Increased vulnerability. As insurance companies modernize their operations with cloud and mobile technologies and increase their reliance on big data, their exposure and susceptibility to cyber threats grow. The most common cyber incidents to affect insurers are phishing, ransomware, data exfiltration, and denial-of-service attacks and all of them are likely to cause significant business interruption and financial damage. The December 2020 attack on Canadian insurance company, Promutuel Assurance, provides a good case in point: the cyber attack left Promutuel’s critical IT systems inoperable and continued to impact operations over a month later. Although the exact nature of the attack has yet to be revealed, sources from a Canadian cybersecurity research firm suggest it was a ransomware attack. A data breach is also suspected.
Lack of effective cybersecurity measures. Other high-profile sectors, like banking, have already implemented state-of-the-art cybersecurity, which has made them far more impenetrable. As a result, hackers have started focusing their attention on insurance companies, which are more vulnerable because they have not yet implemented effective cybersecurity measures. State Farm, the largest property and casualty insurance provider in the US can certainly relate: In August of 2019, they confirmed that they had been the victim of a type of cyber attack called credential stuffing. Credential stuffing is when hackers take usernames and passwords from data breaches and use them in attempts to log in to other sites. The State Farm attack took place intermittently throughout July and compromised an unspecified amount of customer accounts. However, since State Farm serves more than 83 million customers, we can assume that the impact was extensive.
Lack of cybersecurity awareness training. Even though some research cites human error as the cause of 95% of cybersecurity breaches, many businesses treat cybersecurity-awareness training as an afterthought. Their employees, therefore, are more prone to make mistakes, like creating weak passwords, sharing passwords, or interacting with malicious emails, that leave businesses vulnerable. For example, without training and education about phishing attacks, employees are more likely to fall for phishing attempts. The April 2020 attack on Benefit Recovery Specialists demonstrates how successful phishing attempts can open the door to malware. In that particular attack, 275,000 individuals were affected.
Cybersecurity is not an IT issue; it’s a business issue
Attacks on insurance companies can result in significant financial and reputational damage. Reputational damage causes a loss of trust, which for insurance companies can be as equally ruinous to brand and market value as financial damage. Insurance companies need to step up and start treating their cybersecurity as a business issue rather than an IT issue. Fortunately, there are powerful and uncomplicated solutions that make this possible. By taking a multilayered approach to their cybersecurity that includes a state-of-the-art cybersecurity solution, strict password hygiene, and regular awareness training for employees, insurance companies can dramatically improve their cybersecurity posture.