Insurance companies have a huge target on their proverbial backs as cyber attackers increase their focus on an industry ripe with personal, medical, corporate, and other confidential information that can be monetized after a data breach.
In 2023 alone, several insurance companies have been targeted, including Sun Life in June via an attack on its vendor Pension Benefit Information LLC; Prudential Insurance in May, in which more than 320,000 customer accounts were impacted; New York Life Insurance Company, which had 25,700 accounts affected during the same period as the Prudential attack; and Genworth Financial, which had up to 2.7 million individuals affected. All of these insurance companies were victims of the MOVEit file transfer cyberattack.
Aside from MOVEit, other widespread ransomware attacks also targeted the insurance industry. Point32Health, the parent company of Harvard Pilgrim Health Care and Tufts Health Plan, was hit by a ransomware attack in April, while NationsBenefits reported that it was a victim of the Cl0p ransomware gang. The biggest US attack on an insurance company compromised 9 million patients of Managed Care of North America (MCNA) Dental, a victim of the LockBit attack.
Consulting firm Deloitte noted, “Cyber-attacks in the insurance sector are growing exponentially as insurance companies migrate toward digital channels in an effort to create tighter customer relationships, offer new products and expand their share of customers’ financial portfolios. This shift is driving increased investment in traditional core IT systems (e.g., policy and claims systems) as well as in highly integrated enabling platforms such as agency portals, online policy applications and web- and mobile-based apps for filing claims.”
The firm added, “As insurers find new and innovative ways to analyze data, they must also find ways to secure the data from cyber-attacks.”
Applications Reveal a Lot
The reasons insurance brokers and carriers are now in the hotseat are varied, as Deloitte noted, but several stand out as key motives. While the most mundane is the profitability of obtaining personally identifiable information and personal health information for resale, there are more nefarious inducements to attack insurers. Take, for example, insurance applications.
The amount of private, corporate data that appears on an insurance application could be a bonanza to cyber attackers, says Marc Schein, national co-chair of the Cyber Risk Practice and a risk management consultant at Marsh McLennan Agency, an insurance broker. Schein notes that applications include a vast array of potentially useful information, including the amount of insurance a company is purchasing (ransomware attackers don’t want to leave money on the table when they demand a ransom) as well as some of the deficiencies a company might have in its network security.
Schein points out that other insurance products, such as errors and omissions policies or directors and officers policies, could provide valuable information about trade secrets, private information of key company executives, and data about potential business transactions.
Patricia Titus is chief privacy and information security officer at Markel Insurance, a carrier that underwrites its own assurance, specialty, and international policies. She agrees that applications can provide a deep understanding of a company’s technology profile.
Insurance applications can identify technology debt, Titus says: unpatched software, outdated hardware that may be past the manufacturer’s security or software patches, legacy systems that could represent potential security vulnerabilities, and other deficiencies a company might have in its network security. These vulnerabilities could be exploited by attackers.
All Sides of Insurance Transactions Are Vulnerable
It isn’t only insurance clients that need to evaluate their cybersecurity infrastructure, Titus points out. Markel is looking at ways it can better protect its own data, as well as that of its clients.
In Markel’s case, Titus says, the company is looking at technologies that could do a better job of microsegmenting its networks, limiting the ability of attackers to move laterally through the network should they successfully breach the corporate defenses. Moving laterally, she notes, is the greatest advantage an attacker can have if they can find a hole into a network.
Human data always is interesting to cyber attackers, Titus adds. Should the attacker be able to access insurance applications or approved policies, they can learn a great deal about potential targets. Individuals and companies alike need to insure high-value luxury items, such as antiques. However, enterprises also insure trade secrets (think of the recipe of Coca-Cola, for example) that cannot be made public through patents, private data about executives and officers, and errors and omissions that can occur during business transactions. Ultimately, there is a vast array of data companies protect that can be identified and compromised should their insurance policies or applications be breached.
Schein recommends that companies submitting an insurance application send encrypted data only so that anything intercepted during transmission cannot be read by the attacker.