Posted on Jul 21, 2021
The connected nature of business environments has increased the severity and frequency of cyberattacks in the insurance sector. Insurance companies face a greater threat than most industries because they deal with sensitive and valuable data stemming from numerous avenues. This has resulted in several high-profile cyberattacks on insurance providers over the past few years. A typical insurance organization faces an average of 113 targeted breach attempts every year, a third of which will be successful.
Being aware of potential cybersecurity threats puts you in a great position to adopt the correct preventative measures, saving your insurance company time and money, and protecting your reputation in the long run. Let’s take a look at the common cybersecurity vulnerabilities seen at insurance agencies and considerations for establishing an effective cybersecurity program.
Now that other high-profile sectors are becoming more secure, cybercriminals are turning their attention towards more vulnerable targets like insurance companies. Insurers typically maintain a massive database of personally identifiable information about policyholders, making them the perfect target for identity thieves. Information organizations keep about policyholders’ can include names, birthdates, social security numbers, home addresses, employment data, email addresses, payment information, and more.
Anthem Healthcare is infamous for holding the record for the biggest data breach in the history of the healthcare system. In 2015, Anthem Healthcare experienced the theft of 78.8 million records, including names, social security numbers, addresses, and birth dates. Hackers used spear-phishing to manipulate employees into handing over usernames and passwords, allowing them to access the insurer’s systems. Not only did Anthem Healthcare experience massive data loss, the insurance company also experienced significant monetary damages. Recently, Anthem had to pay almost $40 million in damages, in addition to the $115 million to settle a class-action lawsuit.
With a huge database of PII about policyholders, it’s no doubt the insurance sector is a highly attractive target for hackers. Therefore, insurance companies must start adopting security measures that efficiently protect user information sooner, rather than later.
As an insurance leader, understanding your potential vulnerabilities will help you stay secured and protected in the event of a cyberattack. Here’s a list of common cyber attacks that insurance agencies need to be aware of:
Ransomware attacks are growing more than 350% annually. Ransomware is a type of malicious software that hackers use to block you from accessing your data until a certain amount is paid. Besides the immediate losses, a ransomware attack can lead to massive financial damages due to loss of data and productivity.
According to the latest forecast from Gartner, worldwide end-user spending on public cloud services is expected to grow 23.1% in 2021. The rise of cloud usage also increases the risk of a data breach as many insurance agencies are susceptible to denial of services (DoS) and hijacking attacks. Typically, cybercriminals can access and tamper with your organization’s data while blocking your employees from accessing it.
Deception is a key aspect of social engineering attacks. Cybercriminals typically use trickery and manipulation methods to lure individuals into handing over sensitive information or bypass security measures.
Social engineering threats are at an all-time high because targets unknowingly give hackers access to the system, making it difficult to prevent these crimes with security controls. Fortunately, regular cybersecurity training initiatives can ensure your employees know how to detect and prevent social engineering attacks.
The use of third-party vendors is on the rise, especially for insurance agencies. In fact, 88% of insurers and claim leaders use a third-party provider for at least one component of their digital transformation.
However, most insurance agencies do not take the necessary precautions when engaging with third-party providers. Even though your organization may have a robust security program, hackers can still use malware to access sensitive data through your third-party providers. Therefore, it is imperative to understand each of your vendors’ cybersecurity posture and ensure they are keeping up with best practices for data protection.
Now that you understand the common cyberattacks used in the insurance industry, let’s take a look at key considerations to ensure your systems and data are protected from cyber threats.
A risk assessment identifies what data and systems need to be protected and determines the threat of exposure. A risk assessment typically covers:
Regular security awareness ensures employees will stay vigilant and motivated to protect sensitive information. A robust security awareness training has simulations that imitate social engineering approaches, such as phishing, designed to trick employees into bypassing security measures. That way, employees know what to look for and how to respond in the event of an attack.
A firewall is a program or hardware device that assesses network traffic and creates barriers to block viruses and attackers. Each employee at your company has an interface that connects them to the network. Without a firewall in place, all of those networked devices are vulnerable to attacks through the Internet. Therefore, it is important to implement firewalls at every connection to the Internet to defend against hackers looking to exploit security vulnerabilities.
A successful security plan should address any vulnerabilities and determine approaches to protect against and recover from security breaches. The security plan can protect the sensitive data of your insured customers from cybercriminals and accidental data exposure from unauthorized employees. You’ll also want to test your security plan regularly to ensure that it is working as it should.
Considering insurance companies now conduct a majority of their business online, online portals need to be monitored and regularly tested. This ensures that there are no software errors or vulnerabilities present that could put your site at risk for cyber attacks. The continuous monitoring and testing between releases ensures that your website is secure and protected from any new vulnerabilities.
Nearly every person has PII stored with one or more insurance companies. How these companies protect that information and manage overall security impacts many people. According to an Accenture report, 55% of insurers report they lack confidence in their organizations’ abilities to effectively monitor for breach activities. So, how can insurance companies ensure they are fully protecting customer information?
With SecurityScorecard’s Security Ratings, you can confidently monitor your organization’s cybersecurity posture, enabling you to drill down and prioritize remediation. With an outside-in view of your security posture, SecurityScorecard’s data collection and analytics capabilities provide your team a holistic view of your network and system vulnerabilities - all from a hacker’s perspective. Recognized as the industry standard for insurance, our security ratings can help you reduce risk and grow your business with confidence.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You can’t manage what you can’t measure. Check out our list of the top 20 cybersecurity KPIs to track in 2021.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.