Cybersecurity in the Insurance Industry

The number of active cyber attacks has increased significantly in just the last two years. Insurance firms are migrating to digital platforms to build sticky customer relationships, sell new products, and broaden their share of their customers’ financial portfolios, which has resulted in an unprecedented increase in attacks. Attackers are thought to have breached this sector in order to steal the personally identifiable information (PII) of over 100 million Americans.

In 2018, the insurance industry in the United States wrote $1.22 trillion in net premiums. Property/casualty insurers wrote 51 percent of those premiums, while life/annuity insurers wrote 49 percent. In that year, the United States had 5,965 insurance companies.

State Farm, Berkshire Hathaway, and Progressive Corp. were the top property/casualty insurance writers in 2019. MetLife, Prudential, and Equitable Holdings were the top life/annuity writers.

In 2019, 2.8 million people were employed in the insurance sector. 1.6 million of them worked for insurance firms, while 1.2 million worked for agencies, brokers, and other related businesses.

Insurance firms have a reputation for storing a lot of data about their policyholders, which makes them a priority target for cybercriminals. Attacks on the insurance sector are expected to increase in frequency and intensity in the future.

The insurance industry is under pressure on two fronts to embrace innovation and modernise its processes and infrastructure. Insurance customers, like customers across the rest of the financial services industry, expect services through mobile apps 24 hours a day, seven days a week. In addition, financial technology firms like Kickstarter, Patreon, GoFundMe, and others are encroaching on its traditional market space.

The latest infrastructure technologies and highly qualified staff are needed to provide real-time insurance and financial services with a smooth and frictionless customer experience. New apps and services must have cybersecurity built in. Because the industry runs on patched legacy infrastructure, it is vulnerable to cyberattack.

Cybersecurity within the Insurance Industry

Because of the industry’s scale and reach, as well as the large quantities of data consumed by businesses in this field, cybersecurity is critical. We all need insurance of some kind, typically several types. To buy insurance, we must give up our contact details, financial information, and even health information. This information is often requested prior to the writing of an insurance policy, and it could be shared with various insurance providers as customers compare quotes.

Digital Guardian, a data security network provider, released the findings of a survey in January 2020. In this survey, they asked 20 security professionals in the insurance industry to answer a single question: “What are the top security considerations for insurance firms and how can they be mitigated?”

Juliana De Groot’s blog post describing Digital Guardian’s results is instructive because it provides the unique viewpoint of those who work in the industry. It does not imply that these security experts have all of the answers to questions about the industry, but it does reveal what they believe their issues and solutions are.

Almost every answer emphasised the importance of safeguarding the vast quantities of PII and other sensitive data they keep on hand. Because of the nature of its market, the insurance industry is required to collect, store, and distribute a wide range of personal data about a large number of individuals.

Major judgments in future client cases, fines from running afoul of regulatory authorities, and ransoms extracted by those wielding malware against their company are all concerns about financial liability arising from these large databases. No single one of these scenarios stood out as the one that kept respondents awake at night. All of them could happen, and all would be catastrophic.

In the category of “what can be done about it,” or coping techniques, there were four distinct patterns. The most popular suggestion for the most effective countermeasure to a cyberattack was to develop technology and policy together. These respondents seem to recognise that good technology is useless unless it is accompanied by equally effective policy. Technology alone cannot adequately protect against most forms of threat. There are far too many ways for policy to undermine the value of technology. Any advanced access management or perimeter security technology would be undermined if a database is left exposed in the cloud due to an inconsistent policy.

The respondents seemed to be evenly split on the next three mitigation approaches: technology on its own, policy on its own, and user training on its own. The merits of technology or policy alone do not need to be debated because, as a mitigation tactic, each is inferior to technology and policy combined. It’s likely that these respondents didn’t have enough time to express their whole perspective on mitigation and instead selected just their top choice.

User training was mentioned in many responses, which is noteworthy since it is in line with the majority of cybersecurity research. Most attacks rely on some kind of social engineering, according to study after study. Inadequate user training is almost always the cause of a successful social engineering attack, or attack component. Cybercriminals rely on their ability to persuade users to provide information that, when combined with other gathered data, provides the keys to launch an attack.

The insurance industry’s cybersecurity is similar to that of other industries. Criminals use the same cyberattacks and tactics in search of the same types of data, which they can sell or hold for ransom. What makes the insurance industry exceptional is that it consumes, stores, and distributes information about a large portion of the world’s population. Almost everybody has insurance, and insurance providers need a great deal of information about their clients and future customers. It’s a Big Data business, and a lot of the data is confidential personal information.

Case Study

Although insurance company data breaches may not rank among the top data breaches of the century, cybercriminals have paid close attention to this industry. Even insurance firms that are well-versed in the cyber threat landscape are susceptible to becoming victims.

Chubb may have been more prophetic than expected in their 2019 security study, Cyber Attack Inevitability. Chubb is a national supplier of insurance products covering property and casualty, accident and wellness, reinsurance, and life insurance, with headquarters in Warren, New Jersey. They are the world’s largest publicly listed property and casualty insurer and a market pioneer in cybersecurity insurance.

In an email to the news media on March 26, 2020, a threat researcher from the New Zealand-based web security company Emsisoft announced a ransomware attack against Chubb. According to Brett Callow of Emsisoft, the incident in question was caused by the so-called Maze ransomware. Maze is a particularly sophisticated strain of Windows ransomware that steals data, spreads through a network, and infects any device it comes into contact with.

According to Jeffrey Zack, a spokesperson for Chubb, there was “no indication” that the hack had affected the company’s own network, which was “completely operational,” indicating that the attack was more about data exfiltration than taking down the Chubb networks. Beyond that, Zack remained silent.

As evidence of their success, the attackers posted a listing on their website claiming to have stolen data from Chubb, according to Callow. Three senior executives’ names and email addresses were included in this data, including CEO Evan Greenberg. Chubb has not said whether a ransom was demanded or paid.

The FBI privately warned businesses in December 2019 that Maze-related ransomware incidents were on the rise.

Target filed a $74 million lawsuit against Chubb last year, alleging that the insurance carrier refused to properly compensate it for the damages incurred as a result of its 2013 data breach, which resulted in the theft of 110 million customers’ data.

Knowing the risks isn’t enough to shield you from a cyberattack. “When an employee at a charity inadvertently accessed a malicious website at work, the company’s shared server became infected with a virus that encrypted all of its files,” Chubb wrote in their 2019 “Cyber Attack Inevitability” article. “The nonprofit was then approached by cybercriminals who attempted to extort money in return for the release of their stolen documents.” It’s easy to imagine something very similar to this scenario occurring during the Chubb Maze assault.

The insurance industry and risk

Ask any number of security experts about risk management options, and the responses would almost certainly be the same. While the names and definitions can differ by sector, security experts and risk managers from all disciplines widely recognise four methods for dealing with risk:

Avoidance (stay away from risky endeavors)
Attenuation (institute processes, procedures, and systems to reduce risk)
Transfer (outsource the risk to another entity, usually through insurance)
Acceptance (take the chances associated with the probability of the event occurring)

In certain ways, the insurance industry has a greater understanding of risk than any other business field. After all, these businesses specialise in taking on risks that other businesses want to outsource through insurance. To reduce their exposure to the consequences of a major cyber attack, risk-averse businesses in all industries pass a portion of their cybersecurity liabilities to insurance firms.

Actuarial Science and Cybersecurity

Actuarial science is a discipline that uses quantitative and statistical approaches to determine financial risk. The mathematics of probability and statistics are used in actuarial science to describe, evaluate, and solve the financial relationships of unknown future events. It tries to calculate the economic effect of an occurrence by using probability analysis to estimate the likelihood of it happening.

Actuarial science is a skill that many insurance firms excel at. They hire actuaries, who evaluate and handle the risks associated with financial portfolios, insurance plans, and other potentially risky endeavours. These actuaries use actuarial science tools to analyse the risks associated with cybersecurity insurance plans as well as cyberattacks.

When it comes to defending against cyberattacks, the insurance industry has yet to demonstrate that it has an advantage. Nonetheless, because of their broad knowledge of risk, many insurance firms will make educated decisions about how much cyber risk to avoid, reduce, transfer to another insurance provider, or simply accept.

The likelihood of being subjected to a major cyberattack varies by industry. Only healthcare must secure IoT devices that keep patients alive from cyberattacks. The financial sector alone provides adversaries with a direct attack vector to other people’s capital. The insurance industry manages massive volumes of data that, in the hands of a professional actuary, can provide useful insight into how risk can be reduced to actionable figures and dealt with accordingly.

What makes Cybersecurity Challenging within the Insurance Field?

The insurance industry’s unique cybersecurity problems are interconnected and stem from the enormous amount and variety of sensitive data with which it deals. Insurers must also build and maintain trusting relationships with their customers. The industry’s wellbeing depends on finding solutions to these problems.

The nature of the insurance business necessitates the collection, processing, and analysis of vast volumes of structured and unstructured data. Structured data is well-organized and formatted so that it can be searched in relational databases quickly. It is machine-readable and can be processed programmatically. Name, address, vehicle details, medical background, dates, and claim history are all examples of structured data used by insurers. Unstructured data, on the other hand, lacks a predefined format or organisation, making it more difficult to use and secure.

Unstructured data is information that insurers store in a human-readable format. It can be used to fine-tune what an insurer will and won’t cover, detect signs of fraud, and provide a personalised customer experience. Email, written notes, images, multimedia, social media, and data analytics all contribute to this information. It may be data that needs to be kept for legal reasons, intellectual property, or personal information about customers.

Many insurance companies, especially those that manage large amounts of unstructured data, find that traditional security tools and technologies are insufficient to prevent cyberattacks. Staff in charge of data analysis at insurance companies often lack the necessary expertise to effectively respond to possible risks that might emerge from the use of various types of data.

The credibility of an insurance firm is crucial to its success. Almost everyone needs insurance, but there are many insurance companies from which to choose. When it comes to choosing an insurance agent, customers place a high value on trust. They need to know that if they file a claim, the insurance provider will pay and that their private and confidential information will be protected.

A well-publicized cybersecurity breach involving consumer data can harm an insurer’s credibility and have serious business ramifications.

Solutions for Cyber-Security in the Insurance Industry

Cybersecurity research for securing Big Data in general and the insurance industry in particular is progressing quickly. Large data sets, including financial and personal information, are a tempting target for cybercriminals, so many new security technologies are focusing on protecting these assets.

Artificial intelligence (AI) and machine learning (ML) will greatly assist insurance firms in protecting themselves from malware, ransomware, and advanced persistent threats (APT). Because they can easily analyse large quantities of data, these emerging technologies are ideally suited to solutions that detect any deviation from an expected or prescribed pattern of data activity. They can be used to keep an eye on data workflows and react quickly to attacks.

Access controls, data behaviour, the encryption of vast data volumes, and the prevention of data leakage are all important aspects of technical cybersecurity solutions for the insurance industry. Big Data protection solutions must provide real-time analysis and monitoring, as well as be designed to avoid performance degradation and data processing delays.

Final thoughts

Because of the industry’s scale and reach, what happens in it has the potential to influence the whole US and even global economies. Almost every American has personally identifiable information (PII) stored with one or more of these insurance conglomerates. The way they safeguard this information has the potential to affect an incalculable number of people.

The insurance industry’s high levels of risk, combined with the plentiful resources of a profitable business model, create an atmosphere that attracts the best and brightest in security solution research and development. For security professionals at all levels, this industry provides numerous opportunities.

Insurance is built on the foundation of trust, which is why it is so important for the industry to prosper. The insurance industry is a great place for security practitioners who want to make a positive difference in the lives of many people.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.