Over the last few years, numerous insurance companies have adopted various digital channels to introduce new products, expand their portfolios, and strengthen customer relationships. While this has significantly helped the insurance companies grow and diversify, it has also exposed them to a myriad of cyber risks.
The troves of sensitive data stored by insurance companies have made them quite a lucrative target in the eyes of cybercriminals. Personally Identifiable Information (PII) of millions of individuals across the world has been compromised by data breaches in the insurance sector. So, let’s start off this blog with some of the major cyber risks plaguing insurance companies worldwide.
Cyber Risks Threatening Insurance Companies
Every day, new cyber threats are being discovered, each more sophisticated and harder to detect than the last. Insurance companies are being hit by cyber attacks left and right. And the only way to protect yours is by staying one step ahead of these threats. To do that, it is essential to know what exactly you are in for. So, here are some of the major cyber risks haunting insurance companies around the globe.
#1 Social Engineering
In social engineering attacks, cybercriminals typically use manipulative approaches and trickery to lure employees into accidentally triggering data breaches and cyber attacks. This cyber risk is particularly difficult to mitigate as it cannot be managed by technical controls, no matter how sophisticated or expensive. Many insurance companies have suffered massive social engineering attacks over the years.
#2 Ransomware
Cybercriminals launch ransomware attacks to hold a company’s data and computer systems hostage for a ransom. In newer attacks, attackers even threaten to leak the victim company’s data to pressure it into meeting the ransom demands. With the high level of sensitivity associated with their data, insurance companies are an especially attractive target for ransomware attacks. As a wide range of deadly ransomware gangs keeps cropping up every day, ransomware has become one of the gravest cyber risks to insurance companies globally.
#3 Third-party Risks
Every company these days uses third-party services. However, when they forget to take proper precautions, the results can be devastating. According to a report by Ponemon Institute, 51% of businesses have suffered a data breach caused by a third party. While third-party vendors, suppliers, and partners are very important parts of everyday business operations, they also expose insurance companies to massive cyber risks.
#4 Patch Management
Cybercriminals often exploit software vulnerabilities to access and steal sensitive information from an organization. If an insurance company fails to apply software patches on time, it becomes highly vulnerable to cyber attacks. To protect your company against cyber threats, it is essential to keep all software updated with the latest patches.
#5 Cloud Vulnerabilities
With the shift to remote work culture, cloud storage has become a daily norm for the majority of companies out there. While it makes things much more convenient, it also makes your company vulnerable to a plethora of cyber threats, including account hijacking and denial-of-service (DoS) attacks.
Major Cyber Attacks on Insurance Companies
Now that we have discussed the major cyber threats to insurance companies, let’s take a look at some of the renowned victims of these threats. Here is a list of some of the major cyber attacks that brought well-known insurance companies to their knees.
#1 Anthem Healthcare
In 2014, the renowned health insurance plan provider Anthem suffered one of the biggest healthcare data breaches in history, which led to the compromise of the Personally Identifiable Information (PII) of 78.8 million individuals. The stolen records included the names, addresses, social security numbers, and birth dates of the affected individuals. In addition to the loss of data and damaged reputation, Anthem Healthcare also had to pay around $40 million in damages as well as $115 million to settle a class-action lawsuit.
#2 CNA Financial Corp
One of the biggest cyber insurance firms in the US, CNA Financial Corp, suffered a ransomware attack on 21st March 2021. The cyber attack disrupted the organization’s customer and employee services for three days as CNA was forced to shut down to prevent further compromise. The cyber attack utilized a new version of the Phoenix CryptoLocker malware, which is a form of ransomware. Counted amongst the most devastating ransomware attacks, it cost the company a whopping $40 million in ransom.
#3 French Insurer AXA S.A.
In May 2021, the French insurance giant AXA was hit by a huge ransomware attack just a few days after it announced that it would not cover damage caused by that class of cyber attack in France. This attack targeted the insurance company’s Asia Assistance division and affected IT operations in Malaysia, Thailand, the Philippines, and Hong Kong. The Avaddon ransomware group claimed responsibility for this attack on its dark web site and took credit for stealing 3 terabytes of the company’s data.
#4 Tokio Marine Insurance Singapore
In August 2021, a subsidiary of Tokio Marine Group called Tokio Marine Insurance Singapore was hit by a ransomware attack. This attack affected only the organization’s Singapore subsidiary. No evidence of impact or damage on other group companies was found by the investigators. As soon as the attack was detected, the insurance company isolated the network to prevent any further damage.
#5 Arthur J. Gallagher & Co.
Counted amongst the largest insurance brokers in the world, Arthur J. Gallagher & Co. was targeted by a ransomware attack in September 2020. The attackers managed to gain access to the data contained within certain segments of the insurance company’s network. Highly sensitive personal, health, and financial information was stored on the systems compromised by the attack. Following the attack, the company was forced to shut down all of its systems to limit the damage.
Holistic Cyber Risk Management in Insurance Sector
As the instances mentioned above clearly indicate, insurance companies are highly vulnerable to various cyber risks. In addition to making the importance of cyber security in insurance companies blatantly obvious, these incidents also show that the security strategy for these companies should be more proactive instead of reactive.
So, what can you do to protect insurance companies against these cyber risks?
Well, here are some of the major measures you should definitely include in your cyber risk management strategy for insurance companies.
- Conduct Periodic VAPT– Vulnerability Assessment and Penetration Testing (VAPT) helps in detecting any weaknesses in your company’s IT infrastructure, enabling you to fix the weaknesses before a malicious actor can exploit them.
- Train Your Employees– No matter how expensive, sophisticated, or complex the security solutions you implement, your organization will be vulnerable to cyber attacks as long as your employees don’t have a basic understanding of cyber security. The best way to protect your company against social engineering attacks is to provide your employees with cyber security awareness training. You can use tools like TSAT to make the training sessions effective and engaging.
- Ensure Prompt Patch Management– Make sure all your software is kept up-to-date with the latest patches to avoid any exploitable vulnerabilities that may lead to a disastrous cyber attack.
- Ensure Proper Access Management– Limit a vendor’s access to your data depending on the vendor’s security posture. Make sure your vendors can only access the data they need to get on with their jobs and nothing more.
- Enforce Strong Password Policy– Weak passwords can become a massive vulnerability. Enforce a strong password policy across your organization and make sure your employees use unique, complex passwords for all their accounts.
With insurance companies coming under fire from all sides, it has become essential to take every preventive measure possible to protect your company. The prospect of massive financial losses, irreparable damage to the company’s reputation, and long draining legal battles are enough to demonstrate the significance of cyber security for insurance companies. So, take the measures mentioned above to make sure your company doesn’t have to suffer the damage only a cyber attack can cause.