Insurance Companies Under Siege: Unraveling the High Stakes of Cyberattacks

Insurance Industry Faces Increasing Cybersecurity Threats

The Growing Target on Insurance Companies

Insurance companies have become prime targets for cyber attackers due to the abundance of personal, medical, corporate, and other confidential data they hold. In recent years, the number of cyberattacks on insurance companies has surged, with multiple high-profile incidents occurring just in 2023.

In June, Sun Life was targeted through an attack on its vendor Pension Benefits Information LLC. In May, Prudential Insurance saw over 320,000 customer accounts impacted, while New York Life Insurance Company had 25,700 accounts affected during the same period. Genworth Financial experienced a breach that affected up to 2.7 million individuals. These attacks all involved the MOVEit file transfer cyberattack.

Other common ransomware attacks have also targeted the insurance industry. Point32Health, the parent company of Harvard Pilgrim Health Care and Tufts Health Plan, was hit by a ransomware attack in April. NationsBenefits reported being a victim of the Cl0p ransomware gang. Managed Care of North America (MCNA) Dental experienced the largest attack on an insurance company in the US, compromising 9 million patient records through the LockBit attack.

The shift toward digital channels and the increasing dependence on technology in the insurance industry has made companies more vulnerable to cyber attacks. In an effort to create tighter customer relationships, offer new products, and expand their share of customers’ financial portfolios, insurance companies have invested in digital platforms and systems. However, this digital transformation has also opened up new avenues for cyber attackers to exploit.

The Risks Associated with Insurance Applications

The amount of private, corporate data collected in insurance applications has become a goldmine for cyber attackers. Marc Schein, a risk management consultant at Marsh McLennan Agency, highlights the vast range of potentially valuable information contained in insurance applications. This includes details such as the amount of insurance a company is purchasing, which can be useful for ransomware attackers seeking to maximize their demands. Additionally, insurance applications may reveal deficiencies in a company’s network security, providing attackers with insights into potential vulnerabilities.

In addition to personal and corporate data, other insurance products, such as errors and omissions policies or directors and officers policies, can provide valuable information about trade secrets, private information of key company executives, and data on potential business transactions. The exposure of this sensitive information can have significant consequences for companies.

Patricia Titus, Chief Privacy and Information Security Officer at Markel Insurance, emphasizes the importance of evaluating cybersecurity infrastructure not just for insurance clients but also for insurance companies themselves. Markel Insurance is actively exploring technologies to enhance its own data protection measures and microsegment its networks to limit attackers’ lateral movement in case of a breach.

Safeguarding Insurance Applications and Policies

Encrypting files sent during the insurance application process is a vital step in protecting sensitive information. This ensures that intercepted data during transmission remains unreadable by attackers. Companies should adopt robust encryption protocols to safeguard their customers’ data and protect their own operations.

Insurance companies must recognize that they are not just protectors of client data but also guardians of their own proprietary information. Trade secrets, private data about executives, and errors and omissions policies all contain valuable data that attackers can exploit if breaches occur. Implementing strong cybersecurity measures, including encryption, network segmentation, and regular vulnerability assessments, is crucial for preserving the confidentiality, integrity, and availability of critical information.

Editorial: The Urgent Need for Cybersecurity Investment in the Insurance Industry

The recent surge in cyberattacks against the insurance industry is a clear indication that the sector needs to take immediate action to strengthen its cybersecurity defenses. As insurance companies increasingly migrate to digital channels and expand their technological capabilities, the potential risks and consequences of cyber incidents become ever greater.

Protecting personal, medical, and corporate data should be a paramount concern for insurance companies. Beyond the financial costs of data breaches, there are significant reputational risks and potential legal consequences, especially with the increasing regulatory focus on data protection.

Insurance companies must allocate resources to invest in robust cybersecurity infrastructure. This entails implementing the latest security technologies, regularly assessing vulnerabilities, conducting comprehensive risk assessments, and fostering a strong cybersecurity culture within organizations. Collaboration with cybersecurity experts and industry partnerships should also be pursued to ensure that insurers stay ahead of emerging threats.

Advice for Insurance Companies and Consumers

To insurance companies:

• Invest in robust cybersecurity measures that include encryption, network segmentation, and regular vulnerability assessments.
• Train employees on best practices for data protection and create a strong cybersecurity culture within the organization.
• Collaborate with cybersecurity experts and leverage industry partnerships to stay updated on emerging threats.
• Regularly review and update security policies and procedures to address new risks.

To consumers:

• Ensure that the insurance companies you work with prioritize cybersecurity and data protection.
• Inquire about the security measures they have in place and their response plans in case of a data breach.
• Consider purchasing cyber insurance to mitigate the financial and reputational risks associated with potential data breaches.
• Take steps to protect your own personal data, such as using strong passwords, enabling two-factor authentication, and being cautious of phishing attempts.

The insurance industry plays a vital role in safeguarding individuals and businesses against unexpected risks. It is imperative that the industry takes proactive steps to fortify its defenses and protect the sensitive data entrusted to it.