Cyber threats aimed at the insurance sector: Are you prepared?

Matt Dowson, cybersecurity lead at cloud computing company iomart, outlines how digital transformation across the insurance industry has opened the door to more vulnerabilities, while the sector simultaneously grapples with data privacy regulations.

The insurance industry has embraced digital transformation over the last decade and as a result has seen several benefits and opportunities open up, including improved customer experience, more efficient operations, and reduced costs.

However, it has also made organisations within the sector a target for cyber-criminals seeking to exploit vulnerabilities and gain unauthorised access to sensitive data.

The impact of cyber attacks on insurers can be far-reaching, affecting not only the companies themselves but also the insured individuals and businesses who rely on them for protection and support.

IBM’s latest Cost of a Data Breach report stated that of all record types, customer and employee personally identifiable information (PII) is the costliest to have compromised.

As such, it is vital that the sector be aware of the predominant threats it could be facing, as well as how to combat them.

Data breaches and ransomware threats

The insurance sector collects and stores vast amounts of PII and financial data. A successful cyber-attack can result in a severe data breach, exposing policyholder information and leading to grave privacy concerns for employees and customers, as well as major financial implications for the company.

A recent example of such a breach occurred earlier this year when the personal information of more than 2 million Aflac life insurance and Zurich auto insurance policyholders in Japan was leaked online after cybercriminals compromised a third-party contractor.

Ransomware attacks have also become a significant threat to insurance companies, causing disruptions in operations and compelling organisations to pay hefty sums in ransoms to retrieve their data.

While ransomware is not a new tactic, it is one still very much favoured by financially motivated cyber-criminals. The newest technique, dubbed ‘double extortion’, involves cyber-criminals not only holding data to ransom, but also threatening to leak it on underground forums should companies refuse to pay up in a timely manner.

A recent example of this was a ransomware attack by the LockBit hacker group on US dental insurance giant, MCNA Dental. In this case, the ransomware group claimed to have published all of the files it exfiltrated after the company refused to pay the ransom demand.

Regulatory compliance

The insurance industry is subject to various data protection and privacy regulations, including the EU’s General Data Protection Regulation 2016 and the Data Protection Act 2018, both of which govern the collection, processing, storage and transfer of personal data in the UK. However, keeping up with the ever-evolving regulatory landscape can be a challenge.

Although compliance is not something we would deem a threat – its goal is quite the opposite – it can add to the pressure and stress when it comes to cybersecurity, with data breaches resulting in fines should companies be found not to be taking the appropriate measures.

What’s more, a change in regulation can trigger several changes across an organisation – for example, the need for legacy technology and systems to be updated, shifting customer expectations and therefore relationships, and operational changes to aspects like internal processes, documentation and communication methods.

How to prepare your organisation

Although the risk of falling victim to a cyber-attack cannot be eliminated entirely, there are steps organisations in the insurance sector can take to make it less likely.

Firstly, ensure the security of third-party providers. It doesn’t matter how strong your security policies and solutions are if the companies you work with don’t match your standards.

Secondly, always back up your data and make accessing it as difficult as possible. Measures such as multi-factor authentication, strong password policies and privileged access rules are effective here. Also, having an immutable backup that has been tested for restoration can be critical to your organisation’s overall security defence. Immutable backup systems are architected differently from those of the past, so that a copy of the data cannot be altered or deleted once written; this provides ransomware protection and safeguards data against a host of other dangers, both external and internal.

Thirdly, lean on cybersecurity consultants who understand the threat landscape and can advise on the best measures for you to deploy based on your infrastructure, budget, customer base, and on the type of data you store.

Lastly, ensure you have ongoing visibility into who and what is accessing your network. Hybrid working has made it more likely for new devices or users on the network to go undetected, so good asset management and network detection and response capabilities are essential.
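As an added illustration of the visibility point above (this is example code written for this page, not iomart’s tooling or anything from the original article), the script below reconciles DHCP lease events against a known-asset inventory: any device that obtains an address but is not in the inventory is flagged as unknown, a known device that announces a different hostname than recorded is flagged as drift, and inventoried assets that never appear are listed as missing. The log format follows the DHCPACK lines that ISC dhcpd writes to syslog; the inventory, MAC addresses, IPs and log lines are all constructed for the example.

```python
"""Reconcile DHCP lease events against a known-asset inventory.

Added example, not from the original article: one concrete form of
"ongoing visibility into who and what is accessing your network".
The log lines imitate ISC dhcpd's DHCPACK syslog format; every MAC,
IP, hostname and inventory entry here is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed asset inventory keyed by MAC address (hypothetical values).
KNOWN_ASSETS = {
    "aa:bb:cc:00:00:01": {"owner": "claims-desk-01", "hostname": "CLAIMS-PC-01"},
    "aa:bb:cc:00:00:02": {"owner": "underwriting-laptop-07", "hostname": "UW-LT-07"},
    "aa:bb:cc:00:00:03": {"owner": "print-server", "hostname": "PRN-01"},
    "aa:bb:cc:00:00:04": {"owner": "finance-nas", "hostname": "FIN-NAS-01"},
}

# Constructed syslog lines in ISC dhcpd's DHCPACK format.
SAMPLE_LOG = """\
Jun 12 08:01:10 dhcp1 dhcpd[912]: DHCPACK on 10.20.1.15 to aa:bb:cc:00:00:01 (CLAIMS-PC-01) via eth0
Jun 12 08:03:42 dhcp1 dhcpd[912]: DHCPACK on 10.20.1.16 to aa:bb:cc:00:00:02 (UW-LT-07) via eth0
Jun 12 08:07:05 dhcp1 dhcpd[912]: DHCPACK on 10.20.1.77 to de:ad:be:ef:00:99 (android-3f2a) via eth0
Jun 12 08:09:31 dhcp1 dhcpd[912]: DHCPACK on 10.20.1.16 to aa:bb:cc:00:00:02 (UW-LT-07) via eth0
Jun 12 08:11:00 dhcp1 dhcpd[912]: DHCPACK on 10.20.1.90 to aa:bb:cc:00:00:03 (PRN-01-new) via eth0
Jun 12 08:12:44 dhcp1 dhcpd[912]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
"""

# Only completed leases (DHCPACK) are evidence that a device got onto the network.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<hostname>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass
class ReconcileResult:
    unknown: dict = field(default_factory=dict)         # mac -> {"ip", "hostname"}
    hostname_drift: dict = field(default_factory=dict)  # mac -> {"expected", "seen"}
    seen_known: set = field(default_factory=set)        # MACs from inventory that appeared


def parse_dhcpack(line):
    """Return the fields of a DHCPACK line, or None for any other line."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["mac"] = event["mac"].lower()  # normalise so inventory lookups are case-insensitive
    return event


def reconcile(log_text, inventory):
    """Compare every completed lease in log_text with the asset inventory."""
    result = ReconcileResult()
    for line in log_text.splitlines():
        event = parse_dhcpack(line)
        if event is None:
            continue
        mac = event["mac"]
        asset = inventory.get(mac)
        if asset is None:
            # A device obtained an address but nobody has recorded owning it.
            result.unknown[mac] = {"ip": event["ip"], "hostname": event["hostname"]}
            continue
        result.seen_known.add(mac)
        # Same hardware, different name: re-imaged, re-purposed, or spoofed MAC.
        if event["hostname"] and event["hostname"] != asset["hostname"]:
            result.hostname_drift[mac] = {"expected": asset["hostname"], "seen": event["hostname"]}
    return result


def missing_assets(result, inventory):
    """Inventoried devices that never obtained a lease in this log window."""
    return sorted(set(inventory) - result.seen_known)


if __name__ == "__main__":
    r = reconcile(SAMPLE_LOG, KNOWN_ASSETS)
    for mac, info in r.unknown.items():
        print(f"UNKNOWN  {mac} took {info['ip']} (hostname {info['hostname']!r})")
    for mac, info in r.hostname_drift.items():
        print(f"DRIFT    {mac} expected {info['expected']!r}, saw {info['seen']!r}")
    for mac in missing_assets(r, KNOWN_ASSETS):
        print(f"MISSING  {mac} ({KNOWN_ASSETS[mac]['owner']}) never leased an address")
```

In practice the inventory would come from a CMDB or endpoint-management export and the log from the DHCP server’s syslog feed; the value of the check is in running it continuously, so that an unrecorded device or a renamed host is raised the day it appears rather than discovered during an incident.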

No one solution will be a silver bullet when it comes to preventing a cyber-attack; however, implementing some or all of these measures is a positive step forward as you progress on your security journey.

Overall, strong cybersecurity must not be seen as a point-in-time activity or box-ticking exercise – it should be seen as a continuous strategy that adapts and aligns with your current priorities and challenges, as well as the broader threat landscape.