Matt Dowson, cyber security lead at iomart, takes a look at cyber security, ransomware and other threats facing insurance brands.
Despite a relatively slow start, the insurance industry’s race towards digital transformation has picked up pace over the last few years. COVID-19 and the rise of “insurtechs” hoping to modernise the industry have resulted in a sector embracing technology. In fact, research from Gartner found that global insurance firms plan to increase their investment in application modernisation (68%), cloud platforms (47%) and artificial intelligence/machine learning (40%).
This transformation journey has had a considerable impact on the sector, from the adoption of nascent technologies like blockchain, enhanced data analytics and insights, to improved customer experience and reduced business costs. However, as organisations continue embracing innovative technologies, the sector becomes increasingly susceptible to cyber threats. Malicious actors are actively targeting insurance firms to exploit vulnerabilities and gain unauthorised access to sensitive data.
The impact of cyber-attacks on insurers can be far-reaching, affecting not only the companies themselves but also the insured individuals and businesses who rely on them for protection and support. IBM’s latest Cost of a Data Breach Report found that, of all record types, customer and employee personally identifiable information (PII) is the costliest to have compromised. As such, it’s vital that the sector is aware of the predominant threats it could be facing as well as how to combat them.
Data breaches and privacy concerns
The insurance sector collects and stores vast amounts of Personally Identifiable Information (PII) and financial data. A successful cyber-attack can result in a severe data breach, exposing policyholder information and leading to serious privacy concerns for employees and customers as well as major financial implications for the company.
The industry witnessed this earlier this year when the personal information of more than 2 million Aflac life insurance and Zurich auto insurance policyholders in Japan was leaked online after cybercriminals compromised a third-party contractor.

The rise of ransomware
Elsewhere, the threat of ransomware has significantly increased over the last few years. In fact, ransomware is one of the most persistent cyber threats across the entire UK, affecting all types of businesses. For insurers, however, ransomware attacks cause significant disruptions in operations, often forcing organisations to pay hefty sums in ransoms to retrieve their data.
Ransomware is by no means a new tactic and, despite major government and law enforcement intervention, it will likely remain a threat to businesses from financially motivated cybercriminals for some time.
Ransomware threats also commonly evolve as cybercriminals become more advanced in their tactics. The latest technique, ‘double extortion’, involves cybercriminals not only holding data to ransom, but also threatening to leak it on underground forums should companies refuse to pay up in a timely manner.
The US dental insurance giant, MCNA, was recently attacked in this way by the LockBit hacker group, which claimed to have published all of the files it exfiltrated after the company refused to pay the ransom demand.
The hidden threat of fraud
While ransomware can often grab the headlines, companies are now wrestling with the threat posed by invoice and payment fraud. This is where, typically, a fraudster poses as a supplier.
By compromising a third party in your supply chain, they tell you their payment details have changed and provide new bank account details. This may be followed up with a notice stating the payment is overdue and is required urgently. The fraud may then only be realised when the genuine supplier seeks payment.
Barclays has found that UK firms lost more money to invoice-related scams than any other type of fraud during the three-month period ending Feb 2022.

Regulatory compliance
Insurance companies are bound by several regulations under the Prudential Regulation Authority, including various data protection and privacy rules such as GDPR and the Data Protection Act 2018. These regulations, designed to govern the collection, processing, storage and transfer of personal data in the UK, have markedly improved the safeguarding of sensitive information.
It may seem strange that although regulatory compliance rules are designed to protect people from malicious actors, their very presence can add to the pressure and stress of cybersecurity for insurance firms. If any data breaches do occur, insurance companies face fines if they’re found not to have taken the appropriate measures to mitigate them.
Preparation is key
Increasingly sophisticated hackers have made cyber-attacks almost impossible to prevent, but there are steps insurance firms can take to reduce the likelihood of them happening. Vetting the security of third-party providers is critical. A third-party business’ lack of cyber protection could completely undermine an insurance business’ cybersecurity measures, no matter how strong they are.
For organisations in the insurance sector, which hold huge volumes of personal customer data, ensuring all information is backed up is key to reducing data breach threats. Strong passwords, multi-factor authentication and privileged access rules can all be used to safeguard data. Immutable backup systems, which provide ransomware protection and safeguard data against malicious actors, can be a critical aspect of a business’ cybersecurity arsenal.
Finally, seeking the advice of trusted cybersecurity consultants who understand the challenges of an organisation and industry, but also the wider threat landscape, is a must. These consultants can ensure a business’s cybersecurity is adequate for its infrastructure, budget, customer base and the type of data it stores.
Conclusion
For insurance businesses, protecting against cybersecurity threats is critical not only for financial and reputational issues, but also to protect against compliance repercussions.
The variety of threats now facing organisations means cybersecurity can no longer be a tick box exercise. A considered cyber strategy is critical for every business – particularly those in regulated industries such as insurance.
