While no industry is safe from cybercrime, the financial services industry — and specifically the insurance sector — continues to be a prime target, greatly impacted by the frequency and scope of cybercrime. Attacks like ransomware, phishing and, more frequently, social engineering fraud are costing companies an average of $9.44 million this year — more than twice the global average. 

There are a handful of reasons why insurance attracts cybercriminals, including the wealth of personal identifiable information (PII) that insurers manage and store, the industry's size, and the growing number of attack surfaces available. According to Todd Lukens, chief information security officer at Nationwide, insurers need to pay attention to how cyber fraud is changing, and take steps to reduce vulnerabilities to protect this valuable information. 

The changing nature of cyber fraud

A popular attack surface on the internet now are application programming interfaces (APIs), which Lukens notes is "the new language of commerce," in how they provide the framework for how systems interact with each other. "Threat actors have realized that APIs are a vehicle for sharing data, and insurers use them to ensure seamless interactions with partners, other members and companies," says Lukens. "If an API isn't designed with the right business logic, it can put sensitive information at risk for breach."

Insurers can be an unwitting conduit for malicious cyber activity. Something as simple as searching for auto insurance quotes on a quoting website can, through the API, expose potential customers to threat actors who steal the information transferred from a larger data source without ever having to do any kind of sophisticated attack.

New advances in technology are introducing new threats as well. Deep fakes are continuously evolving, allowing threat actors to take over someone's account or policy and issue a fake or fraudulent claim to get payment. They have come along much faster than anticipated with the advancements in generative AI. 

"We're seeing the intersection between phishing, social engineering and deep fakes now," said Lukens. "Every insurer must start anticipating new threats and plan early to protect against them. Aside from just protecting, insurers must also be able to detect a range of threats and respond accordingly."

Prevention and "defense in depth"

On the subject of protection, Lukens emphasizes something that we've all heard before. 

"Insureds should be very careful about what they post on social media. Even if you no longer use sites like Facebook, all the previous information you've posted is already out there," says Lukens. "Using information from your social footprint, threat actors can create a comprehensive profile of you that can then be used to take over your identity. That's where social engineering, phishing or deep fakes start too."

For insurers, Lukens stresses "defense in depth" — relying on a combination of business practices, technologies and processes for protection. At Nationwide, these multiple layers involve training as well, so that every customer-facing employee is educated and informed on how to detect and report cyber threats. Then, they're tested and retested to ensure their skills are up to date so they respond correctly in real life.

"At Nationwide, we know our customers trust us to protect their PII with extraordinary care," says Lukens. "We're committed to ensuring their personal information remains secure. It's what drives us every single day."