How insurers can protect against cybercrimes

Insurers that suffer a cyberattack could encounter financial losses, business disruptions and reputational damage, the same losses their policyholders would experience.


Since the start of the pandemic, cyberattacks have grown in frequency and sophistication. Coupled with the rise of distributed workforces, organizations — especially those that manage vast amounts of data — are becoming more vulnerable to these data breaches. In fact, Gartner predicts that by 2025, 45% of organizations worldwide will have experienced a cyberattack.

And while cybersecurity is becoming an increasingly key priority for all industries, it’s especially important for insurance.

Natural targets for cybercriminals

Insurers are more susceptible to cyberattacks for a few main reasons.

As a financial safety net, everyone needs insurance — which means insurance companies and consumers are required to share highly sensitive and personal information. Types of information include addresses, social security numbers, billing and payment information, and more.

Insurers are also prone to attacks because they are likely working with outdated and ill-equipped technologies. Insurers, by nature, are risk-averse, and making any kind of updates or changes to the technology they use can present risk. As a result, they are known for adapting more slowly to modernized processes and thus are likely operating in systems that are not built to detect or prevent cyberattacks, which ultimately increases the susceptibility of these systems and technologies to compromise.

For those that have implemented digital channels to better interact with consumers, the external exchange of this information can create more security gaps. Insurers become even more vulnerable if cybersecurity isn’t already built into the new system.

Known for possessing high volumes of sensitive data, insurers are responsible for understanding how they can safely store and protect the data of their customers.

Understanding potential points of attack

Cyberattacks can happen at any point for insurers. When insurers ask for information from consumers, the transfer of provided data opens the door for a potential breach. This occurs most often when data and information are shared during new business, underwriting and claims processes. During new business and the underwriting process, personal information about the applicant is required for the carrier to effectively evaluate the risk. Additionally, banking information must be collected to facilitate the payment of insurance premiums.

However, even when data is at rest, based on the systems and databases insurers use, sensitive information can still be prone to an attack. Cybercriminals can hide their tracks while navigating to the data in many ways, but often the easiest method is infiltrating a device that can readily access sensitive information, such as an office workstation or remote worker’s laptop, or exploiting a vulnerability in a system or database.

Although there are multiple benefits to digitally storing information, insurers that rely heavily on manual, paper-based activities also run the risk of accidental and internal exposure. Physical documents that contain and list the information can be easily stolen if left unprotected. Additionally, following the “paper trail” when trying to understand what has been lost can be much more difficult with physical mediums, compared to an IT system breach.

The aftermath of a cyberattack

If a cyberattack does occur, the results can be extensive and damaging for a company, making it difficult to recover. Insurers could face:

Financial losses: From potentially paying a ransom, lawyer fees to dispute any civil cases or paying IT teams to repair systems, insurers could suffer from the recovery costs associated with a cyberattack.

Business disruption: The setback may even disrupt operations, which could lead to a loss of revenue. Insurers may be prevented from performing day-to-day activities like claims processing if their system is down or information is stolen.

Reputational damage: The loss of current and potential customers could cause the most harm to insurers as it could take years to rebuild trust with them and stakeholders.

While the severity of attacks may differ, it’s challenging to predict when a cybercriminal may strike. To best protect themselves, insurers must strive to create a security-conscious environment and reevaluate their approaches to cybersecurity.

Adopting and improving cybersecurity — the warning signs

Whether cybersecurity measures are already in place or in progress, there are several warning signs insurers should recognize and address to prevent or mitigate an attack.

  1. Lack of awareness or training.

Insurers do not need to consider themselves “experts” in cybersecurity, but some education should be provided to all staff regardless of their role. Across different industries, many companies enforce recurring, mandatory training for employees to understand and prevent cyberattacks. Developing strong security awareness across departments enables multiple layers of protection for an organization.

It’s also become more common for companies to add security responsibilities to job descriptions, demonstrating the heightened awareness that any employee with access to the company’s network or resources must have training.

In some cases, customers and partners must work exclusively with companies committed to conducting cybersecurity training with their employees.

  2. Outdated software.

Operating within an outdated and ill-equipped system can hinder insurers’ ability to improve their cybersecurity posture. Instead, migrating to a private cloud provides extra layers of defense to prevent attacks with compliant and secure storage solutions. Regular intervals of patching are required when working in a private cloud, which results in improved security and performance for users.

Employee workstations and third-party software, such as web browsers, should be patched regularly and monitored for vulnerabilities. When working with IT teams, insurers should check that they formally adopt patching as part of their standardized processes. Without a patching program, the volume of vulnerabilities identified each week could be impossible to manage.

  3. Mismanagement of sensitive data and information.

Insurers need to establish formal data handling guidelines to safeguard information. This includes creating a policy that details how and where certain types of data can be used. Data loss protection (DLP) tools and resources can aid with creating a policy that is best suited for an organization. DLP can help ensure sensitive information is not lost, misused or accessed by unauthorized users in unauthorized places.

  4. Lack of adopting artificial intelligence (AI) and automation.

Managing and sorting large volumes of information can become overwhelming, especially for those that have not previously tried to tackle it. Analyzing and improving cybersecurity is not a human-scale task. Consider implementing security tools and logging systems that have some level of AI built into the framework. These technologies help insurers with monitoring attacks and provide meaningful guidance on how to address them. Since AI-based tools are designed to learn over time, they become stronger based on vulnerabilities or attacks previously identified.

  5. Lack of technical control levels.

To access sensitive information or resources, more companies are making multifactor authentication, biometrics or passkeys part of their norm. These cybersecurity measures can help block potential entry points for cybercriminals and reduce the impact of an attack. No longer viewed as optional steps, employees and IT teams should continue to embrace this change since it benefits the organization and its customers. For any new technical safeguards, it’s recommended insurers fold this into their regularly scheduled security awareness training.

No matter how much insurers invest in cybersecurity, no single tool can guarantee protection against all attacks. Cybercriminals are evolving their tactics and will always try to seek out any loopholes in systems. Although cyberattacks may be escalating, insurers can do their due diligence by understanding the landscape and knowing their options to build or improve their cybersecurity programs. The cost of a cyberattack can be detrimental to an insurer and their customers, which is why starting protection now is so important.

Jeff Hiegert (Jeff.Hiegert@hyland.com) is Hyland’s Industry Product Manager for Insurance and helps define the strategies and priorities for Hyland’s insurance-specific solutions. Dylan Border (Dylan.Border@hyland.com) is Hyland’s Director of Cybersecurity and leads teams that facilitate the secure operations of Hyland’s enterprise networks, systems and business processes.
