Cybersecurity and Insurance Agencies: Best Practices

The insurance industry has become a prime target for cybercriminals due to the vast amounts of sensitive personal and financial data it handles. As cyber threats evolve and become more sophisticated, insurance agencies must prioritize robust cybersecurity measures to protect their clients' information and maintain trust in their services.

Various terms are used for the data cybercriminals target most often, including Protected Personal Information (PPI), Confidential Information (CI), and Protected Health Information (PHI). All of them overlap with Personally Identifiable Information (PII): name, address, phone number, and email address, together with more sensitive data such as Social Security numbers, credit card numbers, financial account numbers, student education records (including schedules), medical records, and passwords.

Cybersecurity by the Numbers

Paradoxically, cybercrime has become both a huge threat and a major source of growth for the insurance industry. Here are a few sobering statistics:

  • $7.2B: Approximate direct written premiums for cyber coverage by US-domiciled insurers in 2022 (NAIC)
  • $9.48M: Average cost of a data breach to a US company in 2023 (Statista)
  • 725 / 124M: Number of hacking incidents and of health records breached in the healthcare industry in 2023 (Managed Healthcare Executive)
  • 70: Number of cyber compromises in the financial services industry in Q1 2023 (RPS)

Cyber Threats Facing the Insurance Industry

Data Breaches

Data breaches pose a significant cybersecurity threat to insurance agencies. In recent years, several high-profile incidents have shown how exposed organizations that hold health and financial data are. For example, in 2023 HCA Healthcare, a hospital operator, disclosed a breach that exposed personal information, including names and addresses, of approximately 11M individuals. Such breaches can lead to severe financial losses, reputational damage, and legal consequences for insurance agencies.

Carriers are not the only targets. In August 2023, Keenan & Associates, an insurance brokerage, experienced a data breach that exposed PII. Five months later a class action suit was filed against Keenan asserting seven separate causes of action.

All 50 states, plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted laws that require companies to notify individuals when their information has or may have been compromised. 

Ransomware Attacks

Ransomware attacks have also become increasingly common in the insurance sector. These attacks involve cybercriminals encrypting an agency's data and demanding a ransom for its release. 

Often, these attacks are carried out through social engineering scams, such as phishing emails (see below). The scammers trick unsuspecting (and frequently under-trained) employees into downloading or opening attachments that contain malicious code. The impact can be devastating, potentially disrupting operations and compromising client information.

From 2022 to 2023, reported ransomware attacks in the US rose from 2,662 to 4,611, an increase of about 73%. Ransom payments reached a record $1.1 billion in 2023, and that figure excludes the cost of business disruption and reputational harm.

Social Engineering, Phishing, and More

A social engineering attack tricks a person into taking an action that benefits the attacker: revealing a password, opening a file, approving a payment. Cybercriminals use it to gain unauthorized access to systems and data by targeting employees and exploiting human habits such as trust, urgency, and deference to authority rather than flaws in software. Social engineering threats come in many forms, including the following:

Email Phishing is the most common form. Scammers register look-alike domains that resemble a real organization's domain, often by swapping one character for a similar one (the digit 1 for the letter l, or rn for m), and send thousands of emails from them. The email carries an attachment or a link that, when opened, lets the attacker plant code to extract data or monitor the victim's computer. In many cases no code is involved at all: the link leads to a fake login page that captures whatever the user types, which is why a link that prompts for credentials is the most dangerous variant. Checking that the sender's domain exactly matches the expected one, rather than merely resembles it, is the single most useful habit here.
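A small check for look-alike sender domains, as an added example and not code from the original page: it normalises a sender's domain by mapping commonly confused characters (the digit 0 for o, rn for m, Cyrillic letters for their Latin twins), then compares it to a constructed allowlist of trusted domains by exact match, by edit distance, and by whether a trusted name is merely embedded in a longer, unrelated domain. The trusted domains and the test senders are assumptions made for the example.

```python
"""Flag inbound sender domains that merely look like domains the agency trusts."""
from dataclasses import dataclass

# Constructed allowlist for the example: an agency would load its own domain,
# its carriers and its main vendors here.
TRUSTED_DOMAINS = {"example-insurance.com", "claims-portal.example.net", "microsoft.com"}

# Character sequences attackers swap because they look alike in common fonts.
# Multi-character entries come first so "rn" becomes "m" before single characters are mapped.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),  # Cyrillic a, e, o, p
]


@dataclass
class Verdict:
    domain: str
    trusted: bool
    suspicious: bool
    reason: str


def to_unicode(domain: str) -> str:
    """Turn a punycode (xn--) domain into its Unicode form so confusables can be mapped."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain  # already Unicode, or not valid IDNA: compare as given


def skeleton(domain: str) -> str:
    """Collapse a domain to the string a reader would perceive it as."""
    d = to_unicode(domain.rstrip(".")).lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent characters."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition such as "mircosoft"
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_sender_domain(domain: str, trusted=TRUSTED_DOMAINS) -> Verdict:
    """Classify a sender domain as trusted, suspicious look-alike, or unrelated."""
    raw = to_unicode(domain.rstrip(".")).lower()
    for t in trusted:
        if raw == t or raw.endswith("." + t):
            return Verdict(raw, True, False, f"exact match or subdomain of {t}")
    sk = skeleton(raw)
    for t in sorted(trusted):
        tsk = skeleton(t)
        if sk == tsk:
            return Verdict(raw, False, True, f"confusable characters imitate {t}")
        limit = 1 if len(tsk) < 12 else 2  # allow a little more slack on longer names
        if edit_distance(sk, tsk) <= limit:
            return Verdict(raw, False, True, f"within {limit} edit(s) of {t}")
        if tsk in sk:
            return Verdict(raw, False, True, f"embeds the trusted name {t} inside a different domain")
    return Verdict(raw, False, False, "no resemblance to a trusted domain")


if __name__ == "__main__":
    for d in ["mail.example-insurance.com", "examp1e-insurance.com", "rnicrosoft.com",
              "mircosoft.com", "microsoft.com-login.net", "micros\u043eft.com", "acme-benefits.org"]:
        v = check_sender_domain(d)
        print(f"{d:28} trusted={v.trusted!s:5} suspicious={v.suspicious!s:5} {v.reason}")
```

The skeleton map deliberately errs toward flagging: a hit means "look twice", not "block". In production the allowlist comes from the mail gateway's own configuration, and comparing only the registrable part of each domain (using the public suffix list) cuts the noise from legitimate subdomains.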

Spear Phishing is like email phishing but is focused on a specific set of users, such as IT or HR staff. Whaling, a variation of spear phishing, targets very high-level individuals such as C-level executives. In either case, attackers frequently impersonate senior executives or other trusted connections and convince targets to disclose sensitive, high-value information.

Vishing and Smishing are phone-based variants rather than email scams. In smishing, scammers send text messages with deceptive content and links. Vishing uses live phone calls in which the scammer speaks directly to the target, often posing as IT support, a bank, or a vendor.

Clone Phishing is another variation of phishing in which the attacker copies legitimate emails previously sent by trusted sources. Scammers replace the real link with one that redirects the victim to a fraudulent website where the victim provides their username and password to the scammer.

Pharming is a more sophisticated attack in which the scammer tampers with name resolution (by poisoning a DNS resolver, altering the organization's DNS records, or changing settings on a victim's router or hosts file) so that traffic meant for a legitimate website is routed to a fraudulent site that appears legitimate. Because the user typed the correct address, pharming defeats the "check the URL" advice that works against ordinary phishing; a valid TLS certificate for the real domain is the remaining signal.

Pop-up Phishing entails using pop-ups on websites. For instance, a pop-up that says the site wants to display notifications may install malicious code on a user’s computer when the person clicks, “Allow.”

Evil Twin Attacks use fake Wi-Fi hotspots that appear legitimate but are designed to intercept and steal sensitive data and login credentials sent over the connection. 

Insider Threats

Insider threats pose a significant cybersecurity risk to insurance agencies. Employees and contractors with authorized access to an organization’s systems, data or network can intentionally, accidentally, or through negligence, expose, steal, sabotage, or leak sensitive information. 

Because insiders don’t need to bypass firewalls or access policies, the threats caused by insiders can be difficult to detect. Implementing strict access controls and conducting regular audits are crucial in mitigating these risks.
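Insider activity looks like normal activity, so detection has to rest on the access trail rather than on the perimeter. The following added example (not code from the original page) audits a constructed record-access log for three signals: a user touching far more client records in a day than their peers, access outside business hours, and bulk exports. The log format, user names, and thresholds are assumptions made for the example.

```python
"""Audit a record-access log for insider-style patterns."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed log format for the example: one line per access to a client record.
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$")

# Constructed sample: two staff working normal hours, and one account that reads
# twenty-five policies at two in the morning and then exports a list.
SAMPLE_LOG = "\n".join(
    [
        "2024-03-04T09:02:10Z user=jdoe action=view record=policy-10021",
        "2024-03-04T10:15:44Z user=jdoe action=view record=policy-10388",
        "2024-03-04T13:40:02Z user=jdoe action=view record=policy-10402",
        "2024-03-04T15:05:31Z user=jdoe action=view record=policy-10077",
        "2024-03-04T09:30:00Z user=asmith action=view record=policy-20110",
        "2024-03-04T11:10:12Z user=asmith action=view record=policy-20114",
        "2024-03-04T14:22:48Z user=asmith action=view record=policy-20119",
        "2024-03-05T08:55:03Z user=jdoe action=view record=policy-10501",
        "2024-03-05T09:40:57Z user=jdoe action=view record=policy-10502",
        "2024-03-05T11:05:19Z user=jdoe action=view record=policy-10503",
        "2024-03-05T14:10:40Z user=jdoe action=view record=policy-10640",
        "2024-03-05T16:30:08Z user=jdoe action=view record=policy-10711",
    ]
    + [f"2024-03-05T02:{13 + i:02d}:00Z user=mroe action=view record=policy-{51000 + i}" for i in range(25)]
    + ["2024-03-05T02:40:00Z user=mroe action=export record=policy-list-all"]
)


def parse(log_text):
    """Return (timestamp, user, action, record) tuples; skip lines that do not match the format."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["action"], m["record"]))
    return events


def audit(events, business_hours=(7, 19), volume_factor=3, volume_floor=10):
    """Flag user-days that stand out. Returns (user, day, reason) tuples.

    Assumed thresholds: a day counts as high volume when the user touched at least
    `volume_floor` distinct records and at least `volume_factor` times the median
    user-day in the log; hours are UTC and `business_hours` is a half-open range.
    """
    records = defaultdict(set)    # (user, day) -> distinct records touched
    off_hours = defaultdict(int)  # (user, day) -> accesses outside business hours
    findings = []
    for ts, user, action, record in events:
        key = (user, ts.date().isoformat())
        records[key].add(record)
        if not business_hours[0] <= ts.hour < business_hours[1]:
            off_hours[key] += 1
        if action == "export":
            findings.append((user, key[1], f"export of {record}"))
    for (user, day), n in sorted(off_hours.items()):
        findings.append((user, day, f"{n} access(es) outside business hours"))
    counts = {k: len(v) for k, v in records.items()}
    baseline = median(counts.values()) if counts else 0
    for (user, day), n in sorted(counts.items()):
        if n >= volume_floor and n >= volume_factor * baseline:
            findings.append((user, day, f"{n} distinct records in one day, peer median {baseline:g}"))
    return findings


if __name__ == "__main__":
    for user, day, reason in audit(parse(SAMPLE_LOG)):
        print(f"{day} {user:8} {reason}")
```

None of the three signals is proof of wrongdoing on its own; a claims adjuster catching up after a storm will trip the volume rule. The point is that each one is visible only because record-level access is logged with the user identity attached, which is the audit trail the preceding paragraph asks for.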

Cybersecurity Strategies for Insurance Agencies

Build a Cybersecurity Team

Cybersecurity threats are evolving relentlessly, making investing in a cybersecurity team vital, even for smaller agencies. As Nordic Defender wisely points out, “No information system can be considered secure without a group of talented and knowledgeable people who understand and know what they should do to keep it safe and protected.”

A team of cybersecurity professionals must constantly be creating, updating, and tracking configuration profiles, attack surface reduction rules, security policies, compliance profiles, conditional access policies, and more.

Logically, an organization with no cybersecurity team is more vulnerable to data breaches than an organization with a cybersecurity team. Considering that the average breach costs almost $9.5M, a team that prevents a single event pays for itself easily. 

Implement Robust Cybersecurity Frameworks 

To combat cybersecurity threats, insurance agencies should implement robust cybersecurity frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or ISO/IEC 27001, the information security management standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). These frameworks provide comprehensive guidance for identifying, protecting, detecting, responding to, and recovering from cyber incidents.

Perform Regular Cybersecurity Risk Assessments

Regular risk assessments are crucial for maintaining a strong security posture. According to CrowdStrike, “A cybersecurity risk assessment is a systematic process aimed at identifying vulnerabilities and threats within an organization's IT environment, assessing the likelihood of a security event, and determining the potential impact of such occurrences.” 

Insurance agencies should conduct frequent security audits and penetration testing to identify and address potential weaknesses in their systems.

Implement a Vulnerability Management Process

A vulnerability management process is an ongoing, comprehensive, proactive, and often automated process designed and implemented to keep technology systems, networks, and applications safe from data breaches and cyberattacks. It’s much more than a one-time vulnerability assessment project. 

Vulnerability management tools such as Microsoft Defender Vulnerability Management, Tripwire, Qualys VMDR, Tenable Vulnerability Management, and Rapid7 InsightVM continuously scan networks, systems, and applications for known, exploitable weaknesses. They notify security staff of findings, rank them by severity and exploitability, and often include remediation instructions. The value comes from the follow-through: a finding that sits unpatched for months is no better than one never found, so track time-to-remediate as well as raw counts.

A strong vulnerability management process is an important component of a comprehensive cybersecurity plan.

Conduct Ongoing Training

Humans remain the weakest links in the data security chain. That’s why employee training and awareness programs are essential in creating a culture of cybersecurity within insurance agencies. Regular training sessions should cover topics such as identifying phishing attempts, proper handling of sensitive data, and adherence to security policies.

Programs that simulate attacks by, for instance, sending internally created phishing emails to employees, can work to identify individuals who need training and keep the entire organization vigilant. 

Develop an Incident Response Plan

Developing and maintaining an incident response plan is critical for minimizing the impact of cyberattacks. This plan should outline clear procedures for detecting, containing, and mitigating security incidents, as well as communication protocols for notifying affected parties.

A cyberattack is a stressful and disruptive event. During and immediately after an attack is the wrong time to be figuring out what to do.

Technological Solutions for Enhanced Security

In addition to vulnerability management tools, insurance agencies should leverage other technology solutions to enhance their security, such as:

  • Strong encryption to protect sensitive data both at rest (disk and database encryption, with keys kept separate from the data) and in transit (TLS on every connection, including internal ones).
  • Multi-factor authentication (MFA), which adds an extra layer of security by requiring more than one form of verification before granting access to systems or data. MFA should be enabled on every application and device that supports it, and phishing-resistant methods (hardware security keys or passkeys) should be preferred over SMS codes, which vishing and smishing attacks are designed to capture.
  • Intrusion detection and prevention systems (IDPS), which monitor networks for suspicious activity so that agencies can respond quickly to potential threats.

Consider Cybersecurity Insurance 

Cybersecurity insurance, or cyber insurance, covers your business' liability for a data breach that exposes sensitive information, such as Social Security numbers, credit card numbers, bank account numbers, and protected health information.

Typically, these policies cover legal fees and expenses and may also help with costs for notifying customers of a data breach, restoring the personal identities of affected individuals, recovering compromised data, and repairing damaged computer systems.

Additionally, agencies may want to consider an AI insurance policy covering risks associated with copyright infringement, mis- or disinformation, data privacy, and biased outputs.

The market for cyber insurance policies is in its early stages, with little risk history and a cybersecurity landscape that is evolving so rapidly that it makes assessing and pricing risk difficult. However, the support these policies can provide cannot be ignored given the ever-increasing growth of cyber threats and artificial intelligence.

Conclusion

As cyber threats continue to evolve, insurance agencies must remain vigilant and proactive in their approach to cybersecurity. By implementing best practices, leveraging advanced technologies, and fostering a culture of security awareness, agencies can better protect themselves and their clients from the ever-present threat of cyberattacks.

In addition, agencies must be familiar and compliant with the cybersecurity regulations of each state’s department of insurance where they are licensed to do business. A data breach is a massively disruptive, expensive, and stressful event. There’s no need to add the risk of sanctions, fines, or potential loss of licensure to that list.

Should you need help navigating the cybersecurity regulatory landscape, please reach out here to consult with an expert. We’d be delighted to help you.