Insurance-Related Cyberattacks on the Rise: Are Agencies Prepared?

October 17, 2022 by

Insurance has become one of the top industries targeted by cybercriminals. In fact, a recent ranking by the cybersecurity vendor Ekran included finance and insurance as one of the five industries “most at risk of data breaches.”

As SC Media, published by the CyberRisk Alliance, noted this spring, “[G]iven the bounty of information held by insurance companies, it was only a matter of time before hackers started going after traditional insurance companies.”

Since the primary motivation for cybercrime is to extract information that can be sold on the dark web, insurance client lists can be quite valuable. There are some well-known companies that have been in the news due to cyberattacks.

But just as insurers are at greater risk, so too are insurance agencies. Agents and brokers are often the first to collect and process the client data that makes its way through the insurance value chain. Smaller, mom-and-pop agencies are especially vulnerable because they haven’t always invested in the security protections required to thwart cyberattacks.

Today, any business — regardless of size — that possesses digitized information is a target for malware, phishing, ransomware and denial-of-service attacks. Agencies need to be prepared.

Third-Party Due Diligence

Many insurance agencies rely on third-party providers for software, IT infrastructure, and network management and monitoring. While large cloud providers such as Amazon, Microsoft and Google have robust security protections built into their platforms, smaller vendors may not.

Third-party risk management is an important first defense for agencies that rely on vendors for their digital needs. In addition, many state and federal cybersecurity regulations now include third-party compliance requirements.

Conducting an annual, in-depth information security review of your organization’s third-party providers not only can satisfy these regulatory requirements, but also provide peace of mind that sensitive data and systems are being protected properly according to industry standards.

At the very least, you should ask for and examine these four items during your review:

It’s also a good idea to spell out in any agreements you have with vendors how data will be safeguarded, stored and accessed by these third parties.

The Rise of Ransomware

In just a few short years, ransomware has become a universal threat, sparing no industry or type of business. Victims range from large corporations to nonprofits, government agencies and even churches. Overnight, ransomware victims discover that all of their network files have been encrypted, rendering them useless. In order to receive a key that can decrypt their files, the victim must pay a ransom.

The cause of a ransomware infection is usually pretty simple: human error or lax safeguards. Most ransomware enters a network through a phishing email that someone mistakenly opens, leading to a malicious download or a click-through to a fraudulent website.

Insurance agencies can protect against ransomware by adopting mitigation strategies that are part of any sound data security policy. Following good cyber hygiene means regularly updating your systems with the latest security patches and filtering out spam emails.

Kaspersky, the antivirus software maker, has one of the better checklists for preventing ransomware attacks. Here are some vulnerabilities that Kaspersky says could make your agency more susceptible to hackers:

  • Your devices have outdated software.
  • You’re not running the latest security patches on your browser and operating system.
  • You don’t have a backup plan for your data.
  • You don’t have a cyber-security prevention plan.

To prevent a ransomware infection, Kaspersky has these reminders:

  • Never click on unsafe links.
  • Avoid disclosing personal information.
  • Don’t open suspicious email attachments.
  • Never connect to unknown storage media.
  • Use only known download sources.
  • Keep your programs and operating system up to date.
  • Use a virtual private network (VPN) when connected to public Wi-Fi.

Instituting Cybersecurity Controls

If your agency writes cyber insurance, you know that carriers are tightening the cybersecurity requirements your clients must meet to become insurable. A good question to ask yourself is whether your agency meets those same requirements.

Here are a few of the cyber-protections that most insurers look for in a potential cyber insurance customer. How many of these have you implemented at your agency?

Multifactor Authentication (MFA). Using MFA for your logins is a must these days. Many software programs offer MFA as an option, but it has to be turned on. Be sure you’ve activated MFA so that it takes more than one credential to log in to your systems. Consistently enforce MFA across all platforms and channels, including email and social media.
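To make concrete what “more than one credential” means in practice, here is an added example (not code from the original article or from any vendor it mentions) of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238), the kind of second factor an authenticator app produces. The user record, password and timestamps are constructed; the TOTP secret is the RFC 6238 reference secret so the codes can be checked against the published test vectors.

```python
"""Added example: a login that requires two factors, a PBKDF2-hashed password and a
TOTP code (RFC 6238). User record, password and timestamps are constructed for
illustration; the secret is the RFC 6238 reference secret (T=59 -> code 287082)."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed demo secret (the RFC 6238 reference secret, ASCII "12345678901234567890").
DEMO_TOTP_SECRET = b"12345678901234567890"


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash; only the salt and hash are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over the time counter."""
    counter = int(unix_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: random salt, password hash, enrolled TOTP secret."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def login(user: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. Comparisons are constant-time, and one 30-second
    window either side of 'now' is accepted to tolerate small clock drift."""
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now + drift), code)
        for drift in (-30, 0, 30)
    )
    return pw_ok and code_ok  # a correct password on its own is never enough


if __name__ == "__main__":
    user = make_user("correct horse battery staple", DEMO_TOTP_SECRET)
    print("password only:", login(user, "correct horse battery staple", "000000", now=59))
    print("password + code:", login(user, "correct horse battery staple", "287082", now=59))
```

The point the article makes is visible in `login`: a stolen or phished password fails unless the attacker also holds the enrolled secret that generates the current code, which is why the control has to be switched on for every account, not just offered as an option.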

Password Protection. In addition to MFA, strengthen your password requirements and use password managers to generate and protect unique passwords. Employees should have access privileges for only those systems they need to use.

Removal of Outdated Devices and Systems. Unsupported platforms are highly vulnerable to cyberattacks. Remove old software and devices that no longer receive security updates.

Firewalls. Bad actors often infiltrate a company’s networks through exposed remote desktop access. Protect your systems by requiring the use of a VPN or other secure gateway when employees are accessing networks remotely. Firewalls can also segment networks and data so that only certain types of traffic, or certain users, can reach each part of the network.

Backups. Encrypt your backups and store them on an “air-gapped” device, one that isn’t connected to the internet or to your working network. Regularly test your backup procedures by actually restoring from them, and have a plan for restoring your systems if there is an incident.
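“Regularly test your backup procedures” is the step most often skipped, so here is an added example (not code from the original article) of what a restore test looks like: build a backup archive, record a SHA-256 manifest alongside it, then extract the archive into a scratch directory and check every file against the manifest. Encrypting the archive and copying it to the offline device are assumed to be handled by a separate tool; the sample client files in `demo()` are constructed for illustration.

```python
"""Added example: create a backup archive with a SHA-256 manifest and run a restore
test that extracts it to a scratch directory and verifies every file. Encryption at
rest and the copy to the air-gapped device are assumed to happen elsewhere."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large policy documents don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map of relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source; return the manifest to store beside the archive."""
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(child, arcname=child.name)
    return build_manifest(source)


def restore_test(archive: Path, manifest: dict) -> list:
    """Extract into a throwaway directory and compare with the manifest.
    Returns a list of problems; an empty list means the backup restores cleanly."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter rejects absolute paths and path traversal in members.
                tar.extractall(scratch, filter="data")
            except TypeError:  # older Pythons without the filter argument
                tar.extractall(scratch)
        restored = build_manifest(Path(scratch))
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content mismatch: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected file in archive: {rel}")
    return problems


def demo() -> dict:
    """Constructed sample: two small files, a backup, a clean restore test, and a
    deliberately corrupted manifest entry to show what a failing test reports."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "clients"
        (src / "policies").mkdir(parents=True)
        (src / "clients.csv").write_text("id,name\n1,Sample Client\n")  # constructed
        (src / "policies" / "p1.txt").write_text("constructed sample policy")
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        tampered = dict(manifest, **{"clients.csv": "0" * 64})
        return {
            "files": sorted(manifest),
            "clean": restore_test(archive, manifest),
            "tampered": restore_test(archive, tampered),
        }


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the offline copy of the archive, and schedule the restore test rather than running it once: a backup that was never restored is a hope, not a control.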

Employee Training. The human element remains the leading reason criminals are able to penetrate an organization’s networks. Training your employees to follow good cybersecurity practices is key.

Creating a culture of awareness and caution is by far the most important and least costly preventative measure you can take. Nine times out of 10, when a forensics investigation is made into the cause of a breach, it turns out someone opened a malicious file, forgot to protect a password, visited a suspicious website or failed to back up their files.

With a little education and some basic cyber hygiene, you should have a fighting chance of avoiding the cost, lost business and liability that can result from a cyberattack. Don’t wait until it’s too late to take steps to protect your agency.