In the last two years alone, the number of successful cyber attacks has grown dramatically. This rapid growth in attacks comes as insurance companies migrate toward digital channels to create sticky customer relationships, offer new products, and expand their share of their customers’ financial portfolios. It is estimated that attackers have penetrated this sector to exfiltrate the personally identifiable information (PII) of more than 100 million Americans.
The US insurance industry reports net premiums totaling $1.22 trillion written in 2018. Fifty-one percent of those premiums were written by property/casualty insurers, while life/annuity insurers wrote 49 percent. There were 5,965 insurance companies in the US that year.
The top writers of property/casualty insurance in 2019 were State Farm, Berkshire Hathaway, and Progressive Corp. The top life/annuity writers were MetLife, Prudential, and Equitable Holdings.
There were 2.8 million people employed in the insurance industry in 2019. Of these, 1.6 million worked for insurance companies and 1.2 million for agencies, brokers, and other related enterprises.
Insurance companies are known to store large amounts of information about their policyholders. This practice makes them a target for cybercriminals. It is expected that attacks against the insurance industry will continue to grow in frequency and severity.
The insurance sector is under pressure to embrace innovation and modernize its systems and infrastructure from two fronts. Like the rest of the financial services industry, insurance consumers demand services 24/7/365 via smartphone apps. Also, financial technology companies such as Kickstarter, Patreon, GoFundMe, and others are encroaching on their traditional market space.
Providing real-time insurance and financial services with a seamless and frictionless customer experience requires the latest infrastructure technology and highly skilled personnel. Cybersecurity must be “baked in” to new software and applications. Patching up legacy systems leaves this sector vulnerable to cyberattack.
Cybersecurity within the insurance industry
Cybersecurity within the insurance industry is vital because of the industry’s size and scope and the vast amounts of data consumed by companies in this sector. We all need insurance of some type, usually more than one kind. We are required to surrender contact information, financial information, and even health information to purchase insurance. Often this information is requested before writing an insurance policy and may be given to multiple insurance companies as consumers shop around.
In January 2020, Digital Guardian, providers of a data protection platform, published the results of a survey. In this survey, they asked 20 insurance industry security professionals to respond to a single question. That question was, “what are the top security considerations for insurance companies and how to mitigate [them]?”
The blog post delineating Digital Guardian’s findings, by Juliana De Groot, is instructive because it offers the unique perspective of those who work in the industry. It does not mean that these security professionals have all the answers to questions related to this sector, but it does show what they think their problems and solutions are.
Nearly every response discussed the importance of protecting the massive amounts of PII and other sensitive information they store. There was universal agreement that the insurance industry must collect, store, and transmit all kinds of personal data about vast numbers of people by the nature of their business.
The concerns about exposure to financial liability resulting from these vast databases include significant judgments in potential lawsuits by clients, fines from running afoul of regulatory agencies, and ransoms extracted by those wielding ransomware against their organization. There was no clear favorite for these “keep you up at night” scenarios. All could potentially happen and would be equally devastating.
There were four definite themes in the “what can be done about it” or the mitigation strategies category. Most commonly offered as the most effective remedy against cyberattack was to make improvements in technology and policy. These respondents seem to understand that good technology does little good without a corresponding and equally effective policy. Technology alone will not provide adequate protection against most types of attacks. There are too many ways a policy can negate the value of technology. Leaving a database exposed in the cloud because of an unclear policy will undermine any sophisticated access control or perimeter protection technology.
The next three mitigation measures seemed to weigh equally among the respondents. They are technology alone, policies alone, and user training. The merits of technology alone or policy alone need not be discussed because they are inferior to technology and policy combined as a mitigation strategy. One can assume these respondents did not have time to articulate their entire opinion about mitigation and chose only their top approach.
User training was included in several responses and is worth noting because it is consistent with most cybersecurity research. Study after study confirms that most attacks depend on some form of social engineering. A successful social engineering attack, or attack element, is almost always the result of inadequate user training. Cybercriminals depend on their ability to trick users into providing information that, combined with other accumulated information, provides the keys needed to launch an attack.
Cybersecurity within the insurance industry is much like that in other sectors. The same cyberattacks and techniques are deployed by criminals looking for much the same types of data – something they can sell or ransom for money. The insurance industry is unique because they consume, store, and transmit information about much of the world’s population. Nearly everyone has some form of insurance, and insurance companies need to know a lot about their customers and potential customers. It is a Big Data industry, and much of that data is sensitive information about people.
While breaches at insurance companies may not be among the top data breaches of the century, this sector has garnered plenty of attention from cybercriminals. Even insurance companies that clearly understand the cyber threatscape are not immune from becoming victims themselves.
In their 2019 security report entitled Cyber Attack Inevitability, Chubb may have been more prophetic than intended. Headquartered in Warren, New Jersey, Chubb is a global provider of insurance products covering property and casualty, accident and health, reinsurance, and life insurance. They are the largest publicly traded property and casualty company globally and a leader among cybersecurity insurance providers.
On March 26, 2020, a threat analyst from the New Zealand-based web security firm Emsisoft publicized a ransomware attack against Chubb in an email to the news media. Emsisoft’s Brett Callow said the incident in question came from the so-called Maze ransomware. Maze, an unusually sophisticated strain of Windows ransomware, steals data, spreads through a network, and infects every computer with which it comes in contact.
As an indicator that this attack was more about exfiltrating data than taking down the Chubb systems, Jeffrey Zack, a spokesperson for Chubb, said there was “no evidence” that the breach had hit the company’s own network, adding that it was “fully operational.” Zack did not say anything beyond that.
As proof of their success, Callow said the attackers posted a listing on their website claiming to have data stolen from Chubb. This information included the names and email addresses of three senior executives, including CEO Evan Greenberg. Chubb has not disclosed if a ransom was demanded or if it was paid.
In December 2019, the FBI privately warned businesses of an increase in Maze-related ransomware incidents.
It is interesting to note that last year Target filed a $74 million lawsuit against Chubb after the retailer claimed the insurance carrier failed to adequately compensate it for the costs incurred from its 2013 data breach involving the theft of 110 million customers’ data.
Just knowing the dangers is no protection against a cyberattack. In their 2019 “Cyber Attack Inevitability” report, Chubb wrote, “When an employee at a nonprofit accidentally visited a malicious website at work, the company’s shared server became infected with a virus that encrypted all of its files. Cybercriminals then tried to extort money from the nonprofit in exchange for releasing their stolen documents.” It is easy to imagine that something very similar to this scenario happened in the case of the Chubb Maze attack.
The insurance industry and risk
Ask any number of security professionals about the options for managing risk, and the answers will likely be similar. Security specialists and risk managers across all disciplines generally agree that there are four options for dealing with risk. While the names and descriptions may vary from industry to industry, the four universally accepted methods for handling risk are:
- Avoidance (stay away from risky endeavors)
- Mitigation (institute processes, procedures, and systems to reduce risk)
- Transfer (outsource, usually by insurance, the risk to another entity)
- Acceptance (take the chances associated with the probability of the event occurring)
In one sense, the insurance industry understands risk better than any other business sector. After all, these companies are in the business of assuming risks that other enterprises choose to outsource using insurance. Risk-averse enterprises across all markets transfer a portion of their cybersecurity risks to insurance companies to minimize their exposure to the results of a significant cyber attack.
Actuarial science and cybersecurity
The discipline that assesses financial risk using mathematical and statistical methods is called actuarial science. Actuarial science uses the mathematics of probability and statistics to define, analyze, and solve the financial relationships of uncertain future events. It attempts to quantify the risk of an event occurring using probability analysis to determine its economic impact.
Many companies within the insurance industry are masters at actuarial science. They employ actuaries — professionals who assess and manage the risks of financial investments, insurance policies, and other potentially risky ventures. These actuaries apply actuarial science techniques to understand the liabilities associated with cybersecurity insurance policies as well as cyberattacks themselves.
The insurance industry has not proven itself to have an advantage when it comes to protecting against cyberattacks. Still, the deep understanding of risk within this sector allows many insurance companies to make informed decisions about how much cyber risk to avoid, mitigate, transfer to another insurance company, or simply accept.
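As an added illustration of the risk-quantification idea in this section (not code from the article, and not any insurer’s actuarial model), the Python below prices the four handling options listed above, avoidance, mitigation, transfer and acceptance, for one constructed breach scenario using the annualized loss expectancy (ALE) model: ALE is the single loss expectancy (SLE) multiplied by the annual rate of occurrence (ARO), and each option is scored as its annual spend plus whatever expected loss it leaves behind. All dollar figures, rates, control effects and policy terms are constructed assumptions.

```python
"""Compare avoid / mitigate / transfer / accept for one cyber-loss scenario
using the ALE model. Every number below is a constructed example value."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One loss scenario in ALE terms (constructed example data)."""
    name: str
    sle: float  # single loss expectancy: dollar cost of one occurrence
    aro: float  # annual rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro


def accept(s: Scenario) -> float:
    """Acceptance: nothing is spent, so the whole expected loss is retained."""
    return s.ale


def mitigate(s: Scenario, control_cost: float, aro_reduction: float) -> float:
    """Mitigation: annual cost of the control plus the residual ALE after the
    control cuts the occurrence rate by `aro_reduction` (a fraction 0..1)."""
    if not 0.0 <= aro_reduction <= 1.0:
        raise ValueError("aro_reduction must be a fraction between 0 and 1")
    residual = replace(s, aro=s.aro * (1.0 - aro_reduction))
    return control_cost + residual.ale


def transfer(s: Scenario, premium: float, deductible: float, limit: float) -> float:
    """Transfer: annual premium plus the part of each loss the policy does not
    pay (the deductible below, and anything above the coverage limit)."""
    paid_by_insurer = min(max(s.sle - deductible, 0.0), limit)
    retained_per_event = s.sle - paid_by_insurer
    return premium + retained_per_event * s.aro


def avoid(forgone_value: float) -> float:
    """Avoidance: the loss can no longer occur, but the value of the abandoned
    activity (e.g. revenue from a withdrawn digital channel) is given up."""
    return forgone_value


def cheapest(costs: dict[str, float]) -> tuple[str, float]:
    """Return the option with the lowest expected annual cost."""
    return min(costs.items(), key=lambda kv: kv[1])


def evaluate_sample() -> dict[str, float]:
    """Constructed scenario: a breach of a policyholder PII store costing $2M
    per event, expected once every four years (ARO 0.25), so ALE = $500k."""
    pii_breach = Scenario("policyholder PII breach", sle=2_000_000, aro=0.25)
    return {
        "accept": accept(pii_breach),
        # assumed control: $150k/yr, cuts the occurrence rate by 60%
        "mitigate": mitigate(pii_breach, control_cost=150_000, aro_reduction=0.6),
        # assumed cyber policy: $120k premium, $250k deductible, $1M limit
        "transfer": transfer(pii_breach, premium=120_000, deductible=250_000, limit=1_000_000),
        # assumed forgone value of shutting down the activity that creates the exposure
        "avoid": avoid(forgone_value=800_000),
    }


if __name__ == "__main__":
    costs = evaluate_sample()
    for option, cost in costs.items():
        print(f"{option:9s} expected annual cost: ${cost:,.0f}")
    name, cost = cheapest(costs)
    print(f"lowest expected annual cost: {name} (${cost:,.0f})")
```

The point the numbers make is the one the section makes in prose: with ARO and SLE in hand, each option becomes a comparable dollar figure, and the answer changes as the premium, deductible, control cost or occurrence rate changes. In practice the options are combined (a control that lowers ARO usually also lowers the premium), and a single-point ALE hides the variance that an actuary would model with a full loss distribution.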
The risk of experiencing a significant cyberattack will vary from industry to industry. Only healthcare must protect against attacks on IoT devices that keep patients alive. The financial sector alone provides adversaries with an attack vector directly to other people’s money. The insurance industry manages huge amounts of data and can offer valuable insights into how risk can be reduced to actionable numbers and dealt with appropriately in the hands of a trained actuary.
What makes cybersecurity challenging within the insurance field?
The unique cybersecurity challenges faced by the insurance industry are interrelated and stem from the vast amount and varying types of sensitive data with which this sector deals. It is also essential that insurers create and maintain trust relationships with their customers. Finding solutions to these challenges is critical for the health of the industry.
The nature of the insurance business dictates that the industry collects, processes, and analyzes massive amounts of structured and unstructured data. Structured data is highly organized and formatted such that it is easily searchable in relational databases. It is programmatically correct and machine-readable. Examples of structured data used by insurers include name, address, vehicle information, medical history, dates, and claim history. Unstructured data, by contrast, has no predefined format or organization, making it more difficult to use and protect.
Unstructured data is information insurers collect in a human-readable format. It can be used to fine-tune what an insurer will or will not cover, spot indicators of fraud, and provide a customized customer experience. This data comes from email, written reports, photographs, multimedia, social media, and data analytics. It can be data that needs to be preserved for legal purposes, intellectual property, and customer PII.
Traditional security tools and technologies used for the prevention of cyberattacks are not sufficient for many insurance businesses, particularly those that handle large volumes of unstructured data. Insurance company staff in charge of data analysis often do not have the required knowledge to respond effectively to potential threats that may arise from the use of varying types of data.
Paramount to the success of an insurance company is its reputation. Nearly everyone needs insurance, but there are many insurance companies from which to choose. Trust is an essential factor weighed by consumers when deciding on an insurance carrier. They need to know that the insurance company will pay if they have a claim and that they will protect their private and sensitive data.
A highly publicized cybersecurity breach of customer data can undermine an insurer’s reputation and have severe repercussions in the marketplace.
Cybersecurity solutions for the insurance industry
Research for cybersecurity solutions for protecting Big Data generally and the insurance industry specifically is advancing rapidly. Large data sets, including financial and private data, are a tempting target for cyberattackers, and therefore protection of these assets is the focus of many new protection solutions.
Employing artificial intelligence (AI) and machine learning (ML) can significantly help insurance companies protect against malware, ransomware, and advanced persistent threats (APTs). Because these new technologies can analyze large amounts of data quickly, they are well suited to solutions that can detect any deviation from an expected or prescribed pattern in data behavior. They can be used to monitor data workflows and respond to attacks immediately.
Technical cybersecurity solutions for the insurance industry must focus on access controls, data behavior, the encryption of large data volumes, and the prevention of data leaks. Big Data security solutions must offer real-time analysis and monitoring and be designed to avoid performance degradation, which leads to delays in data processing.
Given the sheer size and scope of the insurance industry, what happens in this sector can shape the entire U.S. and even global economies. Nearly every American has PII stored with one or more of these insurance conglomerates. How they protect that information can have an impact on an inestimable number of people.
The high levels of risk faced by the insurance industry, combined with the abundant resources of a lucrative business model, create an environment that attracts the best and the brightest in security solution research and development. This sector offers many opportunities for security professionals at all levels.
Trust is the very essence of insurance and is, therefore, crucial for the industry to thrive. Security professionals looking for a place to make a real difference in the lives of many people need to look no further than the insurance industry.