Attention insurance professionals: Don't click on that!

Cyber risk is now a threat to every business. Insurance agencies and brokerages are no exception.

Employee susceptibility to cyber threats could be considered an occupational hazard. (Miha Creative/Adobe Stock)

Take a look around your insurance organization. Can you see your biggest cybersecurity risk?

If you guessed people, you’re right. Insurance agencies and brokerages are known for stellar customer service, going above and beyond to help clients as quickly and efficiently as possible.

But employee susceptibility to cyber threats could be considered an occupational hazard as cybercriminals can exploit a business’ service-first focus to infiltrate its systems and gain access to data or extort money.

Here’s the good news: Insurance agencies and brokerages can reduce their cyber risk exposures with the right knowledge and a few key steps.

First of all, it’s important to acknowledge that proactive cybersecurity starts with education.

Knowing what threats are likely to impact your insurance business and training employees to be proactive and vigilant in the face of suspicious activity can go a long way toward protecting the business.

Masters of disguise

Consider this: An insurance agent or broker receives an email that looks like it’s from a carrier partner asking them to click on a link to a document. The agent downloads the file. Unfortunately, the link contains ransomware that encrypts the business’ files. A hacker then demands money for the key to unlock the files.

Here’s another scenario: A hacker, masquerading as the organization’s owner, emails its controller, who is in charge of paying vendors. The hacker’s note explains that the business has a new partner who needs to be paid. The email contains account information for the funds transfer and apologizes for requesting a speedy turnaround. The controller issues the transfer. The next day, when it is discovered that the CEO did not send the email, it is too late and the money is gone.

In another scheme, a bad actor, pretending to be an insurance client, calls to cancel the business’ liability policy, saying the client needs to cut expenses. By using online information, the caller seems to have all the information needed to prove identity. The cancellation is processed. The following week, the actual client calls to place a claim.

The technical names for these issues are ransomware, fraudulent fund transfers, and social engineering. The impacts are real, and they are becoming more and more common in all industries, including insurance. According to Marsh, there has been a 148% increase in ransomware attacks fueled by the pandemic, and one in 3,000 emails contains malware.

Meeting the challenge

Overall, many small businesses have been slower to embrace cybersecurity best practices: More than half of small and mid-sized businesses don’t use data protection or email security, according to Intel Security.

But this is beginning to change. In particular, insurance agencies and brokerages are beginning to understand that it’s much better to be prepared. According to PIA and National Underwriter’s 2022 Independent Insurance Agency Survey, data security and privacy compliance is the top concern.

Knowing the risk is an important first step. Next, it’s essential to be proactive in identifying ways to improve security and reduce the risks. The PIA Partnership developed Winning@Cybersecurity Defense, a program designed to not only educate agents about the cyber risks for themselves and their small business clients but also provide actionable steps they can take.

Here are three specific steps agencies and brokerages can take to prevent cyber risks from impacting their businesses:

No. 1: Make cybersecurity everyone’s responsibility. Train employees to be on alert for suspicious activities. It is not just up to one person to detect threats. Consider creating a cheat sheet for agents to keep at their desks that highlights the elements of a suspicious email. These can include: bad grammar or misspelled words, generic language such as “Dear Sir/Madam,” a sense of urgency, or a request for sensitive information.

Make it business policy that if an email raises any red flags at all, the employee should reach out to known contacts in the sender’s organization to check for authenticity. For example, if a generic email comes from a vendor asking the agent to click a link to submit a payment, have the agent call the vendor representative to confirm.

Consider utilizing programs that test your employees on their cyber readiness. Some solutions will send employees fake phishing emails to see how they respond, enabling agency owners to see where they need more training.

No. 2: Create a data fortress. Beyond training, there are simple processes you can put into place to secure your systems and your customers’ data. Enable multi-factor authentication, such as having agents input a code texted to their phones in addition to their passwords. Make sure to keep operating systems and applications up to date, as developers will often release patches when they discover security flaws.

Don’t allow personal devices to connect to the agency network if they don’t have security protections. If employees work remotely, discourage them from connecting their agency equipment to public WiFi.

No. 3: Practice what you preach: Get insured. Even the most secure agencies can still be infiltrated by a hacker. The average cost of a data breach can end up hurting the agency significantly if hundreds of customers’ accounts are compromised. Investing in cyber insurance can protect the agency and help it recover. Assess what cyber threats are most likely to impact your agency. Be sure the policy covers those risks. Finally, ask if the coverage provides access to experts who can help you navigate a breach.

The proactive approach

Hackers are becoming increasingly skilled at disguising themselves and infiltrating insurance organizations and other businesses. The best defense is a good offense. Insurance agencies need to be proactive to protect their businesses and their customers’ data. With a 360-degree cyber defense, including employee training and security protocols, agencies will be able to weather whatever cybersecurity storm may come their way.

Ted Besesparis (tbesesparis@pianational.org) is senior vice president of communications for the National Association of Professional Insurance Agents (PIA National) based in Alexandria, Va.
