Cybersecurity: Key threats endangering insurers
Insurers are especially attractive to hackers because of the information they collect and the assumption that they have deep pockets in the event of a cyberattack.
Like most businesses, insurers are smarting from the relentless attacks on their computer networks by hackers — which are increasing in number and sophistication with each passing year.
Currently, 82% of the world’s largest insurers are vulnerable to phishing — which occurs when trusting employees unknowingly give hackers access to IDs and passwords or other ways to penetrate the company network, according to Black Kite’s “A Fight for Coverage: Cyber Insurance Risk in 2022.”
The same report found that 18% of insurance companies open their doors each day extremely susceptible to ransomware.
“Most security and risk leaders now recognize that major disruption is only one crisis away,” said Richard Addiscott, senior director analyst, Gartner — a technology advisement firm. “We can’t control it, but we can evolve our thinking, our philosophy, our program and our architecture.”
Unfortunately, insurers are especially desirable for hackers given they have deep pockets — as well as that catnip-of-catnip for cybercrooks: The personally identifiable information (PII) of sometimes millions of customers.
Granted, we’d all like to believe that every business on the planet has the grit to tell hackers where to go when such crooks compromise their data and computer systems. But as guardians of customers’ PII, insurers face a tough choice: Standing up to hackers, or paying them off to hopefully protect the PII of their customers.
PII theft statistics are among the scariest for those charged with guarding such personal data. During 2021 alone, hackers exposed the PII of 1.5 billion users during the course of their exploits, according to the Black Kite report.
Equally troublesome, insurers specializing in cybersecurity insurance find they are of even greater interest to hackers, given that the stolen details of cyber insurance policies also offer hackers insight into the amount of ransom an insurer has agreed to pay for its insured, according to the “2022 Insurance Industry Cyber Threat Landscape Report,” from IntSights.
Observed Bob Maley, chief security officer, Black Kite: “The cyber insurance landscape has never been more volatile.”
As in previous years, one cyberthreat troubling insurers as of late is ransomware, which saw an 82% jump in incidents in 2021 over the prior year, according to Crowdstrike, an IT security firm.
The industry also saw disturbing growth in attacks on personal computing devices used by remote workers last year — as well as increased hacker penetration into giant companies via the poorly secured networks of smaller, third-party vendors.
“Year after year, the increasing risk lies with your most vulnerable partners and suppliers,” said Paul Paget, CEO of Black Kite.
Add an increase in hacker break-ins to cloud-based systems, a jump in hacking attacks orchestrated by nation-states and increasing hacker access to tricks and techniques powered by artificial intelligence, and it becomes clear that nothing less than 24/7 vigilance will be needed by insurers to thwart the cybercriminals in coming years.
Here’s a deeper look at threats that are especially dangerous to the industry:
Remote worker vulnerability: One of the downsides of all the remote working opportunities many workers are enjoying lately is the significantly increased vulnerability of their employers.
The reason? Many of the personal smartphones, home laptops, on-the-go personal digital assistants and similar technologies workers are using from home are completely devoid of cybersecurity software. That gaping vulnerability translates into open season for hackers, who can often penetrate an unsecured personal computerized device faster than a remote worker can say “oops,” and then leapfrog from that personal device onto the company’s mainframe.
Sarah Pavlak, a security industry principal at business consulting firm Frost & Sullivan, explained: “Due to the pandemic and remote working requirements, the world witnessed a significant increase in endpoint security needs. To mitigate attacks, endpoint security solutions — endpoint protection platform and endpoint detection and response — are vital as they help identify unprotected assets.”
Added Michael Sentonas, chief technology officer at CrowdStrike: “Stopping breaches requires a modern approach to security that relies on continuous, comprehensive endpoint visibility that spans detection, response and forensics — to ensure nothing is missed.”
Ransomware and ransomware-as-a-Service: Few industries have been gouged more deeply by ransomware than the insurance industry — a form of malware that seizes control of a computer’s data and demands a ransom before the data can be accessed again. Last year, industry giant CNA Financial, for example, reportedly paid one of the largest ransoms ever – $40 million – to a hacker gang that wreaked havoc on its computer network, according to Black Kite’s report.
Currently, nearly 20% of the world’s top 99 insurers have a high susceptibility to the scourge, according to Black Kite, and 82% of the globe’s largest insurance companies are also prime targets for cybercriminals.
Worldwide, across all industries, a ransomware attack occurs every 11 seconds, with an average payout to the crooks of $130,000, according to Black Kite’s report. Adding insult to injury is the growing availability of ransomware-as-a-Service kits, which sophisticated hacker gangs license-out to less-tech-savvy criminals in exchange for a cut of any ransoms secured.
Nation-state-sponsored hacking: Insurers and others have been targets of state-sanctioned hacking for years, and they can expect more of the same for the foreseeable future, according to the 2022 CrowdStrike Global Threat Report. The “Big Four” perpetrators in this space are Iran, China, Russia and North Korea.
For the insurance industry, nation-state extortion included the exposure of PII from customers of the Israeli insurance company Shirbit, according to IntSights’ report. Insurance data hackers released to the world during the caper included driver’s license photos, identity documents, and forms featuring the names and addresses of the insurer’s customers.
The leading culprit among the Big Four by far is China, which is increasingly penetrating companies and organizations by finding vulnerabilities in internet-facing software like Microsoft Exchange, according to Crowdstrike.
Adam Meyers, senior vice president of intelligence, CrowdStrike, said: “As cybercriminals and nation-states around the world continue to adapt in the changing, interconnected landscape, it’s critical that businesses evolve to defend against these threats.”
Back-door & third-party attacks: Sadly, too many insurers and others discover the hard way that the even most sophisticated cybersecurity system can be undone in seconds via a third-party partner with lax cyber defenses. Hackers take special delight in these attacks, which uncover vulnerabilities in the networks of small businesses, and are then leveraged as back-door entryways into Fortune 500 companies and similar big corporate game.
The problem is so prevalent, that market researcher Forrester predicts that by the close of this year, 60% of all cybersecurity incidents will be initiated at third-party vendors.
Moreover, by 2025, insurers and others will consider the sophistication of cybersecurity protocols maintained at the third-party firms they do business with so important that a majority will insist those businesses prove they’re engaging in IT security best practices, according to Gartner.
Jeffrey Wheatman, senior vice president of Black Kite, said: “Insurers are consistently blindsided with risk events that form deep in their digital supply chains. Black Kite’s latest research is a proof point that action needs to be taken to assess third-party risk — and plan accordingly.”
Attacks on the cloud: Scores of insurers and others with systems and data in the cloud saw a significant uptick in cloud-computing-related security breaches, according to the 2022 CrowdStrike Global Threat Report.
All insurers should insist on closely studying the security protocols their cloud provider offers, according to Andre W. Ahern, CEO, Ahern & Associates — a business consulting firm. Plus, insurers want to be sure those protocols are in writing and certified annually, Ahern adds.
You’ll also want to be sure you have documentation that your cloud provider is aware of all local, regional, national and international laws regarding the security and privacy of your data. You’ll also want to see the documentation and descriptions of the systems your provider has in place to comply with those laws, he says.
Also critical: Be sure — and get a guarantee — that your data does not pass through questionable technology hardware such as routers and other tech made by Chinese company HUAWEI, Ahern said.
AI-powered attacks: During the past few years, the cybersecurity industry has made great gains infusing every manner of artificial intelligence into the computer networks of its customers — significantly increasing the efficacy of its tech.
Unfortunately, so have the crooks.
Essentially, the same AI technology well-armed insurance companies use to monitor and analyze the latest in hackers’ tricks, techniques and software is the same AI technology hackers are using to assess the cyber-mettle of insurers. For the foreseeable future, it appears AI has simply raised the stakes in the cybersecurity war — leaving any insurer devoid of AI shielding at graver risk than a well-equipped competitor.
Andrew Walls, an analyst at Gartner, explained: “Attackers are weaponizing AI just as fast as organizations augment their defenses with it. It’s not enough for cybersecurity technologies to evolve — strategy and leadership approaches must change, too.”
Adds Frost & Sullivan’s Pavlak: “Wider AI adoption will incorporate self-healing endpoints and become more comprehensive during the next few years.”
Joe Dysart (joe@breakingnewsintech.com) is an internet speaker and business consultant based in Manhattan.
Related: