Insurance Companies Have a Lot to Lose in Cyberattacks

Insurance companies have a huge target on their proverbial backs as cyberattackers increase their focus on an industry ripe with personal, medical, corporate, and other confidential data that can be monetized after a data breach.

In 2023 alone, multiple insurance companies have been targeted, including Sun Life in June via an attack on its vendor Pension Benefits Information LLC; Prudential Insurance in May, in which more than 320,000 customer accounts were impacted; New York Life Insurance Company, which had 25,700 accounts affected during the same days period as the Prudential attack; and Genworth Financial, in which up to 2.7 million individuals were affected. All of these insurance companies were victims of the MOVEit file transfer cyberattack.

Aside from MOVEit, other common ransomware attacks also targeted the insurance industry. Point32Health, the parent company of Harvard Pilgrim Health Care and Tufts Health Plan, was hit by a ransomware attack in April, while NationsBenefits reported that it was a victim of the Cl0p ransomware gang. The largest US attack on an insurance company compromised 9 million patients of Managed Care of North America (MCNA) Dental, a victim of the LockBit attack.

Consulting firm Deloitte noted, "Cyber-attacks in the insurance sector are growing exponentially as insurance companies migrate toward digital channels in an effort to create tighter customer relationships, offer new products and expand their share of customers' financial portfolios. This shift is driving increased investment in traditional core IT systems (e.g., policy and claims systems) as well as in highly integrated enabling platforms such as agency portals, online policy applications and web- and mobile-based apps for filing claims."

The firm added, "As insurers find new and innovative ways to analyze data, they must also find ways to secure the data from cyber-attacks."

Applications Reveal a Lot

The reasons insurance brokers and carriers are now in the hot seat vary, Deloitte noted, but several stand out as key motives. While the most mundane is the profitability of obtaining personally identifiable information and personal health information for resale, there are more nefarious inducements to attack insurers — for example, insurance applications.

The amount of private, corporate data that appears on an insurance application could be a bonanza to cyberattackers, says Marc Schein, national co-chair of the Cyber Risk Practice and a risk management consultant at Marsh McLennan Agency, an insurance broker. Schein notes that applications include a vast array of potentially useful information, including the amount of insurance a company is purchasing (ransomware attackers do not want to leave money on the table when they demand a ransom), as well as some of the deficiencies a company might have in its network security.

Schein points out that other insurance products, such as errors and omissions policies or directors and officers policies, could provide valuable information about trade secrets, private information of key company executives, and data about potential business transactions.

Patricia Titus is chief privacy and information security officer at Markel Insurance, a carrier that underwrites its own assurance, specialty, and international policies. She agrees that applications can provide a deep understanding of a company's technology profile.

Insurance applications can identify technology debt, Titus says — unpatched software, outdated hardware that might be past the manufacturer's security or software patches, legacy systems that could represent potential security vulnerabilities, and other deficiencies a company might have in its network security. These vulnerabilities could be exploited by attackers.

All Sides of Insurance Transactions Are Vulnerable

Insurance clients are not the only ones that need to evaluate their cybersecurity infrastructure, Titus points out. Markel is looking at ways it can better protect its own data, as well as that of its clients.

In Markel's case, Titus says, the company is looking at technologies that could do a better job of microsegmenting its networks, limiting the ability of attackers to move laterally through the network should they successfully breach the corporate defenses. Moving laterally, she notes, is the greatest advantage an attack can have if they can find a hole into a network.

Human data always is interesting to cyberattackers, Titus adds. Should the attacker be able to access insurance applications or approved policies, they can learn a great deal about potential targets. Individuals and companies alike need to insure high-value luxury items, such as antiques. However, enterprises also insure trade secrets (think of the recipe of Coca-Cola, for example) that cannot be made public through patents, private data about executives and officers, and errors and omissions that might occur during business transactions. Ultimately, companies protect a vast array of data that can be identified and compromised should their insurance policies or applications be breached.

Schein recommends that companies submitting an insurance application send encrypted files so that anything intercepted during transmission cannot be read by the attacker.