Insurance companies hold sensitive personal information, which can be used in other online crimes. Pictured: Pfc. Loran Jones, a combat medic with the Marietta-based 248th Medical Company, 265th Chemical Battalion, updates patient medical records on May 12, 2020, at Wellstar Atlanta Medical Center in Atlanta. (Pfc. Isaiah Matthews/Georgia Army National Guard)

Insurance companies are expected to offer financial protection to their customers. But when it comes to cyber threats, insurers are increasingly finding themselves the victims of a merciless onslaught from data thieves, ransomware groups, hacktivists and even nation-states.

“The insurance industry is a target for many different types of cyberattacks,” according to the introduction to the IntSights 2022 Insurance Industry Cyber Threat Landscape Report, which drills into why and gives various examples of where attacks have struck in the insurance industry. For example, breaches by groups that specialize in ransomware have ramped up as a major threat to insurers because of the role many of them play in providing coverage in the case of ransomware: either the bad actors are seeking information on how much coverage their potential targets might have, or they are acting out of revenge.

The details of cyber insurance policies, “particularly the maximum ransom amount that a cyber insurance policy will cover, are very useful to ransomware operators. Ransomware operators can use that information to calculate an optimal ransom amount that is both high enough to maximize profit but low enough for victims to accept,” said Paul Prudhomme, head of threat intelligence advisory at IntSights, a Rapid7 company, which released the report.

Case in point: The report points out a few cases where the ultimate goal of the breach was to maximize the ransom extracted from an enterprise client of the insurance company. This includes the March 2021 incursion on CNA Financial, a cyber insurance provider, which reportedly paid a ransom of $40 million to Phoenix CryptoLocker ransomware operators, “one of the largest-ever reported ransom payments,” according to the report.

After a malicious malware update, the attackers were able to move within the network until they gained access to the data and credentials they required to make the heist, and were even able to encrypt files of CNA Financial’s remote employees on the VPN. While the insurer denied that the ransomware gang accessed coverage limits, CNA Financial admitted that Social Security numbers and other PII for 75,000 people were compromised, mostly those of existing or former employees and family members.

Sensitive personal and financial information used for other crimes

Insurance firms often hold even more sensitive financial and personal information on individual and business customers than banks, healthcare companies or investment firms — valuable data which can fetch a high price on the dark web, or be used to create more believable synthetic identities, or to perpetrate other online crimes.

“Insurance companies are targeted for the large amount of personally identifiable information (PII) they handle and store,” Prudhomme said. “Bad actors can use this PII for fraud and other malicious purposes, including insurance fraud.”

And, as with many areas of corporate IT security, especially in the financial industry, attackers are moving in on the insurance companies as well as the third parties with which they work, from vendors to insured enterprise clients, Prudhomme added.

“The above, while coming as no surprise,” he said, “points to the significance of a strong security posture that includes access to threat intelligence that allows the insurer to tailor their defenses according to their business operations.”

Indeed, the report pointed out that insurance companies can often be a prime target for “state-sponsored threat actors because of the amount of detail” of PII they hold on business-to-consumer policyholders.

“Hacktivists have been known to target insurance companies for ideological reasons,” said the report.

Prudhomme recommended that insurance companies should “not only think about additional layers of protection, but the context of the business onto which you’re applying those layers.”

For example, he added that B2C security measures will have significant differences from their B2B counterparts. “Security at an auto insurer may operate differently from that of a healthcare insurer,” he said.

Additionally, Prudhomme suggested “rigorous research and risk-management mitigation can help put security minds at ease when it comes to doing business with third parties. Thinking holistically about the threats your industry faces, as well as strategically leveraging data to find those specific threats, may not mean your organization is 100% protected.”