For many years, cybercriminals have focused their attacks on banks, credit unions and investment firms. But given the bounty of information held by insurance companies, it was only a matter of time before hackers started going after traditional insurance companies.
In March 2020, one of the most notable breaches to hit the industry came to light, when it was made public that Chubb, one of the largest insurance companies in the world, had been hit by a ransomware attack. The New Jersey-based insurance company had fallen victim to Maze ransomware, a particularly sophisticated variant known to spread like wildfire throughout a network, and difficult to root out.
As if foreshadowing this highly publicized incident, Digital Guardian released a report in January 2020 pointing out the growth that it was starting to see in insurance company cyber-intrusions. (And, ironically, Chubb had put out its own cyber-awareness report the year before, called Cyber Attack Inevitability.)
“We are arriving at the place where any digitized business can become a target of a cyberattack," said John Horn, practice director for cybersecurity at Aite-Novarica. “Insurance companies are no exception.”
Last month, Armorblox reported a scam directed at employees of a large, unnamed insurance company, where bad actors impersonated Instagram support staff and sent emails with a malware payload attached in effort to get into the insurance company’s systems.
“For criminal teams with primary motivation of financial gain, there has been observed a pattern of attacking firms which hold cyber underwriting contracts, so that cyberattacks can have a predictable payoff,” Horn said.
“Client lists held by insurance companies are quite valuable to cybercriminals, as they help identify compelling client targets,” Horn continued. “Thus, insurance companies should expect cyberattacks.”
While he does not see the increased ramp-up in known attacks on insurance companies as indicative of any particular trend, Sam Curry, chief security officer for Cybereason, said that there has been at least “a slight increase in the temperature insurance carries in comparison to late last year.”
“That doesn't mean that they won't get more targeted — it only means that it’s largely 'business as usual,' without changes in cyber intensity,” Curry said.
Ironically, Curry pointed out the insurance industry in general “has been scrambling in their business models to build actuarial tables and to price cyber insurance correctly, and they have themselves been targeted by various players in the ecosystem for years.”
Earlier this year, Aite-Novarica interviewed a dozen insurance company chief information security officers (CISOs) to better understand how they approached cyberattacks, and tried to mitigate them. One universal theme that came across from this research was that “insurance company CISOs have cybersecurity needs much like a bank CISO,” Horn said. “Most all the cybersecurity principles used by a bank CISO are needed by today’s insurance CISO, as well.”
Hence, Horn advised that insurance companies need to embrace a similar approach and to mitigate cyber risk in a similar manner as other financial institutions.
In other words, if they have not done so already, insurance companies need to establish a formal risk assessment and a “robust cyber risk program which includes aspects such as defense in depth, zero-trust architectures, data security, identity, multi-factor authentication, security operations and risk management governance.”