Cyberattacks on Insurance Companies: Effects & Reactions

  • MOVEit file transfer attack. In May and June 2023, several major life insurance companies including Sun Life Financial Inc., Prudential Financial, New York Life Insurance Company, Genworth Financial, and Delta Dental of California were affected by the MOVEit file transfer cyberattacks. A substantial number of customer accounts were compromised due to an SQL injection vulnerability identified by unauthenticated attackers, which allowed them to access sensitive customer data stored in MOVEit Transfer’s database.
  • LOCKBit attacks. LOCKBit, another ransomware attack, successfully lifted 9 million patients’ data from Managed Care of North America (MCNA) Dental’s computer systems. MCNA Dental is a US government-sponsored provider of dental healthcare. The stolen data included patients’ names, addresses, birth dates, phone numbers, email addresses, social security numbers, driver’s licenses, and other government-issued identification numbers.
  • CL0P ransomware. Nations Benefits, a U.S. healthcare benefits provider, confirmed that its company had been impacted by a security breach involving Fortra™’s GoAnywhere MFT file transfer solution. The CLOP ransomware group exploited a zero-day vulnerability in GoAnywhere MFT servers that contained the protected health information of 3 million health plan members.
  • Business disruption. Business operations can be seriously disrupted by cyberattacks. Insurers cannot serve their customers, process claims, or conduct business efficiently until they recover their systems and networks after the data breaches. This can lead to financial losses and customer dissatisfaction.
  • Reputational damage. In the event of a cyberattack, confidential information of policyholders is exposed; insurers may face reputational damage. The company may lose its competitive edge if customers switch to more secure insurance providers that protect data and privacy more effectively.
  • Financial losses. Depending on the type of cyberattack, insurers may face Legal and Regulatory penalties for failing to protect customer data. Third parties or affected customers may file lawsuits against the company. Insurers may have to pay lawyer fees to dispute civil cases and the ransom to the attacker. Implementing new security measures and recovery from incidents also increases costs.
  • Hardening systems and networks: To prevent cyberattacks insurers should implement strong cybersecurity practices, including appropriate security controls and procedures to protect their networks, safeguarding their systems and networks from automated threats; monitoring compliance requirements; and testing the security plan regularly by a third-party security firm to ensure its effectiveness.
  • Raising cybersecurity awareness among employees: Insurers often overlook internal threats, such as human error, which could lead to customer information being revealed by a convincing phishing email. Cybersecurity awareness among employees reduces the risk of cyberattacks resulting from human error and helps employees detect attacks early on.
  • Having an incident response plan: Insurers must have a robust security plan to protect their customers’ sensitive information from cybercriminals and accidental data exposure by employees. They also need a detailed up-to-date incident response plan to respond effectively to any incidents that may occur.
  • Vendor risk monitoring: Supply chain cyberattacks pose a major threat to organizations of diverse sizes and industries. Insurers need to monitor the security record of third-party providers. Third-party software providers also need to recognize their responsibility and demonstrate due diligence to mitigate cyberattacks and ensure the integrity and resilience of the interconnected digital ecosystem.

Aahsanun Nessa