Cyberattacks on Insurance Companies: Effects & Reactions
As the insurance industry digitizes, innovative technology, cloud computing, and extended value chains are becoming more prevalent to meet evolving business needs. It is challenging for insurers to navigate this digital landscape without being exposed to cyberattacks. This blog post explores recent cyberattacks targeting insurers, the implications of those attacks for their businesses, and potential strategies for improving digital security in insurance.
Recent Incidents of Cyberattacks
Cyberattacks are increasingly targeting the insurance industry. In 2023 alone, multiple insurance companies have been targeted by ransomware attacks. Some of the most recent and impactful attacks include:
- MOVEit file transfer attack. In May and June 2023, several major life insurance companies including Sun Life Financial Inc., Prudential Financial, New York Life Insurance Company, Genworth Financial, and Delta Dental of California were affected by the MOVEit file transfer cyberattacks. A substantial number of customer accounts were compromised through an SQL injection vulnerability that unauthenticated attackers exploited to access sensitive customer data stored in MOVEit Transfer’s database.
- LockBit attacks. In another ransomware attack, LockBit successfully stole 9 million patients’ data from the computer systems of Managed Care of North America (MCNA) Dental. MCNA Dental is a US government-sponsored provider of dental healthcare. The stolen data included patients’ names, addresses, birth dates, phone numbers, email addresses, social security numbers, driver’s licenses, and other government-issued identification numbers.
- CL0P ransomware. Nations Benefits, a U.S. healthcare benefits provider, confirmed that it had been impacted by a security breach involving Fortra™’s GoAnywhere MFT file transfer solution. The CL0P ransomware group exploited a zero-day vulnerability in GoAnywhere MFT servers that contained the protected health information of 3 million health plan members.
Insurer – A Preferred Target for Cybercriminals
Insurers collect and handle a wide variety of personally identifiable information (PII) on their retail business-to-consumer (B2C) policyholders to customize their services for each client. This information is useful to bad actors for several fraudulent activities, including identity theft, insurance fraud, and ransom demands. State-sponsored threat actors also find B2C policyholder PII lucrative because of the level of detail it contains.
However, it is not only PII that cybercriminals are interested in. Insurers who provide commercial insurance for corporations hold information about those companies’ technology profiles and the deficiencies in their infrastructure. By compromising insurers’ systems and networks, ransomware operators gain access to corporate policyholders’ information, allowing them to identify their next targets and determine the optimal ransom amount to maximize profits while remaining acceptable to their victims.
In addition, the size of this industry and its interconnection with other financial institutions and health networks make it an attractive target for cybercriminals. Furthermore, the insurance industry’s increasing reliance on third-party technology providers opens the door for cybercriminals to attack insurers through those providers. By compromising a trusted component or software within the value chain, cyberattackers can infiltrate the target insurers and their networks.
Consequences of Cybersecurity Breaches
Cyberattacks can have severe impacts on both insurance companies themselves as well as businesses and individuals connected to them. Consequences that may result from cybersecurity breaches in the insurance sector include:
- Business disruption. Business operations can be seriously disrupted by cyberattacks. Insurers cannot serve their customers, process claims, or conduct business efficiently until they recover their systems and networks after the data breaches. This can lead to financial losses and customer dissatisfaction.
- Reputational damage. When a cyberattack exposes policyholders’ confidential information, insurers may face reputational damage. The company may lose its competitive edge if customers switch to more secure insurance providers that protect data and privacy more effectively.
- Financial losses. Depending on the type of cyberattack, insurers may face legal and regulatory penalties for failing to protect customer data. Third parties or affected customers may file lawsuits against the company. Insurers may have to pay legal fees to contest civil cases and a ransom to the attacker. Implementing new security measures and recovering from incidents also increase costs.
Enhancing Digital Security in the Insurance Industry
Since cybersecurity threats are continually evolving and the cost of security breaches is huge, insurers are required to implement robust cybersecurity measures to protect themselves and their customers from these threats. These measures include, but are not limited to:
- Hardening systems and networks: To prevent cyberattacks, insurers should implement strong cybersecurity practices: applying appropriate security controls and procedures to protect their networks; safeguarding their systems and networks from automated threats; monitoring compliance requirements; and having a third-party security firm test the security plan regularly to ensure its effectiveness.
- Raising cybersecurity awareness among employees: Insurers often overlook internal threats, such as human error, which could lead to customer information being revealed in response to a convincing phishing email. Cybersecurity awareness among employees reduces the risk of cyberattacks resulting from human error and helps employees detect attacks early on.
- Having an incident response plan: Insurers must have a robust security plan to protect their customers’ sensitive information from cybercriminals and accidental data exposure by employees. They also need a detailed, up-to-date incident response plan to respond effectively to any incidents that may occur.
- Vendor risk monitoring: Supply chain cyberattacks pose a major threat to organizations of diverse sizes and industries. Insurers need to monitor the security record of third-party providers. Third-party software providers also need to recognize their responsibility and demonstrate due diligence to mitigate cyberattacks and ensure the integrity and resilience of the interconnected digital ecosystem.
Final Thoughts
In summary, the recent shift towards digitization to deliver high-quality products is exposing the insurance industry to more vulnerabilities. Cybercriminals are constantly exploiting integrated digital platforms as a means of gaining access to sensitive data. If a cyberattack succeeds, sensitive customer data may be lost, financial losses may occur, and the insurer’s reputation may be damaged. To prevent these malicious practices and ensure the integrity of the interconnected digital ecosystem, all parties in the value chain must acknowledge their responsibilities and implement top-notch security measures.
Emtech Group Inc. is the leading provider of enterprise software quality engineering solutions for validating insurance carrier value chains. As a member of the value chain, Emtech Group Inc. recognizes the importance of security and is committed to ensuring the security of its products and applications. Emtech QMT, a QA software for insurance, is built with secure software development practices and integrated with adequate security measures that support SOC 2 attestation and HIPAA compliance.
About the Author
Ahasanun Nessa, Ph.D. is a Senior Technical Consultant at Emtech Group Inc. Ahasanun specializes in cybersecurity regulation and compliance, threat detection and risk assessment, and enterprise security. Ahasanun led the analysis and integration of cybersecurity solutions into the Automotive Parts Manufacturers’ Association (APMA) Project Arrow vehicle. She is the first author of more than 20 peer-reviewed journals and conference proceedings.