The size, scope, and vast amounts of data within the insurance industry make it a key target for cybercrime. From our health to our cars, property, and several points in between, the average individual has several types of insurance coverage.
Data is both the foundation of and the driving force behind insurance products, policies, and pricing. Much of this data is considered personally identifiable information (PII), which means it could be used to identify an individual. Dates of birth, Social Security numbers, financial account information, and biometrics such as fingerprints are just a few examples of PII that could be found within an insurance company’s database.
Once a cybercriminal has acquired compromised PII data points, they can use this information for fraudulent activities. For example, stolen PII can be fed into an insurance company’s automated quote tool (such as with car insurance) to obtain even more PII. The more information a hacker has, the more equipped they are to commit identity theft and insurance fraud.
In this article, we will look at what makes cybersecurity challenging within the insurance industry, as well as solutions to enhance the security of personally and financially sensitive data.
Why is cybersecurity particularly challenging for insurance companies?
The insurance industry collects, processes, and analyzes massive amounts of structured and unstructured data. Structured data is organized and formatted in a way that makes it easily searchable in databases.
Examples of structured data in the insurance industry include:
- Names
- Addresses
- Medical history
- Claim history
- Vehicle information
Unstructured data, however, does not have a predefined organizational structure or format. Unlike structured data, this type of information does not easily fit within a traditional, column/row spreadsheet or database. However, unstructured data contains critical information that insurers use to customize coverage options and detect fraud.
Examples of unstructured data sources include:
- Emails
- PDFs
- Video files
- Written reports
- Data analytics
- Photographs
- Social media
The insurance industry faces unique challenges when it comes to cybersecurity. The large volume of PII data held by insurance companies is subject to compliance standards and regulations and is also a lucrative target for malicious actors.
Read on to learn more about why cybersecurity is challenging for insurance companies in particular.
Cybersecurity risks unique to the insurance industry
Data breaches and ransomware attacks are increasing in frequency and complexity. Since 2020, financial institutions have increased their use of digital and remote solutions for daily operations. After the health sector, the financial sector (including insurers and brokers) was the hardest hit by COVID-19-related cyber events.
In addition to the insurance policies themselves, some of the most sensitive data held by insurance companies is personal identifying information such as dates of birth, Social Security numbers, passports, and drivers’ licenses. These PII data points are highly valuable to cyber criminals in identity theft operations.
While the insurance industry as a whole is targeted by cybercriminals, companies that provide cyber insurance coverage are even more high-value targets. Cyber insurance is a policy that protects businesses and their customers in the event of data loss, such as a breach or ransomware attack.
Should a hacker successfully compromise a cyber insurance provider’s network, they will have access to policy details and security standards for cyber insurance coverage, as well as the maximum amount the policy will pay in a ransomware event. This information gives ransomware operations an easy way to determine a ransom amount that the victim will agree to.
The size and scope of the insurance industry, as well as the highly valuable data these companies hold, make these companies a lucrative target for malicious actors. With personal, health, identity, and financial information on file, a single gig of insurance data could be worth as much as $10,000.
In fact, the 2022 Cyber Insurance Risk report indicates that 82% of insurance companies are the focus of cybercrime such as ransomware attacks. Recent cybersecurity events include:
- CNA Financial Corporation, one of the largest insurance companies in the United States, paid $40 million in ransom after a 2021 ransomware attack locked officials out of the CNA network. While the FBI and the Treasury Department discourage companies from paying ransom amounts, companies like CNA do so to recover their stolen data. However, only 42% of organizations successfully recover their data after paying the ransom.
- In 2020, insurance and benefits broker Arthur J. Gallagher & Co. suffered a ransomware attack in which hackers obtained PII of thousands of Gallagher customers and employees. The affected individuals filed a class-action lawsuit against Gallagher for failing to protect their information and for failing to notify or assist the people whose data was compromised.
- Cybersecurity insurance provider Chubb became a victim of a data breach in 2020. The security incident is attributed to the Maze ransomware group, which is known for encrypting networks and devices, exfiltrating data, and holding it for ransom. While the attack didn’t impact the operation of Chubb’s networks, the ransomware group posted a list of the data stolen from Chubb, including the names and contact information of senior company executives.
The importance of cybersecurity in the insurance industry
The insurance industry is subject to some of the most comprehensive data protection and privacy regulations:
- Gramm-Leach-Bliley Act (GLBA). GLBA regulations protect consumers’ financial information and PII. Insurance companies must develop a comprehensive information security program that contains controls such as encryption, risk assessments, access controls, and multifactor authentication (MFA), among others.
- Health Insurance Portability and Accountability Act (HIPAA). Health insurance companies are considered health plans that must comply with HIPAA provisions for data security and privacy. This includes (but is not limited to) best practices such as data encryption, audit logs, access controls, and risk assessments.
- Bank Secrecy Act/Anti-Money Laundering (BSA/AML). The BSA is a collection of laws and regulations aimed at reducing the risk of money laundering in the United States. The insurance company is responsible for the effectiveness of its compliance program, which includes the activities of its agents and brokers. BSA/AML regulations apply only to high-risk insurance products such as annuities and permanent life insurance policies, both of which can be used to facilitate money laundering activities.
Regulations for insurance companies are increasing, with more states requiring companies to better protect consumer data. As of May 2022, Kentucky became the latest state to develop a cybersecurity statute based on the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. Currently, 21 states have adopted models to enhance cybersecurity in the insurance industry.
How WinZip Enterprise enhances cybersecurity in the insurance industry
The best way to mitigate risk is to protect data before adverse events occur. An insurance company’s files and databases contain a wealth of information that would negatively affect financial performance and public perception if it were compromised.
Following a data breach, 83% of customers will no longer use the products and services of the affected organization. A comprehensive data protection strategy should include best practices such as the following:
- Customized access controls. Access controls restrict access to resources and data based on what’s necessary for a user’s job functions. This is known as the principle of least privilege (POLP), which helps prevent unauthorized access to sensitive information.
- File-level encryption. File encryption gives insurance companies increased control and visibility over their sensitive PII. Encryption renders the information contained within a file unreadable to anyone without the appropriate decryption key, which makes the file useless to cybercriminals.
- File tracking. To prevent and eliminate data loss, insurance companies should regularly review system activity. File tracking makes a record of every time a file is edited, moved, or deleted. This makes it easier to detect and control system vulnerabilities such as human error (e.g., accidental deletion of a critical file).
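As an added illustration of the file tracking practice above (example code written for this article, not part of WinZip Enterprise), the following Python script hashes every file under a directory and compares two snapshots to report which files were edited, moved, or deleted. The function names, file names, and file contents are hypothetical, constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(before, after):
    """Return (action, path, new_path) events describing what changed."""
    events = []
    gone = {p: h for p, h in before.items() if p not in after}
    new = {p: h for p, h in after.items() if p not in before}
    for old_path, digest in sorted(gone.items()):
        # Same content under a new path means the file was moved or renamed.
        match = next((p for p in sorted(new) if new[p] == digest), None)
        if match is None:
            events.append(("deleted", old_path, ""))
        else:
            events.append(("moved", old_path, match))
            del new[match]
    events += [("created", p, "") for p in sorted(new)]
    # A path present in both snapshots with a different hash was edited.
    events += [("edited", p, "") for p in sorted(before.keys() & after.keys())
               if before[p] != after[p]]
    return events

def demo():
    """Run the tracker over constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "claims").mkdir()
        (root / "claims" / "claim-001.txt").write_text("status: open\n")
        (root / "policy-A.txt").write_text("constructed sample policy\n")
        (root / "notes.txt").write_text("adjuster notes\n")
        before = snapshot(root)
        (root / "claims" / "claim-001.txt").write_text("status: paid\n")  # edit
        (root / "archive").mkdir()
        (root / "policy-A.txt").rename(root / "archive" / "policy-A.txt")  # move
        (root / "notes.txt").unlink()  # delete
        return diff_snapshots(before, snapshot(root))

if __name__ == "__main__":
    for event in demo():
        print(event)
```

Snapshot comparison records what changed between two points in time but not who changed it; attributing a change to a user requires the operating system's audit log or the file platform's own activity log.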
WinZip® Enterprise protects sensitive data with a customizable set of enterprise-grade tools for secure backup, file transfer, encryption, and more. Insurance industry IT administrators have granular control over the operating environment, making it easy to implement and enforce policies that uphold cybersecurity.
Using the Advanced Encryption Standard (AES) format, WinZip Enterprise encrypts data at the file level so that it is safeguarded while at rest and in transit. This type of encryption is ideal for insurance companies that must comply with various data security regulations.