Managing cybersecurity risk in the insurance industry

While assessing risk is a core function of the insurance industry, it’s no small irony that when it comes to the security of their own operations, many insurers are less focused than they should be on vulnerabilities.

Cyberattacks — whether business email compromise, ransomware or another scam — have become much more sophisticated over the years. These criminals are good at what they do and are well funded and well organized. And they’re making financial services firms, such as insurance companies, prime targets.

What makes these crimes especially insidious is that many cybergangs are based abroad in countries such as North Korea, Russia and parts of Eastern Europe, where U.S. law enforcement often has no authority to arrest and extradite suspects. In places where governments essentially ignore these activities or even encourage them, the challenges to shut down these operators are significant.

Why insurance companies are vulnerable

The vast amounts of personally identifiable information (PII) and intellectual property that insurance firms hold about their clients make them prime targets. Financial and health data, the stock in trade of the industry, is what attackers have their eye on. But how effectively is your firm protecting its clients’ PII?

Consider these five questions underlying the risk profile of your organization:

1. How well does your security prevent attackers from entering the “door” of your company?
2. Do you fully understand where all your data resides?
3. Do you know how data travels within and outside your organization?
4. Do you have security measures in place that restrict who has access to sensitive data within the company?
5. Is access limited to only those who truly need it?

If you are uncertain about the answer to any of these questions, your organization may be at significant risk in the event of a cyberattack.

In many cases, the breach starts with a simple email to employees. People click on links or attachments with viruses or fall for a plausible looking email sent by a scammer and provide personal information to criminals or unwittingly land on an “evil twin” website set up for nefarious purposes.

It’s often a numbers game. If threat actors send out a phishing email to 200 people in the organization, and if just one or two of them click on something that enables an interloper to get inside the organization, the results can be devastating. The attackers may steal a copy of your data, encrypt all of your critical files (including backup files) and request a ransom. So even if your firm has a strong data recovery plan, the cybercriminals have their hands on your unencrypted data to extort you into paying the ransom.

Protecting your core processing system data

The crown jewels for the criminals: the data in your core processing system. And even if you have gained confidence through penetration testing and other security testing, that data can be exposed if employees export it into spreadsheets saved on personal systems where it may not be well protected.

There are many ways that data may be exposed inadvertently by employees. If a laptop is stolen, any unencrypted data that’s been downloaded from your secure system or copied to a USB storage device becomes much less secure and could constitute a data breach.

Where is your data traveling?

It’s critical to know not only where data resides in your network or on the cloud but also where it travels inside and outside of your organization. It’s not uncommon for businesses to lack proper controls to restrict unauthorized external sharing no matter what the broad security measures are for, say, claims processing or developing quotes for clients. If you allow your employees to use a cloud file sharing service that isn’t properly secured, you’ve lost control over where it is stored.

Hiring third-party professionals to test your controls through penetration testing, vulnerability scanning and a general IT review is important. But adequate training of your employees is also critical to make sure they aren’t creating the opening into your data through email scams or even phone calls by people impersonating others at your company to get information from you. This kind of employee training needs to be ongoing, as it’s easy for people to let their guard down over time about these kinds of threats.

How Wipfli can help

Protecting your data from cyberattacks is an increasingly complex task with ongoing requirements. It is never a set-it-and-forget-it situation. Wipfli professionals have deep experience in assessing and testing system risks, as well as in implementing managed detection and response services and end-user behavior monitoring. Contact us to learn more about the solutions that may be right for your organization.

Sign up to receive more cybersecurity content in your inbox, or continue reading on:

• Stay ahead by staying informed about digital asset insurance
• How’s your cybersecurity IQ? What financial service organizations need to know
• 3 cybersecurity tips for financial services

This article was co-authored by Scott Vandeputte, a manager in tech consulting.