Escalating Cybersecurity Risks: A Growing Challenge for Insurers

Insurance companies not only assist other businesses in managing their cybersecurity risks, but they also grapple with cyberattacks directed against themselves. As cybersecurity risks increase, heightened vigilance becomes critical.

No Industry is Safe from Cyberattacks

Some industries are more tempting targets for hackers than others, even though no industry is safe from cyberattacks. Companies possessing a wealth of valuable data that can be monetized and those willing to meet substantial ransomware demands are frequently targeted. Both the financial and insurance industries typically have a treasure trove of personal, health, and confidential data that makes them prime targets for cyberattacks.

This may explain why cyberattacks against these sectors increased in 2022 even as most industries experienced a slight reprieve from such incidents. According to Abnormal Security¹, ransomware attacks against the financial sector (including insurance companies) increased by 75% year over year in the first quarter of 2022, mainly due to LockBit attacks against small accounting and insurance companies. LockBit ransomware encrypts and locks critical data, making it inaccessible to the victim.

According to the IBM Security X-Force Threat Intelligence Index 2023², the combined finance and insurance sector was the second most frequently targeted sector in 2022, comprising 18.9% of all attacks, just behind the manufacturing industry which held the top spot.

Recent Attacks Against Insurers

Not all ransomware attacks make headlines. However, some large attacks against insurance companies have recently garnered media attention:

• Genworth Financial fell victim to a massive data breach that impacted millions of its policyholders and agents.³ A global cyberattack in May 2023 involving the MOVEit file transfer software has resulted in an unknown number of incidents of stolen data across industries, affecting a wide array of victims, including Shell and the United States Department of Energy. Corvus Insurance reported the MOVEit breach accounted for 9% of victims in the second quarter and 13% of all victims in Q3.⁴
• TechCrunch⁵ reported a ransomware attack against a dental insurance company exposed the data of nearly 9 million patients. The LockBit ransomware group claimed responsibility for the attack, stating that it published all the stolen files after the insurance company refused to pay a $10 million ransom.
• AP News⁶ states that the second largest health insurance company in Massachusetts was hit with ransomware, potentially exposing sensitive personal information of current and past members.

More Serious Data Breaches and Ransomware Attacks Raise Concern

The increase in frequency and severity of data breaches and ransomware attacks have raised concern. According to the 2023 Travelers Risk Index, 54% of participants believe it’s inevitable that their businesses will experience a cybersecurity incident.⁷ In an interview with Digital Insurance⁸ in November, Tim Francis, enterprise cyber lead at Travelers, discussed the changing risk landscape and the shift to a more dangerous level of ransomware attacks. When fully deployed, these attacks will essentially encrypt and disrupt the entire operating system, causing impacts that are much worse in terms of their longevity and financial impact.

Corvus Insurance’s latest Global Ransomware report indicates a 95% increase in ransomware activity year over year from Q3 2022 to Q3 2023.⁹ According to the IBM 2023 Cost of a Data Breach report¹⁰, the average cost of a data breach increased 2.3% to $4.45 million per event. Their research also revealed that 37% of ransomware victims studied did not involve law enforcement in ransomware attacks and ended up paying, on average, $470,000 higher breach costs than those that did.

Defending Against Cyberattacks

Businesses cannot afford to be complacent about cybersecurity. Attacks have evolved and security measures need to keep up. Per the Travelers Risk Index⁷, 90% of businesses report confidence in implementing best practices to prevent or mitigate cyberattacks, yet at least 25% have not implemented basic prevention measures, such as firewall/virus protection, data backup and password updates. Maintaining offline backups of critical data can help businesses recover from a ransomware attack without giving in to demands. Travelers’ Tim Francis suggests that at a high level businesses need to at least use endpoint detection and response (EDR), multi-factor authentication (MFA), and develop a comprehensive incident response plan (IR).⁸

Keeping Payment Data Secure

Insurers that store sensitive personal data can be prime targets for hackers. Having sensitive payment data in your system increases your security risks and your compliance burden. One Inc takes cybersecurity seriously. We adhere to industry-leading security requirements that reduce your risk of exposure, simplify your network security and compliance practices, and help to protect your policyholders from payment data theft. As a Nacha Certified Third-Party Sender, we have met rigorous standards for risk management and compliance, demonstrating the strength of our corporate controls.

Learn more.

Sources:

1. Abnormal Security - https://abnormalsecurity.com/blog/ransomware-volume-drops-q1-2022
2. IBM - https://www.ibm.com/reports/threat-intelligence
3. Insurance Business Magazine - https://www.insurancebusinessmag.com/us/guides/the-insurance-industry-cyber-crime-report-recent-attacks-on-insurance-businesses-448429.aspx#Insurance%20industry%20cyber%20crime%20report%20%E2%80%93%20top%20attacks%20on%20the%20sector%C2%A0
4. PC 360 - https://www.propertycasualty360.com/2023/10/31/ransomware-activity-sees-95-year-on-year-spike/
5. TechCrunch - https://techcrunch.com/2023/05/31/ransomware-attack-on-us-dental-insurance-giant-exposes-data-of-9-million-patients/
6. AP News - https://apnews.com/article/ransomware-health-insurer-harvard-pilgrim-point32health-d7d7d150006a91dd86dd75e09c388522
7. Travelers - https://www.travelers.com/resources/risk-index/2023-cyber-top-business-risk
8. Digital Insurance - https://www.dig-in.com/list/travelers-risk-index-cybersecurity-remains-concern?utm_source=newsletter&utm_medium=email&utm_campaign=V3_DIG_Daily_Briefing_2023%2B%27-%27%2B11292023&bt_ee=NCWPbUB1f%2B%2FvtLmwLBao2T5tl1Hxl2t4HNxnujX3nS%2BizV%2Fyr0Ezb5zchEMjQ3S%2B&bt_ts=1701266455080
9. PC 360 - https://www.propertycasualty360.com/2023/10/31/ransomware-activity-sees-95-year-on-year-spike/ 
10. IBM - https://newsroom.ibm.com/2023-07-24-IBM-Report-Half-of-Breached-Organizations-Unwilling-to-Increase-Security-Spend-Despite-Soaring-Breach-Costs