Insurance companies are expected to provide financial protection to their customers. But when it comes to cyber threats, insurers are increasingly falling victim to a relentless onslaught from data thieves, ransomware groups, hacktivists, and even nation states.
“The insurance industry is a target for many different types of cyberattacks,” states the introduction to the IntSights 2022 Insurance Industry Cyber Threat Landscape Report, which provides the reasons and various examples of where different attacks have struck in the insurance industry. For example, security breaches by groups specializing in ransomware have become a major threat to insurers, as many of them have a role in providing coverage in the event of ransomware – either because the attackers are seeking information about the coverage of their potential targets might have, or as revenge.
The details of cyber insurance policies, “particularly the maximum ransom amount that a cyber insurance policy will cover, are very useful for ransomware operators. Ransomware operators can use this information to calculate an optimal ransom amount that is both high enough to maximize profit and low enough for victims to accept,” said Paul Prudhomme, Head of Threat Intelligence Advisory at IntSights, a Rapid7 company that published the report.
Case in point: the report points to a few instances where maximizing their ransomware score from a corporate customer of the insurance company was the ultimate goal for the breach. These include the March 2021 break-in at CNA Financial, a cyber insurance provider that reportedly paid a $40 million ransom to Phoenix CryptoLocker ransomware operators, “one of the largest ransom payments ever reported,” according to the report.
After a malicious malware update, the attackers were able to roam within the network until they gained access to the data and credentials they needed for the heist, even encrypting files belonging to remote CNA Financial employees in the VPN. While the insurer denied that the ransomware gang accessed coverage limits, CNA Financial admitted that Social Security numbers and other PII of 75,000 people were compromised, mostly existing or former employees and family members.
Sensitive personal and financial information used for other crimes
Insurance companies often hold even more sensitive financial and personal data of consumers and businesses than banks, healthcare companies or securities firms – valuable data that fetches a high price on the dark web or can be used to create more credible synthetic identities to commit other online crimes.
“Insurance companies are being targeted because of the large amount of personally identifiable information (PII) they process and store,” Prudhomme said. “Bad actors can use this PII for fraud and other malicious purposes, including insurance fraud.”
And as in many areas of corporate IT security, particularly in the financial industry, attackers are penetrating insurance companies as well as the third parties they work with, from providers to insured corporate customers, Prudhomme added.
“While not surprising,” he said, “the above points to the importance of a strong security posture that includes access to threat intelligence that allows the insurer to tailor its defenses to its business.”
Indeed, the report pointed out that insurance companies can often be a prime target for “government-sponsored threat actors because they have so much detail” of personal information they keep when doing business with consumer policyholders.
“Hacktivists have been known to target insurance companies for ideological reasons,” the report said.
Prudhomme recommended that insurance companies “think not only about additional layers of protection, but also about the context of the business you’re applying those layers to.”
For example, he added that B2C security measures will have significant differences from their B2B counterparts. “Security with an auto insurer might work differently than it does with a health insurer,” he said.
Additionally, Prudhomme suggested that “rigorous research and risk management can help provide peace of mind when dealing with third parties. If you think holistically about the threats your industry faces and use data strategically to find those specific threats, it may not mean your organization is 100% protected.”