Beyond holding monetizable sensitive data to ransom, cybercriminals are also targeting the industry out of vengeance, in pursuit of political agendas, and for other motives.

In May last year, the Asian operations of insurance firm AXA were hit by a serious data breach: 3TB of data was stolen and sensitive records were exposed as part of a multi-faceted cyber-attack. This occurred shortly after the firm had announced it would stop reimbursing new French customers for ransom payments made in response to ransomware attacks.

The headline-grabbing attack is significant because it not only involved a damaging disclosure of customer data but also appeared to be aimed at punishing the firm for its business decisions. It was also one of a series of attacks that hit insurance firms in the past year.

Not long after the AXA attack, Tokio Marine Insurance Singapore, which also provides cyber-insurance coverage, disclosed in August 2021 that it, too, had been hit by a ransomware attack.

According to reports, the AXA data breach may have originated at a third-party vendor in Thailand, which makes clear that it is not enough to protect only one's own cyber boundaries against evolving threats; the security of vendors and partners matters just as much.

What insures the insurers?

For an industry whose business is managing risk, it may sound ironic that the specter of a cyber-attack is a risk such firms do not yet manage well enough.

In March 2021, CNA Financial reportedly paid a ransom of US$40m to ransomware operators who had locked up the files on its computers. Notably, its financial losses were not fully covered by its own cyber insurance.

According to a KPMG study, 85% of insurance CEOs surveyed indicated that the pandemic had caused accelerated digitalization of their operations and the creation of next-generation operating models. While digitalization has been a common endeavor across many different sectors, the insurance sector is an attractive target because of a number of unique factors:

  • To start with, insurance companies hold a large store of personally identifiable information (PII), which can include basic data such as contact details as well as social security or taxpayer identification numbers.
  • Even more sensitive is the protected health information (PHI) that insurers hold, such as medical records, medical expenses and failed claims. When exposed, these personal records cause highly damaging situations, which adds to the attackers' leverage when demanding a ransom.
  • Beyond fraudsters, state-sponsored threats that target breach victims for intelligence or other espionage purposes are also a looming concern for insurance firms. Around 2014 and 2015, the American health insurer Anthem was hit by a massive data breach, allegedly carried out by a Chinese cyber-espionage group, that affected 78.8m American customers. Security researchers were concerned that the stolen data could be cross-referenced with data from another attack on the United States government's Office of Personnel Management, which handles security clearances for employees and contractors with access to classified information. Such cross-referencing could let attackers identify personal vulnerabilities, say, large healthcare debts, which could then be used as leverage to coerce breach victims into committing espionage against the US.

Given the severity of such threats, what can insurance companies do to protect themselves? Unfortunately, there is no one-size-fits-all solution. Each insurer has to find an approach that is specific to its own needs.

Besides adding more layers of protection, it is critical to consider the business context onto which these layers are applied. For example, measures to enhance business-to-consumer (B2C) security will differ significantly from their business-to-business (B2B) counterparts.

Similarly, an insurer's operations will also determine how it applies its security layers. For example, a car insurance company runs its operations quite differently from a healthcare insurer. What is common, though, is the need to have rigorous research and risk management in place long before a threat emerges.

In cybersecurity, there are no 100% guarantees, but having a holistic way to monitor threats across the industry, and using data to find those threats early, will give insurers a better chance of mitigating their risks.