Cyber insurance necessarily involves detailed information about the security infrastructure of a business, and that information is also valuable to cyber attackers. The more detailed an assessment of a company’s current security posture, the better an insurer can feel about their ability to predict that company’s future risk. However, insurers have to very carefully control the information they receive from their customers. Additionally, web tools like online claim filing and customer web portals provide potential attack vectors that insurers have to secure. As insurance is a business that involves trust, insurers have strong incentives to protect their customers’ information, and no long-term cyber attacks have been reported in the insurance sector.
Insurers maintain information on their customers — and in some cases even those who request a quote but don’t eventually become customers — and this payment and personal identification information can be very useful to attackers, for its black-market value and as stolen credentials to log into customer systems. Storing encrypted customer information is a necessity, and access to that information should be restricted wherever possible, even within the insurer. Insurance, like any other business, is susceptible to social engineering and phishing attacks; employees of any insurer should be trained in secure operating practices such as the use of two-factor authentication, encryption, and being wary of email links and attachments.
Cyber attacks against health insurers like Anthem have made the news for their scope, affecting up to 80M individuals who are or were insured by Anthem. Insurers in other industries haven’t been subjected to the same amount of scrutiny, but in many cases are spending more on information security than their health insurance counterparts. A survey by the New York State Department of Financial Services found that the majority of property and life insurance companies spend between 3–5% of their overall budget on information security, whereas most health insurers only spend 1–2%. No insurer spent more than 7% of their budget on information security, and some surveyed insurers spend less than 1%. Increased spending is no guarantee of better security, but information security spending is increasing at 86% of surveyed insurers.
Transparency on the part of an insurer can increase trust, and paradoxically admitting to having been attacked can be a more realistic and trustworthy response than having never been subjected to a cyber attack. Insurance regulators understand that cyber attacks are widespread and common, and are more likely to believe insurers who have identified cyber attackers and moved to better protect their systems. Annual questionnaires by insurance rating agencies include questions about cyber attacks, and ask more follow-up questions to insurers who state they have never been subject to a cyber attack.
Follow the conversation on Medium