Data Security: Is Your Insurance Agency Safe from Cyber Attack?

Blog25 Jan 2021

Data Security: Is Your Insurance Agency Safe from Cyber Attack?

Technology is a double-edged sword for independent agents. On one hand, it’s created immense opportunities and helps make things more efficient, while meeting customers’ needs.

But on the other hand, it creates some major security concerns. Over 6.1 million data records are lost or stolen every single day, according to the Breach Level Index. That’s 71 records per second.

Here’s what you need to know in order to combat cyber crime and protect your customers’ data security and privacy.

Why Insurance Data is So Heavily Targeted

Many industries are at risk of cyber attack. After business and healthcare organizations, the most frequently targeted companies in the first half of 2018 were banking, credit and financial organizations, writes digital security expert Ryan Manship.

However, the insurance industry also faces a lot of threats.

Cyber criminals know that independent agents frequently handle highly sensitive information yet have very few measures in place to protect their customers from cyber attacks, writes the team at cloud-based disaster recovery company, CloudSecureTech. As a result, analysts have noticed an alarming trend where hackers are increasingly targeting insurance companies with the purpose of stealing customer data to use for fraud.

Global consulting firm Protiviti confirms this saying there has been a significant spike in successful cyber attacks in the insurance industry over the past two years. In fact, more than 100 million Americans have had sensitive personal information compromised due to insurance data breaches.

And unfortunately, it’s a problem that’s likely here to stay.

Let’s take a look at attacks on health insurance providers in recent years. While the motivations and consequences of breaching homeowners insurance data might be different than with health insurance, the fall-out can be just as severe.

The Aflac Attack in 2018

Megan Berkowitz at Insurance Thought Leadership talks about one such data breach in May 2018 involving insurance company Aflac. The company revealed that it was the target of a major data breach that involved the possible exposure of their customers’ sensitive personal data, which stemmed from hackers gaining access to independent contractors’ email accounts.

More specifically, an investigation discovered that a wide range of information like names, dates of birth, addresses, policy numbers, social security numbers and even bank account information was compromised, notes insurance journalist Lyle Adriano.

Aflac did a good job at handling the situation, immediately taking action by reporting the incident, isolating certain email accounts and resetting passwords. But despite their swift action, the personal information of as many as 10,000 customers was exposed, says Fred Donovan, senior editor at HealthITSecurity.

And this wasn’t an isolated incident. Freelance journalist Jennifer Abel points out that at least 81 percent of major healthcare or health insurance companies fell prey to cyber attacks during the past two years.

The Anthem Attack in 2015

An even bigger incident happened in early January 2015 and involved major health insurer, Anthem. It was actually the biggest data breach of a U.S. healthcare institution to date, according to Berkowitz. The wide-scale attack targeted Anthem’s IT system and took course over a period of a few weeks.

Some 80 million patient and employee records were breached, potentially exposing customer names, birth dates, social security numbers, as well as employee information and income data, writes Matthew Goldberg, consumer banking reporter at Bankrate. Ultimately Anthem paid $16 million to the Office of Civil Rights, a record high settlement under the Health Insurance Portability and Accountability Act, and agreed to undertake robust corrective action.

The First American Breach in 2019

Another notable breach that happened just a few months ago in May 2019 involved First American, a financial services company that offers title insurance and specialty insurance to the real estate and mortgage industries.

“A massive data leak containing 885 million personal and financial records was found unprotected on the website of First American Financial Corp.,” writes Steve Turner, chief information security officer at identity protection company Sontiq. “The company, a leading title insurer for the US real estate market, exposed consumers’ social security numbers, bank account numbers, mortgage and tax records, wire transaction receipts and driver’s license images dating as far back as 2003.”

Key Data Vulnerabilities

These examples show that health insurance providers face some of the greatest risks. In fact, LA-based insurance brokers, Catano Insurance says of all the data breaches that happened between 2010 and 2017, 63 percent involved the theft of medical data.

However, no one in the insurance industry is immune, and it’s crucial that independent agents understand major data vulnerabilities. One of the biggest is gaps in infrastructure security.

“Infrastructure vulnerabilities and unpatched or last-generation security software provide easy fodder for hackers who can potentially do a great deal of damage through theft and other malicious activity,” says the Business World team. “If the company has not yet begun its digital transformation they may be inadvertently be leaving themselves open to attack.”

Another is identity theft. There are many ways an insurance customer’s personal information can be compromised. Sometimes it’s a mistake on their end like using unsafe internet connections in a restaurant, cafe or airport. But more often than not, it’s due to an oversight on an insurance agency’s end.

For example, identity theft protection company LifeLock explains that it could happen if an employee leaves their work computer unattended or is lax about security with their smartphone. If someone were to steal it, they could gain access to a large volume of personally identifiable information to exploit.

Also, many cyber criminals use a technique called phishing, which uses manipulative emails or malicious websites to wrongfully obtain personal information from a person or group by posing as a trustworthy company. The goal of phishing is to fool a person into giving over their login information or other personal data, explains Nate Lord at Digital Guardian.

Infecting a company’s system with malicious code is quite common too. This involves a hacker inserting code into a software system, database or script to create an undesired effect, writes application security company, Veracode. In this situation, a cyber criminal can use malicious code to infect a system with things like viruses, worms and Trojan horses, all of which can compromise data security and bring a system to its knees.

The point here is that insurance companies face many risks. To keep your network safe and protect the sensitive information of your customers, you need to take data security seriously.

Data Security Best Practices

With that said, it’s essential to have an understanding of data security best practices. This begins with implementing a 24/7 network security monitoring solution, says the team at Alert Logic, a threat intelligence and defense platform. Using this type of technology continually monitors things like network traffic, logins and general activity and instantly alerts you when there’s any questionable behavior.

Vulnerability scanning is similar to network security monitoring but focuses on finding security holes that could potentially be exploited, notes technical writer Margaret Rouse. This will let you know about any weaknesses in your network that could make it vulnerable to attack. That way you can resolve any issues before hackers have the chance to exploit them.

As noted, phishing attacks are another big concern for independent agents. In 2018, 83 percent of respondents from a cybersecurity survey encountered phishing attacks — up from 76 percent in 2017, says tech writer Anthony Spadafora. It’s crucial that you and your employees learn how to recognize phishing attempts.

Studies found that offering formal training on preventing these attacks helped increase employee detection by nearly 60 percent. That’s why you should educate your staff on how to identify questionable emails and how they should respond if they find something suspect.

Beyond that, using multi-factor authentication can help keep sensitive information out of the wrong hands.

This is an authentication method that requires a user to enter a password along with a second factor such as their face or a fingerprint scan before they can gain entry, explains Teju Shyamsundar at access management platform Okta. While not completely foolproof, it greatly lowers the chances of a hacker gaining access to sensitive customer information.

How to Stay on Top of Data Security

Many industries, like the financial services sector for instance, take serious cybersecurity measures because of strict regulations, explains Chris Camacho, chief strategy officer at business risk intelligence provider Flashpoint. But most insurance companies have historically been less diligent in their efforts for the simple fact that they have far fewer regulatory requirements.

And that’s something that needs to change, especially considering the growing number of cyber attacks that have taken place over the past few years.

Understanding key data vulnerabilities and applying data security best practices should help keep your customers’ information safe and minimize the likelihood of your company experiencing an attack.