Insurance companies: a “tasty morsel” for cybercriminals
Yes, that’s one of the tastiest bits…to hack the insurers first – to get their clientele and work purposefully from there.
-Unknown cybercriminal from the REvil group in a March 16, 2021 interview.
And cybercriminals have indeed feasted on bites of insurance! Insurance is the fourth most attacked economic sector. Headlines about the hacks weren’t hard to find:
- The insurance company CNA suffered a ransomware attack where they reportedly paid $40 million in ransom in March 2021.
- In February 2022, insurance giant Aon suffered a cyber attack. No details have been released as the company is in the early stages of assessing the incident, but multiple systems have been compromised.
- Last summer, a cyber attack hit a small insurance agency in Illinois. The damage? $6.85 million in losses.
The main reason why the insurance industry has a target on its back? Its reliance on third parties as part of its business model.
Most insurance companies, for example, use independent agents to sell and write policies in various lines of business. Although these agents often require the same privileged access as carrier employees, they are effectively external third parties (non-employees).
Another example is the reliance on high-volume call centers for a wide variety of business practices, including validating documents, communicating policy details directly with customers, updating personal customer information, capturing policy changes, etc. All of these tasks require hundreds of non-employees to have access to the carrier’s sensitive and valuable customer information.
The greatest risk of a breach for a carrier comes from the “insider threat”.
Hundreds (or thousands) of agents and other third-party workers processing and accessing sensitive customer information daily create a large attack surface for bad actors. It only takes one unknown identity to expose your entire agency to a serious breach. According to an Opus and Ponemon study, 59% of businesses said they had experienced a data breach caused by one of their vendors or third parties. Alarmingly, these are breaches that occurred because the company granted privileged access to their sensitive information.
Ensuring that customer information is handled in the safest and most secure manner remains one of the most critical responsibilities and challenges facing insurance companies, their agents and providers.
Fortunately, insurance companies have resources that will make them less palatable to cybercriminals. SecZetta’s Non-Employee Identity and Risk solution is uniquely suited to meet the needs of carriers struggling to provide large populations of independent agents with appropriate and timely access to their systems.
Download the white paper on insurance companies for more details on the non-employee identity and risk challenges that carriers face today, as well as how SecZetta can improve operational efficiency, reduce costs and reduce cyber risk for carriers and the agencies and agents they support.
SecZetta provides easy-to-use third-party identity lifecycle management solutions specifically designed to help insurance companies automate risk-based identity lifecycle management processes for non-employee populations.