ITIJ 216 | January 2019
Insurance companies will continue to be targeted by cyber criminals, so how they prepare and protect themselves will be the difference between remaining in business and being left behind. Tatum Anderson assesses the risk
SamSam, WannaCry, Petya, Equifa, Orangeworm – these are just some of the high-profile global cyberattacks circulating the globe this year and last. They wreak havoc, stealing and demanding ransoms. A Lithuanian cosmetic surgery clinic experienced the theft of personal data as well as tens of thousands of private photos, including nude pictures in 2017. Its patients were threatened with blackmail.
Other attacks have had far-reaching financial consequences. One breach at a US credit bureau in the same year released the personal details of 143 million US consumers; but in years to come victims could experience account takeovers, loan fraud, tax fraud, and employment fraud.
Cyberattacks even have the potential to cause injury and death. WannaCry caused chaos in hospitals in 150 countries in 2017; in the UK alone, almost 7,000 hospital, clinic and GP appointments were cancelled, and ambulances and patients were diverted from five accident and emergency departments that were unable to treat some patients.
Cybersecurity is a business problem, not a technology problem; the entire company has to own it, ownership can't be outsourced
Cyberattacks have made such an impact that in 2018, 11 members of the exclusive Organisation for Economic Cooperation and Development (OECD) group cited cyberattacks as the greatest risk of concern to doing business. The World Economic Forum ranked the threat of cyberattacks above even extreme weather events and terrorist attacks.
Cybervillains are disrupting services through ‘denial of service’ attacks, causing business systems to launder the proceeds of crime, unknowingly. But, primarily, they are stealing data with the intent to coerce or extort. That’s the aim of so-called ransomware. In fact, a quarter of all cyber insurance claims received by AIG last year were because of ransomware attacks. They amounted to just 16 per cent in previous years between 2013 and 2016.
Importantly, cyberattacks are starting to affect every sector – from healthcare to construction – and, now, even insurance. Traditionally, the sector has lagged in its response to cyberattacks because other sectors, such as banking, were being pummelled by attackers. But as banks and other targeted institutions stepped up security, attackers are moving on to weaker targets – such as insurance companies – according to consultancy firm KPMG.
A lot is at stake. Insurers hold a treasure trove of sensitive information on individuals across all sorts of areas, including health, payment information, addresses and personal property, said KPMG.
Although insurers confidently deal with massive risks every day, there is a consensus that perhaps many are unaware of just how much of a target they themselves have become. “Many insurers tend to underestimate how much critical customer data they actually have and that can lead to a false sense of security,” said Robin Ingle, Chairman of Ingle International and Novus Health in Toronto, who has a counter terrorism, corporate intelligence and a digital security background. “They don’t feel they will be targeted and even if they were, feel damage might be minimal.”
Within travel insurance, specifically, there might be particular vulnerabilities, said Paige Schaffer, President and COO of Generali Global Assistance’s Identity and Digital Protection Services’ Global Unit. Travel insurers often don’t enjoy the same type of loyalty that other types of insurance companies do; consumers often buy travel insurance individually for each trip or vacation they take and, most times, they’re shopping around for the best deal each time they do. “This means, if they have a negative experience with your business – or, more specifically, your business finds itself a victim of a cyber incident – your customers will be more likely to jump ship and never come back,” she explained. “A blow to their trust in letting their personal data be compromised would likely be a deal-breaker.”
While there is considerably less churn in IPMI, there are still likely to be risks. “Companies still need to maintain that expectation of trust and responsibility with their members – particularly when it comes to data security,” added Schaffer.
Breaches or attacks on information systems have financial implications, certainly. There can be direct financial losses through paying ransoms, plus the result of any business disruption. In travel and assistance, decisions are required very quickly. If ransomware holds hostage to key information, key business decisions can be disrupted. And, there’s only about a 50-per-cent chance of getting data back in a ransomware attack, regardless of whether payment is made or not, according to the Cyberthreat Defense Report from research firm CyberEdge Group.
its latest report in 2018 revealed only 20 per cent of management boards have ever discussed cybersecurity
Experts say that although there might be immediate costs, there may also be substantial long-term costs that are often unaccounted for. In January 2015, Anthem Insurance companies experienced a data breach involving 78.8 million customers, which cost around $260 million to clean up. But it has also spent $115 million in legal settlements and credit monitoring for affected customers.
Reputational damage, however, can have added ramifications. Ovidiu Patrascu, Sustainable Investment Analyst at global investment manager Schroders, reckons investment decisions will be severely affected by a company’s ability to defend itself against cyberattacks. “The negative impact a data breach can have on a brand links straight to companies’ competitiveness, future revenues and future cash flows. Data breaches often uncover poor governance practices and weak management; changing people or policies is quick but re-establishing market and customer trust take much longer,” he said in a note earlier this year.
What is clear, is that determined intruders are after data on insurers’ customers. Matt Dowing, Principal Analyst, Active Intelligence at security firm AlertLogic, said recently that a huge number of lower-level hackers have been creating special pieces of software that use processing power on other computers to mine for cryptocurrency. But although they aren’t stealing data, they act like a canary in the coal mine. “A determined intruder would be able to find the same vulnerability that the coin miners would likely have already exploited,” he said. “Given the volume and persistence of the coin mining attacks we see, it stands to reason that coin miners’ bulk scanning and exploitation would take advantage of a known vulnerability first.”
He recommends monitoring for symptoms of likely coin mining – such as traffic to known mining pools, high processor utilisation, and antivirus detections for coin mining malware. “Effectively, you can infer compromise from this activity, the same way you infer low oxygen levels because the canary quit singing,” he said.
Understanding your vulnerabilities
Many of the fixes Dowing recommends are easy, but curiously aren’t routinely done by companies. Software companies who spot vulnerabilities in their own systems routinely issue fixes, or patches. The problem is, these easy fixes aren’t always installed by their customers. NHS Digital issued critical alerts warning organisations to patch their systems well in advance of the WannaCry outbreak. “You really need to think about patching vulnerabilities because there is active worming and malware,” he said. “I don’t understand why people don’t patch – maybe they don’t have a patch management programme, maybe they don’t patch at all. However, there are high-profile sites that are getting attacked six months after the patch is released.”
Of course, networks can be extremely complicated and companies won’t always be aware of their vulnerabilities. “So, it’s understanding your systems and having a good inventory of your network and then, of course, monitoring and patching and having a process where you do that,” he advised. “It can be difficult, but we recommend you do regular vulnerability scanning to host discovery and find the vulnerabilities.”
What’s crucial, however, is putting together a specific strategy to identify and get rid of intrusions – rather like an emergency plan used in terrorist situations. He advises understanding the kill chain, the sequence of events used to create an attack. “What we do is map all the points of attack, see where they lie and decide what your mitigations are at each stage and where you can improve,” he said.
Robin Ingle agrees a robust plan is absolutely crucial. NovusHealth is moving much of its infrastructure to the cloud but is using technology to pre-empt many problems. “We are leveraging technology that will automatically kill any server and replace it with a fresh one in minutes without interruption if it detects even the smallest unauthorised changes were made,” he said. “Insurance should be embracing technologies like this, but many tend to be somewhat averse, or slow to adapt to technology change.”
That said, insurers should approach only the right kinds of IT security company to help solve their problems, according to Robin Ingle. He said: “Avoid any company that says they can solve this problem for you, or says they can solve this problem solely with technology; neither is ever true.”
Understanding all business-to-business interactions is vital too, as the industry is so interconnected. “Vendor and supplier networks are becoming more extensive, opening the door to additional risk management requirements,” said Ingle. “As a result, more and more contracts with vendors and third parties stipulate security and data protection requirements. Companies are also having to audit their suppliers and vendors to ensure compliance.”
Several initiatives have also formed to tackle the issues collaboratively. Some are run by governments, such as the UK’s National Cyber Security Centre, others include businesses, such as the World Economic Forum’s Centre for Cybersecurity.
In other words, cybersecurity is about more than technology. “Cybersecurity is a business problem, not a technology problem; the entire company has to own it, ownership can’t be outsourced,” added Ingle.
The transformation will surely squeeze some travel insurance providers out
Others agree. The UK Department for Digital, Culture, Media and Sport, which carries out a Cyber Security Breaches Survey every year, reckons if support for cybersecurity comes from the top, and corporate policies and controls are updated, employees will be trained and companies can better stay ahead of ever-changing threats. Despite that, its latest report in 2018 revealed only 20 per cent of management boards have ever discussed cybersecurity, and only 30 per cent have board members or trustees specifically overseeing cybersecurity.
Compliance with regulations such as PCI and ISO 27001 certification – the best-known standard providing requirements for information security management – will help as well, say security experts. In addition, compliance with the EU’s new General Data Protection Regulation (GDPR), which came into force in May 2018, forces companies to clarify how personal or sensitive data is stored and who has usage rights, and assigns responsibility to companies to keep customer data safe, with high fines if they fail to do so.
But Generali’s Schaffer reckons that even though the cyber security threat hasn’t changed since GDPR came into force, the potential impact and cost to breached companies is now greater. “Arguably, the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of GDPR, as it applies to all companies processing the personal data of individuals residing in the EU – regardless of the company’s location,” she said. “For this reason, most companies have smartly decided to meet these more stringent regulations to be on the safe side. While this is certainly a step in the right direction, GDPR is still relatively new, so only time will tell if it’s really going to reduce the resulting cybercrime and identity theft incidents.”
Other criticisms of GDPR are that it is heavy on protecting privacy, but light on a standardised compliance framework to enforce it. There are neither standardised implementation guidelines, authoritative body governing audits nor standardised certification or audit compliance frameworks for GDPR. It’s up to governments to work out what their approach is.
Many believe, however, that perhaps the easiest way to disrupt cyberattacks is to focus on employees. They are vulnerable to spear phishing, which is one of the biggest headaches for companies. Here, a hacker attempts to target one or more individuals using finely-tuned, personalised tactics to trick users into breaking security procedures. So effective is it, that around 90 per cent of all cyberattacks are successfully executed with information stolen from employees who unwittingly give away their system ID and access credentials to hackers, according to the Cyberthreat Defense Report. Training is therefore vital. The report said: “Failing year after year to invest in your company’s human firewall is inexplicable and inexcusable.”
Data security should certainly be top of any insurer’s agenda, especially in an age where technology has become ubiquitous and data is stored and processed in a multitude of ways and places. “As smartphone use reaches saturation point and most of life’s transactions are digital, the ability to keep customers’ information safe and secure is absolutely business critical,” said Andrew Sherwin, Operations Director at Aquarium Software. “This means that data protection, for so long the poor relation in software system development, is now rightly centre stage. Any firm who cannot demonstrate robust data protection measures risks not only falling foul of the regulator but suffering potentially irreparable long-term brand damage.”
In the end, how companies choose to tackle cyberthreats may end up reshaping the industry, says Generali’s Schaffer. “The transformation will surely squeeze some travel insurance providers out; those that stayed at the forefront of the movement and helped shaped the conversation from within will likely be the ones left standing at the top,” she said.