In the crosshairs of cyber attackers, insurance companies face growing online threats

By Paul Prudhomme, Head of Threat Intelligence Advisory at IntSights, a Rapid7 company

In May 2021, the insurance firm AXA was hit by a serious data breach, which resulted in 3TB of data including identity documents, claims, reimbursements, account details and customer medical records being exposed as part of a multi-faceted cyber attack.

More specifically, the Asian components of the insurer were hit after the company had said it would stop reimbursing new French customers for ransom payments made in ransomware attacks.

AXA was hit by a group called Avaddon, which also conducts distributed denial of service (DDoS) attacks on top of setting up ransomware to pressurise victims to pay up.

The headline-grabbing attack is significant because it not only involved a damaging disclosure of customer data but may also be aimed at punishing AXA for not covering ransomware in reimbursements for its customers.

Indeed, the attack was among a series of recent attacks that have hit insurance companies in the past year, as they became attractive targets for cyber attackers.

The AXA compromise may have originated at a third-party vendor in Thailand, according to reports, so it is clear that it is not enough to simply protect one’s own cyber boundaries against evolving threats.

Not long after the AXA attack, Tokio Marine Insurance Singapore disclosed in August 2021 that it too was hit by a ransomware attack.

Though details on that attack are not public, the subsidiary of the Japanese property and casualty insurer also provides cyber insurance coverage.

For an industry whose business is to manage risks, it may sound ironic that the spectre of a cyber attack is not something that they often manage well enough today.

In March 2021, CNA Financial reportedly paid a ransom of US$40 million to ransomware operators that had locked up the files on its computers. Notably, its financial losses were not fully covered by its own cyber insurance.

In the past year, threat actors looking for a larger attack surface to mount hacking campaigns have also been monitoring the rapid digitalisation of the sector, which has been accelerated by the Covid-19 pandemic.

While digitalisation has been a common endeavour across many different sectors, the insurance sector is an attractive target because of a number of unique factors.

To start with, insurance companies have a credible store of personally identifiable information (PII), which could include basic data such as contact information or social security or taxpayer identification numbers.

Even more sensitive is protected health information (PHI), such as medical records, medical expenses and failed claims, which insurance companies also hold.

Eighty-five per cent of insurance CEOs say the pandemic has accelerated the digitalisation of their operations and the creation of next-generation operating models, according to a study by consulting firm KPMG.

When exposed, these personal records make for highly damaging situations, which add to the leverage for the attackers when it comes to demanding a ransom.

While the main concern of insurance firms is fraudsters, they also have to be on the lookout for potential state-sponsored threats that target victims of a data breach for human intelligence or other espionage purposes.

Around 2014 and 2015, the American health insurer Anthem was hit by a massive data breach, allegedly carried out by a Chinese cyber espionage group, that affected 78.8 million American customers.

Security researchers have been concerned that this could lead to hackers cross-referencing the stolen data with data from another attack, on the United States government’s Office of Personnel Management, which handles security clearances for employees and contractors with access to classified information.

This could enable hackers to find personal vulnerabilities, say, large healthcare debts, which can be used as leverage to persuade the victims of the data breach to commit espionage against the US.

Given the severity of such threats, what can insurance companies do to protect themselves?

There is no one-size-fits-all solution, unfortunately. Each insurer has to find a solution that is specific to its needs.

Besides adding more layers of protection, it is critical to think of the context of the business onto which these layers are applied.

For example, measures to enhance business-to-consumer (B2C) security would be significantly different from business-to-business counterparts.

Similarly, an insurer’s operations will also determine how it may apply its security layers. A car insurance company runs its operations quite differently from a healthcare insurer, for example.

What is common, though, is the need to have rigorous research and risk management in place, long before a threat emerges.

There are no 100 per cent guarantees in cyber security but having a holistic way to monitor threats across the industry and using data to find these threats will give insurers a better chance at mitigating their risks.

Find out more about the latest cyber threats to the insurance sector in the industry report from IntSights, a Rapid7 company.