Insurance: Irresistible to Cyber Criminals

Cyberthreats against financial institutions have increased exponentially in the last year and are expected to grow relatively unchecked. The world's biggest data breaches involve millions of records and subject consumers to identity theft risk for years to come. More and more, insurance consumers expect carriers to interact through online channels. As insurers aggressively move into new online territory through agency portals, online policy applications, Web-based claims-management systems and mobile apps, they introduce new vectors of cyberfraud risk.

Hackers' paradise

Insurers house a remarkable amount of personal information that identity thieves find irresistible. In October 2012, the insurance industry saw firsthand how intent hackers were on accessing this information when Nationwide suffered a major data breach. Hackers stole names, Social Security numbers, driver's license numbers and dates of birth for more than 1 million individuals – including policyholders as well as individuals seeking quotes.

James Ruotolo SAS

And the industry is entering an era of data growth. "Big data" is all the rage as insurers continue to amass huge amounts of consumer information. Telematics and social media programs are driving this trend. Insurers are looking to use new analytic technologies to take advantage of all this information. But those same organizations also need to prepare for a new reality in which cyberthreats continue to grow at breakneck speed and insurers become ever more attractive targets for would-be identity thieves. In this world, data security will become a top priority.

Cyberrisk in financial services

Unsurprisingly, banks tend to be a frequent target for hackers. Criminals tend to follow the money. With online account access and plenty of ways to move money electronically nowadays, banking institutions are an obvious target of cyberattacks. A new report from Longitude Research surveyed bank executives to identify cybersecurity challenges and opportunities, and concluded insurance companies may be next in line behind banks as key targets of cyberthreats.

Mike Usher, Director of Information Risk at Prudential Corporation Asia, a financial services firm, says in the report: 'The biggest change coming is a shift from primary targets, which from a criminal point of view has been banks. But vigorous investment [at banks] has opened up secondary targets, which in the crime world might be insurance companies or anyone who holds significant information on customers.'

Among the key findings of the report: Preparedness for cyberrisks remains weak, with only one in four organizations indicating that its internal resources are "highly prepared" to address cybercrime. Insurance executives should treat the Nationwide breach as a harbinger of things to come in the industry.

Mitigating the threat

The Longitude report also confirmed that technologies and threats are rapidly evolving. In order to keep pace, response strategies also need to evolve. Many cyberthreat mitigation programs are reactive – involving forensic analysis after a breach has occurred. More frequently, organizations are doing proactive penetration testing to look for vulnerabilities. But even this methodology is an increasingly outdated approach as it fails to keep pace with the scale and complexity of the cyberthreats they are meant to prevent. In the industry, there is a growing realization that cybersecurity must involve a broader, risk-based approach and move away from being seen as purely a technical problem.

There are only two types of insurers: those that have been targeted and those that will be. As insurance companies continue to acquire vast amounts of sensitive information, they must reprioritize cybersecurity and data protection as mission-critical business objectives.

About the author: James Ruotolo is an insurance fraud technologist, thought leader and the principal for insurance fraud solutions at SAS. Connect with him on Twitter.