Protect client data with these cybersecurity considerations
Insurance agents are frequently trusted to field questions, assess risks on behalf of their clients and explain coverage options to individuals and businesses. As part of these duties, insurance agents can encounter account and policyholder information such as Social Security numbers, financial information, addresses, birthdates and other sensitive information.
Given the value and sensitive nature of this data, insurance agencies are a common target for cybercriminals. In fact, according to recent Nationwide survey data, 49% of independent insurance agents say their business has experienced a cyberattack. Like any other business, insurance agencies involved in data breaches face significant and potentially irreversible consequences. This article highlights what insurance agencies put at risk when they fail to take the proper precautions against cyberattacks. It also provides actionable steps insurance agents can take to protect themselves and their clients against would-be cybercriminals.
Understanding the cost of a data breach
Because of the nature of their work, insurance agents are typically more informed on the cyberthreat landscape than most. Still, the impact of a data breach or similar cyber event cannot be overstated, particularly as it relates to the cost of an attack.
In 2023, the average cost of a data breach was $4.5 million. Additionally, organizations lose $1.3 million in an average data breach.¹
“The total cost of damages incurred by cybercrime is expected to reach $10.5 trillion by 2025.”¹
Just one data breach or cyber incident can cause irreparable reputational harm for small to mid-sized businesses like insurance agencies. In some cases, the financial impact of a data breach can force companies to close their doors. According to recent Nationwide survey data, of the independent agents that have experienced a cyberattack, 71% (up from 61% in 2022) indicated that the attack impacted or even jeopardized their agency’s finances.
What’s more, according to an article from Forbes, data breach expenses often stem from “remediation efforts, legal fees, regulatory fees, intellectual property theft, operational disruption, and reputational damage.”¹ Organizations may pay $1.8 million to detect and escalate data breaches and may lose $1.3 million from the breach itself.¹
Types of cyberattacks
When one thinks of a cyberattack, it’s easy to characterize the victims as those who have an online presence and regularly process payments.
“However, not only has Nationwide seen an increase in insurance agency attacks year over year, but a recent report—X-Force Threat Intelligence Index 2024—determined that the finance and insurance industry was the second most targeted industry by cybercriminals in 2023.”³
This makes sense, as insurance agents obtain and handle financial and private data on behalf of their clients. To steal this data, cybercriminals will employ different types of cyberattacks, including but not limited to the following:
- Phishing—Phishing is one of the most common cyberattacks, with nearly one out of every four insurance agencies having already been a victim of a phishing scheme. With traditional phishing attacks, criminals send fraudulent, malicious emails to as many people as possible. Attackers will customize phishing emails to make them appear trustworthy, sometimes using logos or fake email accounts to improve the message’s legitimacy. Often, phishers will pretend to be trusted sources, like hospitals, banks or employers. The phishing message will likely include language designed to fool victims into clicking a link, opening a document, installing software or entering their username and password. If a victim falls for a phishing email, the cybercriminal can infect their computer with malware and steal sensitive information or compromise systems. There are four main types of phishing:
  - Email phishing is the most common form of phishing. In an email phishing scam, a cybercriminal sends an email that looks legitimate in order to get an individual to provide sensitive information or click on a compromised link. Criminals often rely on fake domains and character substitutions in email phishing attacks.
  - Spear phishing is a subset of phishing that targets specific individuals or organizations. These attacks often use emails, text or phone calls that are personalized to the target.
  - Whaling is a type of phishing scam that specifically targets executives, senior leaders and other high-profile individuals. Similar to other phishing attacks, whaling is designed to steal sensitive information, gain access to financial systems or access confidential data.
  - Vishing (also known as voice phishing) is when criminals call a target and impersonate a legitimate source, like a bank or government agency, over the phone in an attempt to get victims to divulge personal or sensitive information.
- Credential stuffing—These attacks occur when a malicious party takes a stolen username and password and tries it on various websites. In some cases, a hacker may purchase an individual’s username and password from the dark web. Then, assuming the individual uses the same password for multiple accounts, the hacker tests the stolen credentials across multiple platforms (e.g., banking or social media websites). In summary, cybercriminals use information from one account and can potentially access data from many different platforms.
- Unpatched vulnerabilities—Upon its release, computer software can have security issues stemming from bugs, bad code and similar problems. To address these types of concerns, software companies will often provide updates to patch known vulnerabilities in the software. However, before a software company issues a patch or an agency updates the software, hackers can exploit vulnerabilities to carry out cyberattacks.
- Distributed denial of service (DDoS)—17% of insurance agents say their business has been impacted by a DDoS attack. A DDoS attack is when cybercriminals inundate a targeted server, network or service with large amounts of internet traffic. This overloads system resources, creating disruptions or causing the system to become completely unavailable to legitimate users.
- Malware—Once cybercriminals are in the system, they can start accessing information and deploying malware. Malware refers to viruses, worms, Trojan horses, spyware, adware, rootkits and other unwanted software or programs. Once installed on a device, malware can disrupt normal computing operations, collect information and control system resources. Malware programs are constantly evolving, making detection and prevention more difficult for business owners and insurance agencies. In fact, 21% of insurance agents report their business has experienced a malware attack.
- Ransomware—One particularly common and devastating type of malware is ransomware. Ransomware is malicious software that infects a computer and either prevents it from working as it should or prevents access to specific files until the user pays a ransom. Typically, the cybercriminals behind the ransomware demand bitcoin, a type of digital currency that is difficult for police to trace. Businesses of all sizes and types can be targets of ransomware; it can infect personal computers and entire networks and servers. Insurance agents are impacted by ransomware at an alarming rate, with 36% of agents reporting their business has been the victim of such an attack.
Cybersecurity best practices
When it comes to protecting customer and client data, cybersecurity protocols must be carefully scrutinized. Doing so instills confidence that PII is safe when it’s handled by the insurance agency or a third-party provider. In particular, insurance agencies should consider the following:
1. Encryption
Through encryption, information is encoded in such a way that it is scrambled and can only be read by someone who has the proper encryption key. When handling data or selecting a software vendor, it’s important to consider how encryption will be used to safeguard sensitive information. When data is properly encrypted within a system, cybercriminals can’t read it even when they intercept it in an attack.² In particular, agencies should rely on encryption to protect client and other sensitive data stored in agency management systems (AMS) and other similar platforms. Multifactor authentication can also be enabled to add a layer of security and protect against compromised credentials. Through this method, users must confirm their identity by providing extra information (e.g., a phone number or unique security code) when attempting to access the AMS.
2. Data classification and handling personally identifiable information (PII)
PII refers to information—like a person’s name, Social Security number, passport number, date of birth, address, driver’s license number, phone number or email—that can be used to identify a person. Protecting PII is crucial, as it is often targeted in data breaches and can be exploited for identity theft or fraud. When handling PII, insurance agencies need to consider what types of personal information they collect, where it is stored and who has access to it. This is data classification and handling. It is particularly important when it comes to privacy laws, as handling certain types of information can leave the agency open to regulatory action should it be compromised in a data breach. If privacy laws are not followed, the following ramifications can occur:
- Legal penalties and fines—Regulatory bodies can impose significant fines if an entity is noncompliant with privacy laws. In extreme cases of negligence, criminal charges may be brought against executives or employees.
- Lawsuits—In the event of a data breach or the misuse of personal information, affected individuals may file class-action lawsuits. These lawsuits can lead to costly legal battles.
- Loss of business—Failing to follow privacy laws can result in lost business opportunities, particularly if the prospect has strict data security standards. Further, noncompliance with privacy laws may give existing clients the opportunity to terminate contracts, leading to lost revenue.
- Increased scrutiny—If an organization fails to follow data privacy laws, it may be subject to increased audits and regulatory scrutiny.
If that weren’t enough, an insurance agency could be required to pay other costs as a result of the hold harmless and indemnification sections of agency/carrier agreements. Some examples include but are not limited to investigation costs, notification costs, and defense and liability costs.
As a result of these potential damages, insurance agencies must take strides to encrypt and protect PII, including Social Security numbers, driver’s license numbers, debit and credit card information, bank and financial account information, and protected health information.
Protecting PII is essential for insurance agencies, especially given that they often handle sensitive client data (e.g., Social Security numbers, financial details and health information). A breach of this data can lead to identity theft, fraud and serious legal consequences if agencies fail to take the proper steps to safeguard client information.
3. Secure device management and patching vulnerabilities
Insurance agents need to be cautious when it comes to the use of personal computers and mobile devices. Notably, any device that can access agency applications must be password protected. Additionally, if a device is lost or stolen, agencies should have the ability to wipe data remotely. It’s also important to have trusted antivirus and antispyware programs installed on company devices. These programs should be set to perform scans on a regular basis for unwanted and harmful programs.
It’s critical for insurance agencies to update company software as soon as new updates are released. In doing so, security vulnerabilities that cybercriminals rely on are patched, which helps businesses avoid becoming an easy target.
4. Vendor management
When working with a third-party vendor, it’s critical to vet their cybersecurity practices. At a minimum, insurance agencies should confirm that the vendor can send and receive data securely. It’s also crucial to ask for a System and Organization Controls (SOC2) report. SOC2 reports are independent audits based on standards set by the American Institute of Certified Public Accountants (AICPA). They are used to assess the effectiveness of how an organization manages customer data, focusing on controls related to security, availability, processing integrity, confidentiality and privacy. SOC2 reports provide clients and stakeholders with assurance that the organization has implemented proper safeguards to protect sensitive information. In short, SOC2 reports are used to verify if a third party is following best practices related to financial processes, security and privacy.⁴
Insurance agencies will also want to confirm that the third parties they work with have cyber insurance in place. This is particularly valuable considering that, in order to place cyber coverage, many insurers require businesses to have a cyber assessment done. In some cases, vendors may be able to provide a copy of this assessment upon request.
If a cyber assessment is unavailable, cybersecurity vendors may be able to provide you with a questionnaire you can give to prospective vendors to determine the security policies they have in place.
5. Email safety
Cybercriminals often use email to carry out phishing scams or even distribute malware and ransomware. Insurance agents should be mindful of incoming emails and avoid clicking on links or attachments from untrusted sources. In general, it’s good to be overly cautious of suspicious emails, especially those that:
- Come from unrecognized senders
- Ask to confirm personal or financial information
- Aren’t personalized
- Are vague
- Include threatening, frightening and persuasive language
When receiving potential phishing emails, it’s crucial to report them to the proper company employee (e.g., a senior member of the IT department).
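One way to turn the checklist above into a first-pass triage check, as an added example that is not part of the original article: it parses a constructed email and flags each of the five warning signs, so a message showing several of them gets reported to IT rather than opened. The allowlisted sender domains, the phrase patterns and both sample messages are assumptions made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical allowlist of sender domains the agency already knows (assumption).
KNOWN_SENDER_DOMAINS = {"nationwide.com", "example-agency.com"}
# Constructed phrase patterns for the article's warning signs; not exhaustive.
ASKS_FOR_INFO = re.compile(r"\b(confirm|verify|update)\b.{0,40}\b(account|password|"
                           r"social security|ssn|credit card|bank)", re.I)
THREATENING = re.compile(r"\b(immediately|within 24 hours|suspended|final notice|"
                         r"urgent|legal action)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|user|member|valued client)", re.I | re.M)
# A concrete policy/claim reference is a weak sign the message is not vague.
SPECIFIC_REFERENCE = re.compile(r"\b(policy|claim|quote|invoice)\b[^\n]{0,15}\d{3,}", re.I)

def phishing_indicators(raw_message: str) -> dict:
    """Map an RFC 5322 message to the five warning signs listed in the article."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return {
        "unrecognized_sender": domain not in KNOWN_SENDER_DOMAINS,
        "asks_for_info": ASKS_FOR_INFO.search(text) is not None,
        "not_personalized": GENERIC_GREETING.search(text) is not None,
        "vague": SPECIFIC_REFERENCE.search(text) is None,
        "threatening_language": THREATENING.search(text) is not None,
    }

def should_report(raw_message: str, threshold: int = 2) -> bool:
    # Report to IT when the message shows at least `threshold` warning signs.
    return sum(phishing_indicators(raw_message).values()) >= threshold

# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: "Account Security" <alerts@nationwide-secure-login.com>
Subject: Action required

Dear Customer,
Your account has been suspended. You must verify your password immediately
to avoid legal action.
"""
LEGIT_SAMPLE = """\
From: "Jane Doe" <jane.doe@nationwide.com>
Subject: Policy 4471-220 renewal documents

Hi Sam, attached are the renewal documents for policy 4471-220 we discussed;
no action is needed on your end until our meeting next week.
"""
```

The indicator output is a triage aid for deciding what to report, not a verdict: a legitimate reminder from an unknown vendor can trip two signs, and a well-crafted spear-phishing message can trip none.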
6. Password management
Ongoing password management can help prevent attackers from compromising an organization’s password-protected information. Insurance agencies will want to create a password policy that requires employees to change their password regularly, avoid using the same password for multiple accounts and use special characters. Long passphrases are becoming increasingly popular and may be a good option for an organization.
7. Employee training
Even the most robust and expensive data protection solutions can be compromised if an employee clicks a malicious link or downloads fraudulent software. As such, it’s critical for organizations to thoroughly train personnel on common cyber threats and how to respond. Employees should also know the cybersecurity policies and know how to report suspicious activity.
8. Cyber liability insurance
When cyberattacks occur, they can result in business disruptions, lost revenue and litigation. The coverage provided in standard general liability policies is sometimes not enough to protect a business from cyber exposures. As a result, cyber liability insurance has become an important consideration for any risk management program. Cyber liability insurance policies are tailored to meet a company’s specific needs and can offer a number of important benefits. While specific protections depend on the policy language, cyber liability insurance can offer data breach coverage, business interruption loss reimbursement, cyber extortion defense, forensic support and legal support.
How Nationwide helps agencies protect against cyber threats
Nationwide’s cyber defense team monitors the dark web for potential activity involving Nationwide policyholders. This monitoring occasionally surfaces agency information on the dark web. When Nationwide identifies a potential breach at an agency, sales managers will reach out. Beyond reporting possible compromises, Nationwide is committed to ensuring a cyber-safe environment while providing solutions to meet your needs.
Citations/Disclaimers
1. https://www.forbes.com/advisor/education/it-and-tech/cybersecurity-statistics/
2. https://us.norton.com/internetsecurity-privacy-what-is-encryption.html
3. https://www.ibm.com/downloads/cas/L0GKXDWJ
4. https://secureframe.com/hub/soc-2/what-is-soc-2