Insurance agents are frequently trusted to field questions, assess risks on behalf of their clients and explain coverage options to individuals and businesses. As part of these duties, insurance agents can encounter account and policyholder information like Social Security numbers, financial information, addresses, birthdates and other sensitive information.
Given the value and sensitive nature of this data, insurance agencies are a common target for cybercriminals. Like any other business, insurance agencies involved in data breaches face significant and potentially irreversible consequences. This article highlights what insurance agencies put at risk when they fail to take the proper precautions against cyberattacks. It also provides actionable steps insurance agents can take to protect themselves and their clients against would-be cybercriminals.
What’s at risk?
Because of the nature of their work, insurance agents are typically better informed on the cyberthreat landscape than most. Still, the impact of a data breach or similar cyber event cannot be overstated, particularly as it relates to the cost of an attack.
“In 2021, businesses lost nearly $1.8 million per minute due to cybercrime,1 and the average cost of a data breach was $4.24 million.2 These figures are expected to rise in 2022, and global cybercrime costs could reach $10.5 trillion annually by 2025.3”
Just one data breach or cyber incident can cause irreparable reputational harm for small to mid-sized businesses like insurance agencies. In some cases, the financial impact of a data breach can force companies to close their doors. According to an IBM report, data breach expenses often stem from lost business (an average cost of $1.59 million per breach), detection and escalation costs ($1.24 million), notification costs ($270,000) and post-breach response costs ($1.14 million).4
Cyber Attack Methods
When one thinks of a cyberattack, it’s easy to characterize the victims as large businesses with an online presence that regularly process payments.
“However, not only has Nationwide seen an increase in insurance agency attacks year over year but a recent report—X-Force Threat Intelligence Index 2022—determined that the finance and insurance industry was the second most targeted industry by cybercriminals in 2021.5”
This makes sense, as insurance agents obtain and handle financial and private data on behalf of their clients. To steal this data, cybercriminals will employ a variety of different attack methods, including but not limited to the following:
- Phishing — With traditional phishing attacks, hackers send fraudulent, malicious emails to as many people as possible. Attackers will customize phishing emails to make them appear trustworthy, sometimes using logos or look-alike sender addresses to improve the message’s apparent legitimacy. Often, phishers will pretend to be trusted sources, like hospitals, banks or employers. The phishing message will likely include language designed to fool victims into clicking a link, opening a document, installing software or entering their username and password. If a victim falls for a phishing email, the cybercriminal can infect their computer and steal sensitive information.
- Credential stuffing — These attacks occur when a malicious party takes a stolen username and password and tries it on various websites. In some cases, a hacker may purchase an individual’s username and password from the dark web. Then, assuming the individual uses the same password for multiple accounts, the hacker tests the stolen credentials across multiple platforms (e.g., banking or social media websites). In summary, cybercriminals use information from one account and can potentially access data from many different platforms.
- Unpatched vulnerabilities — Upon its release, computer software can have security issues stemming from bugs, bad code and similar problems. To address these types of concerns, software companies will often provide updates to patch known vulnerabilities in the software. However, before a software company issues a patch or an agency updates the software, hackers can exploit vulnerabilities to carry out cyberattacks.
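Credential stuffing leaves a recognizable footprint in authentication logs: one source address failing against many different usernames in a short time, with the occasional success where a reused password matched. The following detection routine is an added example written for this article, not code from the original page or from Nationwide; the log format, the IP addresses (from documentation ranges) and the usernames are constructed for the example, and the threshold of five distinct usernames in ten minutes is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not from any real system).
# Format assumed for the example: "<ISO timestamp> ip=<addr> user=<name> result=FAIL|SUCCESS"
SAMPLE_LOG = """\
2024-03-04T09:12:01Z ip=198.51.100.20 user=jsmith result=FAIL
2024-03-04T09:12:03Z ip=198.51.100.20 user=jsmith result=SUCCESS
2024-03-04T09:15:00Z ip=203.0.113.7 user=alice result=FAIL
2024-03-04T09:15:01Z ip=203.0.113.7 user=bob result=FAIL
2024-03-04T09:15:01Z ip=203.0.113.7 user=carol result=FAIL
2024-03-04T09:15:02Z ip=203.0.113.7 user=dave result=FAIL
2024-03-04T09:15:02Z ip=203.0.113.7 user=erin result=FAIL
2024-03-04T09:15:03Z ip=203.0.113.7 user=frank result=SUCCESS
2024-03-04T10:30:00Z ip=192.0.2.55 user=gina result=FAIL
2024-03-04T10:31:00Z ip=192.0.2.55 user=gina result=FAIL
2024-03-04T10:32:00Z ip=192.0.2.55 user=gina result=SUCCESS
"""


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_stuffing(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that failed against >= min_users distinct usernames
    inside any sliding time window of length `window`.

    Returns {ip: {"distinct_users": n, "compromised": [users that succeeded
    from that IP inside the same window]}}.  A single user failing repeatedly
    (192.0.2.55 above) is a forgotten password or a brute force, not stuffing,
    and is deliberately not flagged here.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            events[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            window_recs = recs[start:end + 1]
            failed_users = {r["user"] for r in window_recs if r["result"] == "FAIL"}
            if len(failed_users) >= min_users:
                succeeded = sorted({r["user"] for r in window_recs if r["result"] == "SUCCESS"})
                # Later windows are supersets of earlier ones here, so keep the latest.
                findings[ip] = {"distinct_users": len(failed_users), "compromised": succeeded}
    return findings


if __name__ == "__main__":
    for ip, detail in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {detail['distinct_users']} distinct users failed; "
              f"successful logins to review: {detail['compromised']}")
```

The accounts listed under `compromised` are the ones to force a password reset on and review for unauthorized activity; the flagged IP is a candidate for blocking or rate limiting at the login endpoint.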
Once cybercriminals are in the system, they can start to access information and deploy malware. Malware refers to viruses, worms, Trojan horses, spyware, adware, rootkits and other unwanted software or programs. Once installed on a device, malware can disrupt normal computing operations, collect information and control system resources. Malware programs are constantly evolving, making detection and prevention more difficult for business owners.
One particularly common and devastating type of malware is ransomware. Ransomware is malicious software that infects a computer and either prevents it from working as it should or prevents access to specific files until the user pays a ransom. Typically, the cybercriminals behind the ransomware demand payment in cryptocurrency, usually bitcoin, which is harder for law enforcement to trace than a conventional bank transfer (though blockchain payments are not untraceable). Businesses of all sizes and types can be targets of ransomware; it can infect personal computers and entire networks and servers.
As ransomware attacks become increasingly common, numerous types of ransomware techniques have also emerged. Specifically, double extortion ransomware attacks are now a potential cybersecurity concern for organizations across industry lines. This technique follows a similar protocol to that of a typical ransomware attack but comes with an added threat—the victim must pay a ransom not only to regain access to their technology and data but also to keep that data from being uploaded publicly online.
Double extortion ransomware attacks are particularly concerning, seeing as these incidents can further pressure organizations to comply with ransom demands in order to keep their data private. Paying offers no guarantee: the operator may still leak or sell the stolen data on the dark web after payment, and the agency’s breach notification obligations apply regardless of whether a ransom was paid.
Given the increased frequency and severity of cybercrime, it is imperative for insurance agencies to protect client data from cyberattacks. Complicating this duty, client data is often stored and managed through a singular location like an agency management system (AMS). An AMS helps independent agents manage customer data in one place, providing access to multiple carriers. Because these systems contain personally identifiable information (PII) and other sensitive data for agents’ clients, they are an especially attractive target for cybercriminals.
Thankfully, insurance agencies can take steps to address AMS vulnerabilities. When comparing AMS solutions, agencies should consider how individual users navigate them. For instance, an agency may want to restrict invoice access to accountants or bookkeepers. Or, they may only want certain staff members to see accounting reports. Limiting access in this way is essential because if an individual user is compromised in a cyberattack, the attacker gains exactly the access that user had. Granting each user only what their job requires (least privilege) ensures that one compromised account doesn’t expose all of the PII available in the AMS. In this vein, AMS access should be revoked promptly for users who no longer work at the company, and access should be reviewed periodically against the current staff roster.
When working with an AMS vendor, ensure authorization can be assigned at the menu level. Further, be sure that security permissions can be created and adjusted by job function.6
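A periodic access review is the check that makes the advice above enforceable: compare the AMS user export against the HR roster to find accounts that should have been revoked, and compare each user’s permissions against the baseline for their job function to find over-privileged accounts. The script below is an added example written for this article, not the original page’s or any AMS vendor’s code; the CSV layouts, usernames, permission names and role baseline are all constructed assumptions, and a real AMS export would need its column names mapped to these.

```python
import csv
import io

# Constructed sample exports (not from any real AMS or HR system).
AMS_USERS_CSV = """\
username,job_function,status,permissions
jsmith,agent,active,clients;policies
bkeeper,bookkeeper,active,clients;invoices;accounting_reports
tjones,agent,active,clients;policies;invoices;accounting_reports
mlee,agent,active,clients;policies
admin2,it_admin,active,clients;policies;invoices;accounting_reports;user_admin
"""

HR_ROSTER_CSV = """\
username,employment_status
jsmith,employed
bkeeper,employed
tjones,employed
mlee,terminated
admin2,employed
"""

# Least-privilege baseline per job function (assumed for the example):
# the maximum set of AMS permissions a role legitimately needs.
ROLE_BASELINE = {
    "agent": {"clients", "policies"},
    "bookkeeper": {"clients", "invoices", "accounting_reports"},
    "it_admin": {"clients", "policies", "invoices", "accounting_reports", "user_admin"},
}


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_access(ams_csv, hr_csv, baseline=ROLE_BASELINE):
    """Return a list of (username, issue, detail) tuples.

    Issues raised:
      stale_account      - AMS account is active but HR no longer lists the
                           person as employed (or does not list them at all)
      unknown_role       - job function has no baseline, so it cannot be checked
      excess_permissions - user holds permissions beyond their role's baseline
    """
    hr = {row["username"]: row["employment_status"] for row in load_csv(hr_csv)}
    findings = []
    for row in load_csv(ams_csv):
        user = row["username"]
        perms = set(filter(None, row["permissions"].split(";")))

        if row["status"] == "active" and hr.get(user) != "employed":
            findings.append((user, "stale_account", hr.get(user, "not in HR roster")))

        allowed = baseline.get(row["job_function"])
        if allowed is None:
            findings.append((user, "unknown_role", row["job_function"]))
        elif perms - allowed:
            findings.append((user, "excess_permissions", ",".join(sorted(perms - allowed))))
    return findings


if __name__ == "__main__":
    for user, issue, detail in review_access(AMS_USERS_CSV, HR_ROSTER_CSV):
        print(f"{user}: {issue} ({detail})")
```

Run against the sample data this reports `tjones` holding bookkeeping permissions an agent does not need and `mlee`, a terminated employee, still holding an active account. Both are exactly the conditions the paragraph above warns about, and both are easy to miss without a mechanical comparison.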
Once in place, data in the AMS should be encrypted both at rest and in transit, and access should only be granted through multifactor authentication (MFA). MFA adds a layer of security that protects against compromised credentials.
With MFA, users must prove their identity with something beyond a username and password: typically a one-time code generated by an authenticator app or hardware token, or a code delivered to an enrolled phone. Because an attacker who has phished or purchased a password usually does not control that second “factor,” the stolen password alone is not enough to log in. Codes sent by text message are weaker than app- or hardware-based factors, since phone numbers can be hijacked, but any second factor is a large improvement over none.
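The “unique security code” most authenticator apps produce is a time-based one-time password (TOTP, RFC 6238): an HMAC over the current 30-second time step, truncated to six digits, computed independently by the user’s app and by the server from a shared secret. The implementation below is an added example written for this article, not code from the original page or from any AMS vendor. The secret is the published RFC 6238 test key (so the expected codes can be checked against the standard), and the usernames and the one-step clock-skew allowance are assumptions; a production server would store one secret per user and would also rate-limit guesses.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test key: ASCII "12345678901234567890", base32 encoded.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the user's authenticator app computes."""
    return hotp(secret_b32, int(at_time) // step, digits)


class TotpVerifier:
    """Server side of the check.

    Accepts the current time step plus `skew` steps either side (clocks drift),
    compares in constant time, and records the highest step accepted per user
    so that a code captured by a phisher cannot be replayed inside its window.
    """

    def __init__(self, secret_b32, step=30, skew=1):
        self.secret = secret_b32
        self.step = step
        self.skew = skew
        self.last_accepted_step = {}  # username -> highest step already used

    def verify(self, username, code, now=None):
        now = int(time.time() if now is None else now)
        current = now // self.step
        for delta in range(-self.skew, self.skew + 1):
            step = current + delta
            if step <= self.last_accepted_step.get(username, -1):
                continue  # already used, or older than a code already used: reject replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step[username] = step
                return True
        return False


if __name__ == "__main__":
    print("code at T=59:", totp(TEST_SECRET, 59))
    v = TotpVerifier(TEST_SECRET)
    print("first use accepted:", v.verify("alice", totp(TEST_SECRET, 59), now=59))
    print("replay accepted:", v.verify("alice", totp(TEST_SECRET, 59), now=61))
```

The replay check is the part most home-grown implementations forget: without it, a phishing page that relays the victim’s code to the real site within the same 30-second step succeeds, and so does a second login by the attacker with the same code moments later.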
Cybersecurity best practices
When it comes to protecting customer and client data, cybersecurity protocols must be carefully scrutinized. Doing so instills confidence that PII is safe when it’s handled by the insurance agency or a third-party provider. In particular, insurance agencies should consider the following:
Through encryption, information is encoded in such a way that it is scrambled and can only be read by someone who has the proper encryption key. When handling data or selecting a software vendor, it’s important to consider how encryption will be used to safeguard sensitive information. When data is properly encrypted within a system, cybercriminals can’t read it even when they intercept it in an attack.7
Data classification and handling PII
When handling PII, insurance agencies need to consider what types of personal information they collect, where it is stored and who has access to it. This is data classification and handling. It is particularly important when it comes to privacy laws, as handling certain types of information can leave the agency open to regulatory action should they be compromised in a data breach. Noncompliance with data breach and privacy laws can have significant ramifications, and penalties can be incurred in the form of:8
- Civil penalties per individual affected and/or per breach
- Penalties related to economic damages
- Penalties related to state-specific deceptive trade practices laws or as prescribed by a state attorney general
Note that the law that applies is generally that of the jurisdiction of the person whose data was breached, so an agency with clients in several states can be subject to several states’ notification and penalty regimes at once.
If that weren’t enough, an insurance agency could be required to pay other costs as a result of the hold harmless and indemnification sections of agency/carrier agreements. Some examples include but are not limited to investigation costs, notification costs, and defense and liability costs.
As a result of these potential damages, insurance agencies must take strides to encrypt and protect PII, including Social Security numbers, driver’s license numbers, debit and credit card information, bank and financial account information, and protected health information.
Insurance agencies will need to make determinations regarding the management of certain types of PII and, in some cases, may decide not to handle specific personal data (e.g., bank information) themselves. However, transferring data handling to a third party may not absolve agencies of liability. Additionally, it’s worth noting that access to sensitive data should be limited to individuals who need to use it as part of their job.9
Secure device management and patching vulnerabilities
Insurance agents need to be cautious when it comes to the use of personal computers and mobile devices. Notably, any device that can access agency applications must be password protected and should have its storage encrypted, since a lock screen alone does not stop someone who removes the drive from a lost laptop. Additionally, if a device is lost or stolen, agencies should have the ability to wipe data remotely. It’s also important to have trusted antivirus and antispyware programs installed on company devices. These programs should be set to perform scans on a regular basis for unwanted and harmful programs.
It’s critical for insurance agencies to update company software as soon as new updates are released. In doing so, security vulnerabilities that cybercriminals rely on are patched, which helps businesses avoid becoming an easy target.
When working with a third-party vendor, it’s critical to vet their cybersecurity practices. At a minimum, insurance agencies should confirm that the vendor can send and receive data securely. It’s also crucial to ask for a System and Organization Controls (SOC 2) report. A SOC 2 report is an independent auditor’s assessment of a service provider’s controls for security, availability, processing integrity, confidentiality and privacy (controls over financial reporting are the subject of the separate SOC 1 report). A Type II report, which covers how the controls operated over a period of months, is more informative than a Type I, which only describes their design at a point in time.10
Insurance agencies will also want to confirm that the third parties they work with have cyber insurance in place. This is particularly valuable considering that, in order to place cyber coverage, many insurers require businesses to have a cyber assessment done. In some cases, vendors may be able to provide a copy of this assessment upon request.
If a cyber assessment is unavailable, cybersecurity vendors may be able to provide you with a questionnaire you can give to prospective vendors to determine the security policies they have in place.
Cybercriminals often use email to carry out phishing scams or even distribute malware and ransomware. Insurance agents should be mindful of incoming emails and avoid clicking on links or attachments from untrusted sources. In general, it’s good to be overly cautious of suspicious emails, especially those that:
- Come from unrecognized senders
- Ask to confirm personal or financial information
- Aren’t personalized
- Are vague
- Include threatening, frightening and persuasive language
When receiving potential phishing emails, it’s crucial to report them to the proper company employee (e.g., a senior member of the IT department).
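Several of the warning signs listed above can be checked mechanically before a message reaches an agent, or when one is reported. The triage routine below is an added example written for this article, not code from the original page or from Nationwide. The sample message, its sender and link domains (all in reserved `.example` names and documentation IP ranges) and the keyword lists are constructed for the example. It reads the `Authentication-Results` header that the receiving mail server writes when it checks SPF, DKIM and DMARC; only the header added by your own mail server should be trusted, since a sender can insert a fake one.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed phishing sample (not a real message). The Authentication-Results
# header is assumed to have been written by the agency's own mail server.
SAMPLE_EML = """\
From: "First Example Bank Security" <alerts@firstexamplebank-verify.example>
Reply-To: recover@mail-helpdesk.example
To: agent@agency.example
Subject: URGENT: confirm your account within 24 hours
Authentication-Results: mx.agency.example; spf=fail smtp.mailfrom=firstexamplebank-verify.example; dkim=none; dmarc=fail
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Your account will be suspended unless you verify your details immediately.</p>
<p><a href="http://198.51.100.33/login">https://www.firstexamplebank.example/login</a></p>
</body></html>
"""

URGENCY = re.compile(r"\b(urgent|immediately|suspended|within 24 hours|verify)\b", re.I)
GENERIC_GREETING = re.compile(r"dear (customer|user|client|member)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr_header):
    return parseaddr(addr_header)[1].rsplit("@", 1)[-1].lower()


def host_of(url):
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].lower()


def triage(raw_message):
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    indicators = []

    # 1. Sender authentication results recorded by our own mail server.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            indicators.append(f"{mech}_{m.group(1)}")

    # 2. Replies routed to a different domain than the apparent sender.
    from_domain = domain_of(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        indicators.append("reply_to_domain_mismatch")

    # 3. Links whose visible text names one host but whose target is another, or a bare IP.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if re.match(r"https?://", text, re.I) and host_of(text) != host_of(href):
            indicators.append("link_text_host_mismatch")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host_of(href)):
            indicators.append("link_to_raw_ip")

    # 4. The wording cues from the list above: impersonal greeting, pressure language.
    text_only = re.sub(r"<[^>]+>", " ", body)
    if GENERIC_GREETING.search(text_only):
        indicators.append("generic_greeting")
    if len(URGENCY.findall(msg.get("Subject", "") + " " + text_only)) >= 2:
        indicators.append("urgency_language")
    return indicators


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

None of these indicators is conclusive on its own (a legitimate newsletter can fail DKIM after forwarding), but a message that trips several at once should be quarantined and reported rather than opened, and the link-text mismatch in particular is something a user cannot see without hovering over the link.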
Ongoing password management can help prevent attackers from compromising an organization’s password-protected information. Insurance agencies will want to adopt a written password policy. Current guidance (NIST SP 800-63B) favors long passphrases over forced special characters, requires a password to be changed when there is evidence of compromise rather than on a fixed calendar schedule, screens new passwords against lists of known-breached passwords, and requires a different password for every account, which is the control that defeats the credential stuffing attacks described earlier. A password manager makes unique, long passwords practical for staff.
Even the most robust and expensive data protection solutions can be compromised if an employee clicks a malicious link or downloads fraudulent software. As such, it’s critical for organizations to thoroughly train personnel on common cyberthreats and how to respond. Employees should also know the cybersecurity policies and know how to report suspicious activity.
Cyber liability insurance
When cyberattacks occur, they can result in business disruptions, lost revenue and litigation. The coverage provided in standard general liability policies is sometimes not enough to protect a business from cyber exposures. As a result, cyber liability insurance has become an important consideration for any risk management program. Cyber liability insurance policies are tailored to meet a company’s specific needs and can offer a number of important benefits. While specific protections depend on the policy language, cyber liability insurance can offer data breach coverage, business interruption loss reimbursement, cyber extortion defense, forensic support and legal support.
Nationwide’s cyber defense team monitors the dark web for potential activity involving Nationwide policyholders. This occasionally leads to agency information found on the dark web. When Nationwide identifies a potential breach at an agency, sales managers will reach out. Beyond reporting possible compromises, Nationwide is committed to ensuring a cyber-safe environment while providing solutions to meet your needs.