Should the insurance world be worried about cybercrime?

Posted on

Is there a chance that your company might one day be at the centre of a major cyber attack? A decade or so ago, this probably wouldn't be a question you'd spend very much of your time thinking about. Today, though, things are different: high-profile data breaches are practically a monthly occurrence, and organisations in a wide range of industries are proving themselves susceptible.

They haven't been evenly distributed, of course. Most of the biggest cyber attacks of the past year and a half were targeted at North American retailers, with Target and Home Depot perhaps the two most infamous examples. The Sony Pictures hack of November 2014 was also well publicised. Insurance firms, however, seemed to be out of the firing line – until earlier this year.

Anthem, one of the biggest US health insurance providers, reported back in February that hackers had accessed and exposed personally identifiable information on around 80 million of its customers. This made for what the New York Times called "by far the largest breach in the industry" to date. Claims data turned out not to have been compromised, but the victims' medical identification numbers, social security numbers, home addresses and email addresses were all grabbed and later flogged on online black markets.

To the uninitiated, it might come across as odd that hackers would have much interest in this information. Compare with credit and debit card numbers, for instance, which can actually be used to carry out fraudulent transactions. 

This is a misconception, however. According to security experts interviewed in the New York Times report, cyber attacks that target personal information – and, in particular, medical records – are on the rise because the data represents a veritable treasure trove of fraud opportunities.

One researcher said that records of the kind stolen from Anthem have been known to fetch as much as $251 (£160) in black market auctions. In comparison, credit card numbers sell for about 33 cents.

What should insurers do to defend their data?

So, how can insurance firms keep their customers' data hidden from prying eyes and out of the hands of hackers? It's a tough one, because a lot of insurers are still storing their data in aging and siloed legacy systems – and, in some cases, bulging manilla folders. For obvious reasons, this combination of old-school architecture and duplicated information isn't the best starting point for world-class data security.

In the aftermath of the Anthem breach, the New York Department of Financial Services conducted a study of some US health insurance providers to establish some of their data protection must-haves. One of these was identified as encryption: while organisations in the States are required by law to encrypt medical records, insurers sometimes fail to do the same with their non-medical data. This was the case with Anthem, according to one executive.

Another important risk for insurance firms to address is that of third-party access to their systems. Insurers work with a lot of intermediaries, such as brokers and agents, and recent cyber attacks have shown that this kind of remote connectivity is extremely attractive to hackers armed with stolen usernames and passwords. Possible countermeasures include multi-factor authentication, as well as strong authorisation controls to prevent third parties from getting wider access than they actually require.

With the costs associated with data breaches on the rise – $363 per medical record, according to the latest data from the Ponemon Institute – it's critical for insurance firms to act sooner rather than later to defend their customers' information. Would your company withstand a cyber attack?

« Back to News and Opinion