Risk from cyber attackers — criminal, government-sponsored or recreational — has certainly not escaped most of us in the quiet corners of the insurance marketplace, but few seem aware that because of the increasing sophistication of these attackers, danger may lie in unexpected places.
Most of us realize that malware can be downloaded to our computing devices — portable or desktop — via spam or faked emails from supposedly reliable companies or even friends. Now, however, there is a newer threat. With the advent of the cloud and online services and file sharing sites, cyber attackers are now using such sites to bypass traditional security and steal information. Dark Reading, a data security newsletter, reported that in one case, malware compromised the systems of six employees at a company and created bogus accounts for the employees on a cloud service. From there, the attackers were able to use the individuals’ accounts to upload and download data as they chose. Of course, traffic going to and from a legitimate online service seemed harmless, so no alarm bells were likely to go off when the data transfers took place.
Dark Reading said this type of attack, known as advance persistent threats (APTs) is increasingly being used to gain access to confidential information — information of the type that is commonly in the hands of insurance companies, brokers and agents. In addition, the newsletter said, hackers are continuing to improve their methods, making them more effective and harder to detect.
Just how serious is this trend? Symantec, in its 2013 Internet Security Threat Report, stated that of the Top 10 industries attacked in 2012, “finance, insurance, and real estate” ranked No. 2, accounting for 19 percent of the recorded attacks. Only “manufacturing,” at 24 percent, ranked higher. And while about half of the attacks occurred at companies with 2,501-plus employees, a surprising number (31 percent) were aimed at companies with between 1 and 250 employees (an increase from 18 percent in the firm’s 2011 report).
It would seem that size of organization is a somewhat less important factor than, perhaps, its ability to fend off attacks — which may be weaker in smaller companies that generally have fewer resources.
The 2013 Symantec report also stated that, “At 36 percent, the health care industry continues to be the sector responsible for the largest percentage of disclosed data breaches by industry.”
With the insurance industry closely tied to nearly every facet of health care, it seems its profile as a target for hacking activity has grown quite significantly.
Interestingly, a number of insurance industry surveys show that data security is not among the top-of-mind concerns for most insurers and others in the industry.
Difficult as it is to contemplate, however, we are increasingly involved in a pitched battle to protect our systems and our precious confidential data from theft and/or harm. To ignore this wolf at the door — who grows fatter and more vicious with each passing day — would be foolishness.
And yet, our time and attention are focused on more immediate concerns of competitive positioning and customer attraction and retention. Insurers, brokers and agents of all sizes would be well advised to devote more time and financial resources to data and systems security.
We operate on an assumption of trust from our policyholders; a major data breach could easily destroy that trust.