Cybersecurity in the Insurance Industry

With its huge store of personally identifiable information (PII) about policyholders, the insurance industry has become an enticing target for cyber crime. Data breaches at insurance companies over the last few years have exposed the personal information of over 100 million people. 

An infamous data breach at health insurer Anthem, Inc. is indicative of the nature of these attacks. Anthem disclosed on February 4, 2015, that attackers had broken into its servers and accessed roughly 80 million records containing policyholder information such as names, addresses, Social Security numbers, and medical ID numbers: personal information that cyber criminals can use for identity theft (opening or draining bank accounts and credit cards) or to commit health insurance fraud.

How Cybercriminals Attack

Cybercriminals use various types of malware to attack insurance companies, such as ransomware, which encrypts a company's data and blocks access to its systems until a ransom is paid. Trojans such as Emotet and TrickBot, which began as banking malware built to steal online banking credentials and now serve mainly as loaders that deliver ransomware, are a growing threat to insurance companies.

Phishing attacks, too, are often used to gain unauthorized access to an insurance company's information. Phishing is a fraudulent attempt to trick users into disclosing confidential information or credentials, typically by luring them to click a link in an email or to respond to a text message or phone call. In one recent case, a phishing attack on Pacific Specialty Insurance Company, an automotive and home insurance provider, captured employee email account credentials, and the compromised mailboxes exposed names, Social Security numbers, government-issued identification numbers, financial data, and health insurance information.

Spear phishing attacks that target a specific individual in an insurance company are growing especially fast. Often the attack takes the form of impersonation, commonly called business email compromise (BEC): an email claiming to be from a company executive asks an employee in the finance department to wire money to an account that the attacker then drains.
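The impersonation pattern just described can be caught at the mail gateway by a few header checks. The following is an added example written for this page, not FirmGuardian's tooling; the company domain, executive list, and sample messages are constructed assumptions. It flags an executive's display name paired with an address other than that executive's real one, a lookalike sender domain (within two character edits of the real one), and a Reply-To that diverges from From, the three hallmarks of the wire-transfer scam above.

```python
import re
from email.utils import parseaddr

# Constructed configuration for a hypothetical insurer "Example Mutual".
# The domain and executive directory are assumptions, not from the page.
COMPANY_DOMAIN = "examplemutual.com"
EXECUTIVES = {
    "jane doe": "jane.doe@examplemutual.com",   # CEO
    "raj patel": "raj.patel@examplemutual.com",  # CFO
}


def _normalize_name(name):
    """Lower-case and strip punctuation so 'Doe, Jane' and 'jane doe' compare equal-ish."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_message(headers):
    """Return a list of BEC indicators found in a message's headers.

    headers: dict with at least 'From'; 'Reply-To' is optional.
    An empty list means no impersonation indicators were found.
    """
    findings = []
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Display name of a known executive on an address that is not theirs.
    name = _normalize_name(display)
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append("display-name impersonation of %r from %s" % (display, addr))

    # 2. Sender domain is a near-miss of the corporate domain (e.g. l -> 1).
    if domain and domain != COMPANY_DOMAIN and _edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike domain %s" % domain)

    # 3. Replies silently routed to a different mailbox than the visible sender.
    reply_to = parseaddr(headers.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append("Reply-To %s differs from From %s" % (reply_to, addr))

    return findings


# Constructed sample headers: one legitimate message, two spear-phishing attempts.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@examplemutual.com>"},
    {"From": "Jane Doe <jane.doe@examplemutua1.com>",
     "Reply-To": "ceo.urgent.wire@gmail.com"},
    {"From": "Raj Patel <raj.patel@gmail.com>"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", classify_message(msg) or "clean")
```

In production the executive directory would come from the identity provider rather than a literal, and these checks sit alongside SPF/DKIM/DMARC evaluation rather than replacing it; a message that passes DMARC for the corporate domain cannot trigger finding 1 or 2, which is the point of enforcing DMARC in the first place.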

But you don’t have to be a cyber criminal to pose a security threat. Inadvertent disclosure of sensitive information is a major problem faced by insurance companies. In 2019, First American Financial Corp., a real estate title insurance company, was found to have exposed more than 800 million personal and financial records on its website: documents were reachable by a sequential record number in the URL, with no check that the visitor was entitled to see them. The leaked records included Social Security numbers, bank account numbers, mortgage and tax records, wire transaction receipts, and driver’s license images. This sort of negligence can put an insurance company’s clients at risk and also damage the company’s reputation.
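The First American exposure was publicly reported to work exactly like the first half of the following added example: documents keyed by a guessable sequential number and handed to whoever asks. This code is written for this page and is not FirmGuardian's or First American's; the document store, account names and contents are constructed. The vulnerable fetch is paired with the hardened version a practitioner would want: an opaque random handle plus an ownership check tied to the authenticated user, with the same "not found" response for missing and forbidden records so an attacker cannot use the error to enumerate the ID space.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Document:
    owner: str      # account entitled to read the record
    contents: str   # e.g. a wire receipt or a driver's license scan


# Constructed sample store for a hypothetical title insurer: three customers'
# closing documents keyed by a sequential record number.
SEQUENTIAL_STORE = {
    1001: Document("alice", "wire transaction receipt, closing #4471"),
    1002: Document("bob",   "driver's license image"),
    1003: Document("carol", "2018 tax record"),
}


def fetch_document_vulnerable(doc_id):
    """Insecure direct object reference: no caller identity, no authorization."""
    doc = SEQUENTIAL_STORE.get(doc_id)
    return doc.contents if doc else None


def enumerate_vulnerable(start, count):
    """What an attacker does against the vulnerable endpoint: walk the ID space."""
    hits = []
    for doc_id in range(start, start + count):
        contents = fetch_document_vulnerable(doc_id)
        if contents is not None:
            hits.append((doc_id, contents))
    return hits


class SecureStore:
    """Hardened design: unguessable handles and a per-request ownership check."""

    def __init__(self):
        self._docs = {}

    def add(self, doc):
        # 128 bits of randomness: the handle cannot be enumerated or predicted.
        handle = secrets.token_urlsafe(16)
        self._docs[handle] = doc
        return handle

    def fetch(self, requesting_user, handle):
        # The authenticated principal comes from the session, never from the URL.
        doc = self._docs.get(handle)
        if doc is None or doc.owner != requesting_user:
            # Identical failure for "missing" and "not yours" leaves no oracle.
            raise PermissionError("not found")
        return doc.contents


def demo():
    """Show the two designs side by side; returns (leaked_count, denied)."""
    leaked = enumerate_vulnerable(1000, 10)          # attacker sweeps 1000..1009
    store = SecureStore()
    handles = {d.owner: store.add(d) for d in SEQUENTIAL_STORE.values()}
    try:
        store.fetch("mallory", handles["alice"])       # wrong user, valid handle
        denied = False
    except PermissionError:
        denied = True
    return len(leaked), denied


if __name__ == "__main__":
    print("records leaked by ID sweep: %d, cross-user read denied: %s" % demo())
```

The random handle alone is not the fix; it only removes enumeration. The ownership check in `fetch` is what actually prevents one customer from reading another's closing documents if a handle ever leaks through a log, a browser history or a forwarded email.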

Protecting Against Cyber Threats

Here are some things insurance companies should do to protect their systems and data from cyber threats:

  1. Do a risk assessment. A risk assessment determines what data and systems need to be protected and the threat of exposure. A risk assessment should cover:

    • Where and how sensitive information is stored, who uses it, and how it is used 

    • How email is used

    • How data is remotely accessed

    • What approaches are used to protect information

    • When and where mobile devices are used

  2. Create a comprehensive security plan (and test it).  A comprehensive security plan should address security vulnerabilities and specify approaches to protect against and recover from security breaches. It should not only protect an insurance company’s vital data from hackers and cyber criminals, but also protect against inadvertent data exposure from insiders.  And the plan needs to be tested to verify that it works well.

  3. Implement defense in depth. A strong defense against cybersecurity threats layers a mix of proactive and reactive technologies. One such layer is endpoint detection and response (EDR), which continuously monitors endpoints and responds rapidly to threats. However, an EDR product on its own can be complex to operate, producing large volumes of telemetry and alerts, and the automated analytics many EDR products rely on sometimes miss key information. A better approach is managed EDR, which combines 24/7 threat monitoring, incident response, and alert filtering. Managed EDR provides deeper investigation, analysis, and validation of threats than unmanaged EDR through a combination of advanced analytics, threat intelligence, forensic data collection, and human expertise.

  4. Establish a security culture. A good security program needs to include training policies that educate personnel about the company’s security policies and plans and heighten their security awareness. Employees who are vigilant and motivated to protect sensitive information are the most valuable armor in the defense against cyber security threats. An important facet of security awareness training is simulated attacks that mimic malicious social engineering approaches such as phishing and spear phishing designed to trick employees into divulging sensitive information.

  5. Take advantage of security services. The growing volume and sophistication of cyber attacks make it difficult for insurance companies and their IT departments to devote the time and attention needed to counter these threats. It is therefore important to use service providers who have the expertise to develop and implement security plans.

How FirmGuardian Can Help

FirmGuardian can assist your insurance company and IT team in every facet of a cyber security program, including: 

  • Identifying and reporting cyber security vulnerabilities 

  • Developing remediation strategies that mitigate against cyber security risk

  • Ensuring that appropriate cyber security policies and controls are in place 

  • Implementing robust incident response approaches that limit the impact of cyber security breaches 

  • Creating comprehensive security awareness training programs that empower employees to be the first line of defense against cyber crime


And FirmGuardian works hand-in-hand with your company’s IT team to protect vital data and computer systems by leveraging the technology you’ve already invested in. It assists your company in aligning with regulatory and industry requirements such as FINRA rules, HIPAA, PCI DSS, and the NYDFS Cybersecurity Regulation (23 NYCRR 500).