Insurance Companies: A “Tasty Morsel” to Cyber Criminals

Yes, this is one of the tastiest morsels…to hack the insurers first—to get their customer base and work in a targeted way from there.”
-Unknown Cybercriminal from the REvil group in a March 16^th, 2021 interview.

And feast on insurance morsels, cyber criminals have! Insurance is the fourth-most attacked economic sector. Headlines of hacks haven’t been hard to find:

• Insurance company CNA suffered a ransomware attack where they reportedly paid $40 million in ransom in March 2021.
• In February 2022, Insurance giant Aon suffered a cyber-attack. No details have been released as the company is in the early stages of assessing the incident, but several systems were compromised.
• Last summer a cyber-attack was carried out at a small insurance agency in Illinois. The damage? $6.85 million in losses.

The biggest reason the insurance industry has a target on its back?  Their reliance on third parties within their business model.    

Most insurance carriers, for example, utilize independent agents to sell and write policies across various lines of business. Though these agents often need the same privileged access as carrier employees, they are, in fact, still external third parties (non-employees).

Another example is the dependence on high-volume call centers to assist with a wide variety of business practices, including validating documents, communicating policy details directly with clients, updating personal customer information, inputting policy changes, and more. All these tasks require that hundreds of non-employees have access to the carrier’s sensitive and valuable customer information.

A carrier’s greatest risk of a breach comes from the “insider threat.”

Hundreds (or thousands) of agents and other third-party workers processing and accessing sensitive client information daily creates a substantial attack surface for bad actors. It only takes one unknown identity for your entire agency to be exposed to a serious breach. According to an Opus and Ponemon study, 59% of companies said they have experienced a data breach caused by one of their vendors or third parties. Alarmingly, these are breaches that have occurred because the company granted privileged access to their sensitive information.

Ensuring client information is handled in the safest and most secure manner remains one of the most critical responsibilities and challenges insurance carriers, their agents, and their vendors face.

Luckily, insurance companies do have resources at their disposal that’ll make them less appetizing to cybercriminals. SecZetta’s non-employee identity and risk solution is uniquely suited to support the needs of carriers struggling with providing large populations of independent agents with appropriate and time-specific access to their systems.

Download the Insurance Carrier White Paper for details on the ongoing non-employee identity and risk challenges that carriers are facing, as well as how SecZetta can improve operational efficiency, reduce costs, and decrease the cyber risks for carriers and the agencies and agents they support.

SecZetta provides third-party identity lifecycle management solutions that are easy-to-use, and purpose-built to help insurance organizations automate risk-based identity lifecycle management processes for non-employee populations.

You can tour SecZetta’s comprehensive capabilities for yourself by clicking here or by scheduling a demo.