Even with advances in technology that can recreate people’s faces and voices, the insurance industry finds itself at the mercy of unscrupulous criminals.

At the risk of sounding cliché: It’s only a matter of time before your insurance business or your clients become victims of a cyberattack.

Read through the full article here: https://www.propertycasualty360.com/2020/12/14/insurance-under-fire-deepfakes-and-cyberattacks-run-rampant/ 

Remote workers create opportunity

Additionally, with the advent of remote workforces, cybersecurity becomes the most important asset any insurance company could have. While the exact size of the American remote workforce is debatable, before the COVID-19 virus, 3.6% of the workforce, or approximately 5 million people, were remote, according to Willis Towers Watson. By the end of 2021, that number is expected to reach 42 million employees — an increase of 733%.

The actual number of remote workers is unimportant. What is important is the indisputable fact that the move to a remote workforce has left insurance companies more susceptible to cyberattacks than at any other point in history.

Cyberattacks kill revenues

MonsterCloud, the cybersecurity platform provider, says there have been an estimated 4,000 cyberattacks in the United States every day since the pandemic started. These cyberattacks have resulted in major breaches of confidential data. The inevitable consequence is an erosion of trust and customer loyalty — ergo, a direct hit to insurance companies’ bottom line. This also translates into a downward spiral for the U.S. economy as all areas are affected — from the Consumer Confidence Index (CCI) to Wall Street indices.

The insurance industry has seen a major rise in Business Email Compromise (BEC) and advancement in social engineering techniques, such as spear phishing (sending emails that appear to come from a known or trusted sender). According to the FBI, there are generally six types of BEC:

  • Scams;
  • Bogus invoice schemes;
  • C-level impersonation;
  • Account takeover;
  • Attorney impersonation; and
  • Data theft.

Sitting ducks

One worrying factor is that these messages don’t contain attachments or links that would activate malware. Rather, their biggest weapon is the recipient’s normalcy bias and lack of security awareness. Additionally, the message arrives with a sense of urgency, pressing the recipient to act expeditiously.

As the insurance-industry workforce relies less on face-to-face communication and increasingly depends on digital communications, what’s to stop a cybercriminal from sending a video recreating an insurance company’s CEO and directing employees with false instructions? Or a cybercriminal from impersonating an insurance broker and gathering personal information from a client?

The answer: nothing.

That’s because cybercriminals are well aware that insurance companies possess a trove of customers’ personal and financial information. To make matters worse, it doesn’t even have to be existing customers; these bad actors can target potential customers who reach out to insurance companies for a quote. This puts scammers and fraudsters in an ideal position to steal customers’ identities.

Compounding the problem is the latest form of cyberattack: the deepfake.

Deepfakes can take the form of video, audio and photo artifacts. They work by leveraging deep learning (a form of machine learning) and artificial intelligence to create, edit, or modify content in such a way that it appears to be genuine. The intention is to deceive the consumer and obfuscate the truth.

What’s the solution?

There are a number of things that insurance-company employees can do to protect themselves against these kinds of attacks. Here are three of them:

  • If your insurance organization/company has not done so already, enable and integrate single sign-on and multi-factor authentication for your critical applications and services. Review how your organization provisions and deprovisions its users.
  • Ensure that your organization has a robust password policy, one that is not so obtrusive that it is rendered ineffective but not so permissive that it is easy to nullify. Get into the habit of continuously reviewing your policies and guidelines to ensure that they match your organization’s culture and users.
  • Establish protocols for urgent ad-hoc requests, perhaps requiring approval from two key approvers before a request is successfully processed. Consider out-of-band channel communications and utilizing a shared secret/passcode to validate the authenticity of the individual on the other end.

There is no denying that cybercrime is the greatest threat any company faces in these digital times. The reality that hackers are targeting the insurance industry is worrisome and a burden to insurance companies. But this does not have to be an onerous burden. There are avenues any company can explore so as to safeguard itself against these attacks.

“Eternal vigilance is the price of liberty,” Thomas Jefferson said. That saying applies perfectly to this challenge. The insurance industry must be vigilant and proactive against growing cyber threats.

Marivi Stuchinsky, Global CTO
December 14, 2020