Did you know that cyber insurance is a double-edged sword? While cyber insurance helps businesses cover the financial losses resulting from cyber incidents, it may also be driving the surge in ransomware attacks on insurance companies.
“Ransomware attackers [are] targeting cyber insurance providers directly, either to obtain reconnaissance information on their cyber policyholders or to punish them for non-cooperation,” Paul Prudhomme, head of Threat Intelligence Advisory of cybersecurity firm Rapid7, tells DigitalEdge Singapore.
“Cyber insurance providers possess confidential information that could be highly valuable to ransomware attackers, such as the identities of cyber policyholders, the maximum amounts of their ransom payment coverage and the security requirements of their cyber insurance policies,” he adds.
By having that information, ransomware operators can calculate an optimal ransom amount that is high enough to maximise profit but low enough for victims to accept. Knowledge of the security standards that cyber insurers require their customers to fulfil also helps attackers craft their techniques to evade victims’ security measures, according to Rapid7’s 2022 Insurance Industry Cyber Threat Landscape Report.
Insurers are also an attractive target for bad actors as the personally identifiable information (PII) on their retail business-to-consumer policyholders can be used for identity theft or other forms of fraud.
Prudhomme shares that in January 2021, security researchers from IntSights (now known as Rapid7) discovered that a Chinese-speaking criminal with the username “Rebecca” was selling access to records from Chinese auto insurance companies, auto dealership service shops, and traffic management offices for US$3 each. The records included names, phone numbers, street addresses, drivers’ license numbers, identification card numbers, license plate numbers, and vehicle identification numbers.
Moreover, collecting PII can help attackers put more pressure on enterprise victims to pay a ransom, given the potential of losing customer confidence and the possible legal or regulatory implications of exposing customer or employee data.
Prudhomme explains that “ransomware attackers often conduct additional malicious activities, such as collecting confidential data, before deploying ransomware payloads and encrypting files”. This allows them to add another layer of extortion, wherein they threaten to release that sensitive data on the dark web for further misuse by other criminals.
Cloud and lack of talent exacerbate cybersecurity issues
Apart from the increasing volume and sophistication of cyber threats, many organisations, including insurers, are vulnerable to cyber attacks as cybersecurity is not baked into their operations.
“For many, security is still approached as an independent foundational layer rather than including it as a critical function in their IT development and operations. As organisations adopt new technologies, it is vital that they adopt a security-first architecture,” says Arvind Swami, director for FSI at Red Hat.
Additionally, IDC Financial Insights research found that about 30% of organisations in Asia Pacific suffer from a lack of skills to ensure reliable and secure cloud services. “With more and more insurance companies moving to the cloud as they digitally transform their business, the security skills shortage across the region calls for a rethinking of cloud security measures,” says Swami.
He continues: “There are also new and different security tools that must be purchased for the cloud, in addition to the significant investments already made in legacy security. Current security platform decisions need to be future-ready and cloud-scalable, which means that all cloud applications and workloads in the cloud should have the same controls and security levels as mature legacy systems.
“[In short,] as insurers leverage new technology and open their systems to the wider ecosystem as part of their digital transformation journey, it can potentially expose them to third-party risk and increase their threat surface if the digitisation process is not handled properly.”
Building robust defences
What can insurers do to improve their cyber defence and be prepared for cyber threats? The first step is to get up to speed on current and predicted cyber threat trends that can impact their organisation.
“Understanding what threats their organisation can potentially face, the severity of those threats and the desirability of existing company data and assets for cybercriminals are key to building an effective cybersecurity strategy. By putting in place a system to consistently monitor threats across the industry and using this data to predict potential threats, insurers will be better equipped to mitigate their risks,” says Swami.
He adds: “Next, they need to evaluate the effectiveness of current cybersecurity measures against the existing cyber threat landscape and determine how their strategy and roadmaps need to be updated and improved to protect themselves. There is no one-size-fits-all solution to cybersecurity, and each insurer must find a solution catered to their needs.”
For instance, when AIA embarked on its cloud-first programme, it leveraged the Red Hat Ansible Automation Platform as a key component of its infrastructure provisioning automation pipeline. This helped ensure all its provisioned infrastructure was compliant with security standards and that all of the security agents were deployed and ready before use by application teams. As such, AIA was able to reduce the technology and information security risks throughout its application portfolio, shares Swami.
Additionally, insurers should have robust defences against cyber threats, particularly ransomware. One way of doing so, says Prudhomme, is by disabling any remote access services that they no longer need while requiring two-factor authentication (2FA) for those that are still needed. “2FA implementations should use mobile authenticator apps, rather than SMS, which is vulnerable to SIM swapping attacks.”
He also advises insurers to ensure that virtual private network (VPN) software installations receive regular security updates, as attackers can exploit VPN software vulnerabilities to gain remote access.
Besides that, Prudhomme warns against paying a ransom as it can fuel the ransomware economy.
“[Instead,] a system of frequent, redundant, and segmented backups is the best defence against the encryption of files for ransom. The segmentation and encryption of sensitive data sets can also provide another layer of protection against the threat of data disclosure extortion,” says Paul Prudhomme, head of Threat Intelligence Advisory of Rapid7.
As insurers increasingly embed their offerings into lifestyle and business services to provide more convenience to customers, it may open additional avenues for cyber attacks. Case in point: The ransomware attack that AXA experienced in May 2021 was believed to have originated from a third-party vendor in Thailand.
“Insurers should [therefore] have third-party risk programmes with which to defend themselves against threats to their infrastructure and data via vendors, customers, and other partners,” suggests Prudhomme.
The need for a security culture
Having a security culture is also crucial. “All of the tools in the world won’t help if they lack a culture of cross-collaboration across teams and a practice of viewing security as a process,” says Swami.
Ronak Shah, president of the General Insurance Association (GIA) of Singapore, concurs. “It is important to cultivate a security-conscious culture across all levels and departments as cyberattacks are no longer a question of ‘if’ but ‘when’. Cybersecurity is no longer the sole responsibility of the firm’s cyber specialists; it is everyone’s job so that we’re not only reducing external threats, but also internal threats such as human error or employee negligence,” he says.
He adds: “A worrying statistic is the fact that internal risks like employee negligence remain the weakest link in any business security framework. Developing a more holistic approach to security management across the entire organisation will help minimise an insurer’s digital transformation loopholes to prevent further exploitation by cybercriminals.”
To help insurers strengthen their cyber defence capabilities, says Shah, GIA has been advocating for greater public-private and cross-sector collaboration to build a more comprehensive understanding of cyber risks and provide valuable cyber propositions to protect vulnerable businesses.