When asked exactly why he robbed banks, the infamous American criminal Willie Sutton is alleged to have replied, not unreasonably, “Because that’s where the money is.” In more recent years, with the massive growth of the internet, online connectivity and remote access, it has again been banks which have borne the brunt of cyber crime. Not only is the money there; banks also hold critical information about all of their customers which, in the wrong hands, can be equally valuable. However, the focus of much cyber crime is now changing rapidly, away from banks and onto insurers.
There are a number of reasons. Perhaps the most significant and straightforward is simply that over the last 10 years or so, banks’ defenses have become more sophisticated and effective. The industry has appreciated the threat and has taken measures to counteract it. Key steps have included implementing layers of technical protection as well as concerting efforts across the industry – in what is, after all, a challenge facing all banks – to exchange information and develop strong counter-measures together. It is clearly not possible to prevent all attacks from succeeding and for obvious reasons, individual banks are reluctant to publicize those attempts which do result in loss. But overall, the banks have become increasingly effective in repelling cyber crime.
Another key factor is that cyber criminals have come to realize that banks are not the only potentially lucrative targets. Certainly, banks are where the money is. But money can also be stolen from insurance companies. Furthermore, money is not the only valuable commodity available; insurers need to protect premium rating tables, claims and accident and loss information. Almost equally valuable are customer details – personal information, names, addresses, account details, passwords, health and lifestyle information, payment card information, etc. – which can either be parlayed into cash or sold on to other criminal interests that will attempt the same thing.
In addition, insurers typically enjoy far less close and frequent interactions with their clients than banks. Despite the hollowing out of the bank-client relationship in recent years, it is still true that banks and their clients typically transact business many times a week or month. By contrast, insurers may interact with their clients only when there is a claim or, in the case of life companies, when the client retires or dies. This remoteness from the client means that insurers are much less well-placed to identify potentially fraudulent or criminal attacks. And although attempts at insurance crime may still be less common than bank crime, the rewards for success can be much greater. Compromising a bank card or credit card may yield a few hundred dollars; a successful fraudulent insurance claim may produce an order of magnitude more. Nor is simple financial advantage the only motivation. As we shall see, insurers, along with many other financial services companies, face multiple challenges.
As insurers amass greater amounts of customer data through new online channels, social media, telematics and web-based claims management systems, they become even more attractive to cyber criminals. In 2012, a major security breach of a US insurer affected 1.1 million policyholders and potential customers. Hackers stole names, social security numbers, driver’s license numbers and dates of birth. The insurer acted swiftly, offering credit monitoring and identity theft protection for those impacted, including US$1 million in free identity theft insurance coverage with no deductible. In another case, a global insurer was fined £2.2 million for failing to have adequate systems and controls in place to prevent the loss of customers’ personal information.
In order to understand – and protect against – the threat, it is important to understand the range of sources.
- Organized crime: It may be tempting to think that the threat from cyber crime is relatively limited and arises from opportunistic attempts to extract small amounts of benefit. But experience over recent years has demonstrated conclusively that highly advanced organized crime syndicates are increasingly determined in their attacks on financial services companies and, recently, insurers in particular. These are sophisticated and ruthless criminals. Their tools of choice include malware and botnets that install themselves on corporate networks, either compromising security and transmitting critical data outside the company or transforming local networks into ‘slaves’ under the control of the external criminals.
Organized criminal networks have also begun to realize that it is not actually necessary to steal anything. The mere threat of loss – or of operational damage and disruption – can be enough to extract a substantial ransom from the targeted organization. Once again, many companies are reluctant to reveal publicly when they have been hit. But many have paid up quietly.
Reverse engineering of the malware distributed by cyber criminal organizations can reveal the kind of targets crime networks are focused on; increasingly over the last year or so, the evidence is that insurance companies are becoming targets.
The rapid growth of online insurance purchasing offers greater opportunities to organized crime. It can be difficult for customers, attracted by low prices, to distinguish legitimate insurers from fraudulent ones. We are seeing a spate of ‘ghost brokers’ being set up on the internet selling fake policies, taking premiums and leaving the ‘policyholder’ without coverage.
- Petty criminals: As the term suggests, petty criminals will target any and every opportunity to compromise security and extract reward. They are comparatively indiscriminate, both in their targets and in their methodology, and often are just looking for front-door vulnerabilities, such as systems with missing patches and misconfigurations that can be easily exploited. There is a modernization trend within the insurance industry currently and many insurance providers are launching portals that enable clients to self-manage their policies. Petty criminals are aware of this and are able to scan these portals using special software to detect vulnerabilities for exploitation. Ensuring front-door vulnerabilities are not present on these systems is an easy way to force the criminals to move on to the next target. Although the scale of the risk may be smaller than that posed by organized crime, the threat – and the disruption which it can cause even if unsuccessful – can be significant.
- State sponsored cyber crime: There is no doubt that certain states have developed, and maintain, sophisticated technological capabilities designed either to extract cash or data from vulnerable Western companies or, more commonly, to sustain the capability to hold those organizations to ransom as part of a more extensive coordinated attack.
There are fuzzy lines between traditional electronic espionage, commercial espionage and theft of data for commercial and strategic advantage. There is evidence of state-sponsored commercial espionage during cross-border mergers and acquisitions (M&A) transactions. Insurance companies – along with many other industrial sectors in the West – are vulnerable to all of these dangers.
- 'Hacktivists' and terrorists: Illegal extraction of money or data is not the only objective which motivates cyber criminals. So-called 'hacktivists', terrorists and others may be driven by a wide variety of motives, including, in particular, the desire to disrupt, damage or destroy companies’ operating capabilities. Here the threat is all the more difficult to anticipate because it can be almost impossible to predict. However, we have seen that indirect action can be especially attractive to many of the types of groups involved in these activities. For example, insurance companies that undertake business with drug companies, animal testing laboratories, defense companies and the like may well find themselves the target of cyber crime attacks from this direction.
The first priority is, obviously, to recognize the nature of the contemporary threat. Historically, insurance companies have sought to defend themselves against fraudulent claims by mobilizing resources to analyze broad patterns of incidence and investigate individual instances of particular concern. But the threat today includes not only the risk of financial loss, but also that of disruption to systems and processes that can cause both financial and reputational damage. The Canadian Office of the Superintendent of Financial Institutions (OSFI) recently released guidance on how financial services institutions can self-assess their level of preparedness for, and protection against, cyber attacks.1 Insurers can also learn from the banking sector’s success in creating structures and processes to share information about threats and best practices.
Second, it is a truism that insurers’ back-office technology and systems are a generation or more behind those routinely employed by banks. There is a lack of connectivity and coordination between different systems and, therefore, less capability to identify and counter attempts at penetration and diversion. Less automation, more manual interventions and more breaks in the chain of information processing increase the potential vulnerability. Where claims processing is outsourced, security can be more difficult to monitor; more effective supply-chain management is needed. Recent research by Proofpoint Inc. shows that insurance companies currently face a higher number of email-based threats to security than any other business sector.2 In fact, KPMG’s 2012 Data Loss Barometer states that the insurance sector is at greatest risk from social engineering attacks and system and/or human error incidents. Separate KPMG research shows that financial services companies are among those industries with the most vulnerable software.3 Upgrading systems, although expensive, is a necessity.
Finally, and perhaps most importantly, insurers need to understand how to develop a mature and effective response. The threat is all too real. But it needs to be countered with intelligent and sophisticated action. This needs to look beyond pure technical preparedness against cyber attacks to take a rounded view of people, process and technology in order to understand areas of vulnerability, identify and prioritize areas for remediation and demonstrate both corporate and operational compliance, turning information risk to business advantage. In our experience, this means acting on six key dimensions that together provide a comprehensive and in-depth view of an organization’s cyber maturity:4
- Board demonstrating due diligence, ownership and effective management of risk.
- The approach to achieve comprehensive and effective risk management of information throughout the organization and its delivery and supply partners.
- The level of control measures implemented to address identified risks and minimize the impact of compromise.
- The level and integration of a security culture that empowers and ensures the right people, skills, culture and knowledge.
- Preparations for a security event and the ability to prevent or minimize its impact through successful crisis and stakeholder management.
- Regulatory and international certification standards as relevant.
The banking sector has shown that the threat from cyber crime can be contained and countered. Insurers need to raise the game urgently to ensure that they can mount comparable defenses.