In this series on why insurance supervisors must redouble their efforts now to protect carriers against cyber risk, amid the industry's many other challenges, we have examined the frequency and severity of the peril that cyber criminals pose. Now let's examine insurers' cyber security weaknesses.
In its recent Issue Paper on Cyber Risk to the Insurance Sector, the International Assn. of Insurance Supervisors (IAIS) highlights numerous incidents that have exposed insurers’ weaknesses against cyber criminals.
One example is the extortion threat that financial services institutions in North America, Europe and Australia face from a criminal group known as DD4BC. The group demands ransoms under threat of distributed denial-of-service (DDoS) attacks. DD4BC launches those attacks from a botnet: many systems infected with Trojan (malicious) programs that flood a single target with traffic until its legitimate users can no longer reach it. Two German insurers that the group attempted to extort last year refused to pay ransoms of 40 bitcoins, because the carriers concluded they would suffer only minor damage from the group. IAIS notes, however, that such incidents could be far more problematic if cyber criminals focus on more critical systems.
Cyber security problems also can emanate from third-party relationships, as the 2015 hack of a data server used by the state of North Dakota illustrated. The incident compromised the personal information, including Social Security numbers, contained in 43,000 workers' compensation incident reports and 13,000 payroll reports filed online by employers and workers.
Conversely, insurers can be the third parties that cyber criminals exploit to launch attacks on other organizations. Last year, a French insurer's audit team discovered unauthorized access to the carrier's accounting tools. No damage had been done, but the discovery underscores the threat not only to the insurer but also to its business partners and policyholders.
Insurance supervisors also cannot overlook the cyber threat that lurks internally. IAIS notes the 2012 case of a French mutual insurer that was the victim of an internal data theft that led to identity theft and false claims.
IAIS notes that it has observed three common cyber security weaknesses among insurers:
- A missing or incomplete map of the data flows between more-secure and less-secure information technology systems, applications and components. Without that map, a poorly protected component that exchanges data with a critical system goes unnoticed, and it can give cyber criminals an entry point to an organization's most sensitive systems.
- An inadequate control process for user privileges, which either grants employees privileges their role does not require or leaves an account with higher system privileges than it needs. Both problems can foster insider abuse.
- Insufficient controls over direct employee access to super-user accounts, meaning accounts with privilege levels that most employees do not need. Where those controls are weak, a hacker who obtains such an account could gain access to, and control of, the entire system.
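The second and third weaknesses above are routinely caught by a periodic entitlement review: compare each account's privileges with the baseline its role needs, and flag any person who holds super-user privilege directly rather than through a brokered, time-limited check-out. The following is an added example of such a review, not code from the IAIS paper or from any insurer; the role baseline, the privilege names and the sample accounts are all constructed for illustration.

```python
"""Entitlement review: flag excess privilege and direct super-user access.

Added example, not from the IAIS paper. ROLE_BASELINE, the privilege
names and SAMPLE_ACCOUNTS are hypothetical and constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical role baseline: the privileges each role legitimately needs.
ROLE_BASELINE: dict[str, set[str]] = {
    "claims_adjuster": {"claims:read", "claims:write"},
    "underwriter": {"policy:read", "policy:write", "claims:read"},
    "dba": {"db:read", "db:write", "db:schema"},
    "sysadmin": {"host:login", "host:sudo"},
}

# Privileges that amount to super-user access. Even when a role needs them,
# a person should obtain them through a brokered path (for example a PAM
# check-out with approval and session recording), never hold them directly.
SUPERUSER_PRIVILEGES: set[str] = {"host:sudo", "db:schema", "iam:admin"}


@dataclass
class Account:
    name: str
    role: str
    privileges: set[str]
    brokered: bool = False  # True if privileged access is checked out via PAM


def review_account(acct: Account) -> list[tuple[str, object]]:
    """Return a list of (finding, detail) pairs; an empty list means clean."""
    findings: list[tuple[str, object]] = []

    baseline = ROLE_BASELINE.get(acct.role)
    if baseline is None:
        # An account whose role is not in the baseline cannot be reviewed
        # against anything, so every privilege it holds is unexplained.
        findings.append(("unknown_role", acct.role))
        baseline = set()

    # Weakness 2: privilege beyond what the role requires.
    excess = acct.privileges - baseline
    if excess:
        findings.append(("excess_privilege", sorted(excess)))

    # Weakness 3: super-user privilege held directly rather than brokered.
    direct_super = acct.privileges & SUPERUSER_PRIVILEGES
    if direct_super and not acct.brokered:
        findings.append(("direct_superuser", sorted(direct_super)))

    return findings


def review_directory(accounts: list[Account]) -> dict[str, list[tuple[str, object]]]:
    """Review every account and return findings keyed by account name."""
    return {acct.name: review_account(acct) for acct in accounts}


def count_findings(report: dict[str, list[tuple[str, object]]]) -> dict[str, int]:
    """Tally findings by type, a useful summary line for the review minutes."""
    counts: dict[str, int] = {}
    for findings in report.values():
        for kind, _ in findings:
            counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample directory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", "claims_adjuster", {"claims:read", "claims:write"}),
    # Underwriter who kept claims:write from a previous role.
    Account("bob", "underwriter", {"policy:read", "policy:write", "claims:read", "claims:write"}),
    # DBA holding schema rights directly instead of checking them out.
    Account("carol", "dba", {"db:read", "db:write", "db:schema"}),
    # Sysadmin whose sudo is obtained through the brokered path: clean.
    Account("dave", "sysadmin", {"host:login", "host:sudo"}, brokered=True),
    # Service account with no recognised role and an admin entitlement.
    Account("svc_batch", "batch", {"iam:admin"}),
]

if __name__ == "__main__":
    report = review_directory(SAMPLE_ACCOUNTS)
    for name, findings in report.items():
        status = "OK" if not findings else "; ".join(f"{k}={v}" for k, v in findings)
        print(f"{name:10s} {status}")
    print("summary:", count_findings(report))
```

Running it as-is lists bob's leftover `claims:write`, carol's direct `db:schema`, and every privilege on `svc_batch`, while alice and dave pass. In practice the directory would be exported from the identity provider and the baseline maintained by each application owner; the point of the example is that neither weakness is detectable without that baseline, which is why IAIS lists the missing overview first.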
Next time: How insurance supervisors should respond to cyber risk.
Source: The International Assn. of Insurance Supervisors' Issue Paper on Cyber Risk to the Insurance Sector