Introduction:
1. Companies May Be Flagging Themselves For Hackers By Buying Cybersecurity Insurance
2. How Cybersecurity Affects the Insurance Industry
Companies May Be Flagging Themselves For Hackers By Buying Cybersecurity Insurance
AILSA CHANG, HOST:
Ransomware attacks have hit the U.S. food supply, the health care system, the pipelines that carry fuel up and down the East Coast. And companies are worried about being attacked. More of them are buying what's called cyber insurance, but that demand has led to higher prices and to coverage that is less comprehensive. NPR's David Gura joins us now with more. Hey, David.
DAVID GURA, BYLINE: Hey, Ailsa.
CHANG: OK, so just give us a primer first. How does cyber insurance work exactly?
GURA: Yeah. Let's take ransomware, for example. It's been in the news lately. There have been these big attacks. Colonial Pipeline is one of them. JBS, the meat processor, is another one. You know, they can cause a lot of disruption, cause a lot of damage. And the ransom demands can be sizable, as we've seen. Colonial Pipeline paid $4.4 million. Well, a company can buy an insurance policy not just to cover the ransom payment itself but also the fallout from an attack. A company may have to hire a consultant to negotiate and make a payment. There's forensics work - trying to figure out what happened, what was taken. All of that's expensive. And then there's the notification part of this, Ailsa - how much it costs a company to tell its customers, and sometimes its investors, about what damage took place.
CHANG: OK, so it sounds like cyber insurance is a good idea. But are a lot of companies actually buying it?
GURA: We have some new data on this from the federal government. In 2020, half the companies that bought insurance had cyber coverage. In 2016, four years earlier, it was just a quarter of them. So it is becoming more popular, and we're seeing the costs creep up for coverage. I think this uptick in demand for coverage says something about how normal these attacks have become. Companies are buying insurance for cyberattacks just like they buy insurance for fires and for earthquakes. That's made it become a regular part of doing business. And it's happening even as the federal government tells companies it doesn't want them to pay ransoms, that paying ransoms incentivizes more attacks.
CHANG: Well, given all these recent cyberattacks, is the thinking now that all companies should be buying cyber insurance?
GURA: Well, experts told me yes. It's becoming increasingly clear companies could benefit from this kind of insurance. But there's a catch. There's this concern that companies that buy cyber coverage could be targeted as a result. James Turgal helped run the FBI's information and technology branch. Now he's with the security company Optiv, and he consults with large companies. He told me some hackers actually scour IT systems as part of an attack to learn about the kind of insurance a company has. And then these bad actors will use that information as leverage.
JAMES TURGAL: They will actually put up a piece of that cyber insurance policy to show you that, one, they've infiltrated your system and they have exfiltrated data but also to let you know they know about the cyber insurance.
CHANG: That's scary.
GURA: Another cybersecurity consultant said she has heard of hackers figuring out what to ask for, how big a ransom to ask for based on what a policy says an insurer would cover.
CHANG: OK. Well, what about the insurance side of things? Like, how is the growing popularity of cyber insurance affecting the overall business of insurance?
GURA: Well, insurers are forcing companies to do more to improve their IT infrastructure. They're also making more of an effort to verify a company's defenses are, in fact, as good as the company says they are. And that's part of what determines the premium. Daniel Soo is a cybersecurity consultant with Deloitte, and he says this is an approach you see with other kinds of insurance, like with car insurance, for instance.
DANIEL SOO: To get different safety features on your car has an impact on your premium. It's going to be the same thing with cyber insurance.
GURA: Now, something else that's happening is insurers are denying claims if a company's systems are not as secure as it claimed. And one last point here - ransomware isn't new. It's been around for decades. But this kind of standalone cyber coverage, Ailsa, is fairly new. And because of that, policies vary. This could make it get more standardized as time passes.
CHANG: That is NPR's David Gura. Thank you, David.
GURA: Thank you.
(SOUNDBITE OF SALLY SHAPIRO SONG, "STARMAN")
How Cybersecurity Affects the Insurance Industry
Insurance companies are among the businesses more reliant than ever on technology and information systems for daily processes. Insurance technology, or insurtech, improves the efficiency of the insurance industry but can also increase attack surfaces, making the data insurers collect more vulnerable to theft.
As more companies seek cyber insurance to protect themselves from the financial fallout of a data breach, insurers themselves are among the firms heavily impacted by the increasing scope and frequency of cybercrime.
After the COVID-19 pandemic, aside from the healthcare sector, the financial sector endured the most cyber events. This post looks at the impact that cybercrime has had on the insurance industry and how underwriters, who are no strangers to assessing risks, can use cybersecurity best practices to remediate and mitigate the cyber threats that affect them most.
Along with credit unions and payment institutions, insurers are among the financial institutions most affected by cybercrime. Insurers attract hackers for three main reasons:
- Sensitive data - Like other firms in the financial services sector, insurers that handle large amounts of customer data attract the attention of cybercriminals. Insurance-related data is particularly interesting to cybercriminals because of its inherent confidentiality. Often linked to policyholders, sensitive data helps insurers customize their policies, products, and prices for each client.
- Increasing attack surfaces - Insurers rely more on technology to provide up-to-date, personalized customer experiences and real-time insurance solutions. This growing reliance on technology can mean increased attack surfaces, leading to more potential vulnerabilities and more potential for human error.
- Industry size - The size of the insurance industry, combined with the sensitivity and scope of the confidential data it collects, makes it a significant target for cybercriminals. In 2021, nearly 70% of the US population (about 220 million people) had private healthcare insurance.
Cyber attacks can lead to the loss of confidential data, business, and reputation. The scope of personally identifiable information and sensitive data processed by insurers puts the industry at increased risk of social engineering and ransomware.
Business disruption through cyber incidents is also a major problem for insurance companies, which need to react quickly to fulfill their contracts and maintain the trust of their clients.
Reputational damage can be particularly difficult to recover from since trust is vitally important in the insurance sector. Bad publicity from a cyber attack can damage consumer confidence in the brand, leading to a loss of customers and revenue.
Social engineering is a significant cybersecurity threat across sectors. Cyber attackers use a variety of methods to trick unsuspecting employees or staff to give up credentials, sensitive data, or trade secrets. Social engineering attacks can also be used to carry out other types of attacks, such as phishing, ransomware, or identity fraud.
Ransomware attacks hold company data hostage until the targeted company pays a sum of money to recover the data. According to Nozomi, cybercriminals investigate companies’ cyber insurance policies so they can customize their ransom requests to match. So data breaches at insurance companies pose a significant risk to the safety of their clients, who are then more likely to be targeted for ransomware attacks.
Having cyber liability insurance is an excellent idea, but relying on it alone to deal with ransomware is a bad one. According to Sophos’s State of Ransomware 2021 report, more organizations are paying ransoms, but fewer than one in ten get all their data back. Also, there is no assurance that hackers won’t retain access to penetrated systems or copies of compromised files.
A Distributed Denial of Service (DDoS) attack is when a bad actor uses malware-infected machines to bombard a target server with requests. It is deployed for the sole purpose of business disruption to lower the confidence in the targeted company, disrupt sales and business operations, and
The result of a DDoS can be anything from slowing down webpage performance to completely disabling a business’s online presence. This can cause serious reputational damage for an underwriting firm that cannot act promptly for its clients due to a cyber attack.
While it’s possible to trace cyber liability insurance back to the late 1990s, the recent proliferation and growing complexity of cyber attacks have caused massive growth in the market for cyber liability insurance.
Not only do more insurers offer cyber liability insurance than ever, but the costs of premiums have shot up, too, rising almost 100% between 2019 and 2022, largely due to the increasing threat from ransomware.
Underwriters are increasingly reluctant to pay ransoms. As cyber attacks become more sophisticated and targeted, including researching how much insurers will cover for a ransomware attack, the number of insurers paying out for ransomware attacks is declining.
Firms are much better off improving their cybersecurity than relying solely on a cyber insurance company to bail them out. At the same time, organizations can lower their cybersecurity insurance premiums by following cybersecurity best practices to improve data security.
The insurance industry needs to collect, store, and transmit sensitive information to function. Large insurance businesses will have massive amounts of sensitive data. The solution is for insurance providers to upgrade their defenses.
This applies to smaller insurance firms, too, since cybercriminals also target small firms because:
- Small firms also use valuable, sensitive data
- They tend to have poorer security than their larger competitors
- They may provide gateways to their business partners
Nobody is under the radar when it comes to cyber risks. Whatever the size of the business, there is no reason to expect cyber attackers to reduce their attacks on the insurance sector for the foreseeable future. All insurance firms must use cybersecurity best practices to protect their information and avoid being easy targets.
Insurance companies have a deep understanding of risk, which helps them manage cyber risks. While insurance firms understand risk, this alone does not protect them from cyber attacks.
Insurance firms, especially cyber insurance firms, should use their unique abilities to perform honest, accurate cybersecurity risk assessments and then perform the recommended actions to reduce those risks.
Risk management identifies four ways to handle risk, listed here in order of priority:
- Avoidance
- Mitigation
- Transfer - often via insurance coverage
- Acceptance
Underwriters will most likely know that they can mitigate cyber risk on two fronts: technology and policy. Both are required, as they are more effective together.
Insurance companies should practice strong cybersecurity to prevent cyber attacks from occurring. By following basic practices, they can secure themselves against the biggest cyber threats affecting insurance companies.
Anti-malware and antivirus software are essential components of any cybersecurity program for building strong network and device security. With an up-to-date database of virus and malware signatures, anti-malware software can detect and respond to threats quickly.
Similarly, a firewall is essential to defend against cyber attacks, monitoring and filtering all traffic attempting to enter a network and everything attempting to leave. It can alert network administrators to unusual activity and, via event logging, provide forensic investigators with useful information if a data breach occurs.
Cybercriminals are leveraging artificial intelligence (AI) and machine learning (ML), so it’s important that heavily targeted industries with a lot of sensitive data do the same. Built on massive amounts of input data, AI can spot known threats and learn to differentiate normal activity patterns from those that might be new threats.
An AI system can respond quickly to a cyber incident, making it invaluable for preventing cyber attacks and containing data breaches. This is especially the case if an organization is attacked in multiple ways, which might overwhelm a human operator alone, such as a phishing attempt, followed by a ransomware attack in the midst of a DDoS attack.
Limiting access to sensitive data can improve an insurance firm’s security posture because it limits the ways cybercriminals can access that data.
The more people that have access credentials for confidential information, the more chance those credentials could be compromised due to such factors as physical theft, negligence, accidental loss, misconfiguration, or phishing.
With end-to-end encryption, transmissions are more secure against hackers who may try to launch a man-in-the-middle (MITM) attack, in which they intercept, read, and possibly modify transmissions without the knowledge of the sender or recipient.
A successful MITM attack compromises data but can also lead to the insertion of false data, such as false payment details.
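The two paragraphs above describe both reading and modifying traffic, and encryption on its own only addresses the first: a ciphertext with no integrity check can be altered in transit and the receiver will decrypt the altered bytes without noticing. The example below is added here and is not code from the article; it uses only the Python standard library, with a toy SHA-256 counter-mode keystream standing in for a real cipher (an assumption for illustration; production systems should use a vetted AEAD such as AES-GCM) and HMAC-SHA256 in an encrypt-then-MAC envelope. It shows a constructed payment record whose amount is silently changed by a one-byte modification when only encrypted, and rejected when the same modification hits the authenticated envelope.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode (illustration only, not for production)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: any change to the ciphertext silently changes the plaintext."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC envelope: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = stream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(enc_key: bytes, mac_key: bytes, envelope: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject anything modified."""
    nonce, ct, tag = envelope[:NONCE_LEN], envelope[NONCE_LEN:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified in transit")
    return stream_xor(enc_key, nonce, ct)

def corrupt_in_transit(data: bytes, offset: int) -> bytes:
    """Simulate an on-path party altering one byte of the data it relays."""
    return data[:offset] + bytes([data[offset] ^ 0x01]) + data[offset + 1:]

def demo() -> tuple:
    """Returns (altered amount accepted without MAC?, same alteration rejected with MAC?)."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    record = b"payee=ACME Claims Ltd;amount=1000.00"  # constructed sample payment record
    pos = record.index(b"1000")                        # byte of the amount that gets altered
    # 1. Encryption without integrity: the receiver decrypts "amount=0000.00" and cannot tell.
    nonce = os.urandom(NONCE_LEN)
    altered = stream_xor(enc_key, nonce, corrupt_in_transit(stream_xor(enc_key, nonce, record), pos))
    accepted_silently = altered != record and altered.startswith(b"payee=ACME Claims Ltd;amount=")
    # 2. Encrypt-then-MAC: the same one-byte change fails verification and is rejected.
    envelope = seal(enc_key, mac_key, record)
    try:
        open_sealed(enc_key, mac_key, corrupt_in_transit(envelope, NONCE_LEN + pos))
        rejected = False
    except ValueError:
        rejected = True
    return accepted_silently, rejected
```

The same principle is why TLS and modern E2E messaging protocols authenticate every record rather than only encrypting it.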
Cybercriminals are continuously working to uncover new vulnerabilities and ways to exploit them. And they do not work 9 to 5. So continuous monitoring is essential to identify and respond to threats as they occur 24/7. With continuous monitoring, an insurance firm can be in a state of perpetual readiness regarding information security.
Threats to the insurance industry include potentially significant fines for non-compliance with cybersecurity regulations. Compliance monitoring and management systems help insurers keep track of their compliance requirements in an evolving cyber threat landscape.
A robust and continuous risk management process is required to keep organizations safe from evolving cyber threats. With excellent risk management policies and procedures, insurers will be able to predict cyber incidents and assess their potential impact. They can then implement policies that help prevent them or mitigate the damage if they happen.
Cybersecurity training can help limit damage from cybercrime, particularly social engineering attacks, which are a primary concern for most organizations.
Most data breaches involve human error. Often, this is because a staff member unwittingly or negligently downloaded malware to a device. With staff training, however, an insurance firm can turn a known weakness into a strong defense.
Staff training can fill knowledge gaps such as the importance of cybersecurity, password hygiene, physical security, data protection legislation, and how to identify and respond to phishing attempts.
Developing a cybersecurity culture goes further than training. It takes a long-term view and instills cybersecurity engagement in every part of an organization.
With the C-level on board, firms with mature cybersecurity cultures prioritize information security at all times at all levels. This develops over time through incentivized initiatives to build cybersecurity awareness and drive engagement with information security.
Insurance companies work with many vendors and third parties, which increases their cyber risks and attack surfaces. Focusing on third-party risk can help insurance firms understand the extent of their attack surfaces and improve their security postures by remediating vulnerabilities through policies, systems, and collaboration with associates.
Services such as UpGuard Vendor Risk can help companies better manage their scaling vendor lists and quickly identify their biggest third-party risks.
Backup systems or data backups can help insurance companies bounce back after a cyber incident. If business-critical data is compromised in a ransomware attack, an organization can use cloud-based backups to reboot its system — if necessary, even in a new location.