This blog was written by an independent guest blogger.
There are more online stores and services available than ever, and you are able to shop for almost anything online whether it's groceries or insurance. There are many ways to protect yourself while browsing the internet, and one of those ways is to choose reputable businesses with strong security.
Although there are standards for online businesses to follow, some have better safety measures in place than others. In particular, insurance companies are tempting targets for cybercriminals as they hold personal and financial information for numerous clients. Security Scorecard (SSC), uses a variety of factors to assess a company's cybersecurity.
Let’s take a look at some of the factors that influence SSC grades among insurance providers and how insurance companies can prioritize cybersecurity.
The vocabulary of cybersecurity
Most businesses these days are paying attention to security and want their clients to know it. Businesses try to build a secure online presence through blogs, webinars, training, and more. But with all companies claiming they have stellar security, it’s important to understand some of the basics of cybersecurity that all insurance companies - and all companies in general - should be implementing. Some key focus areas include:
- Network segmentation directs traffic within a system and can be used to create additional roadblocks to slow and or stop scammers in the event of a breach.
- Attack surface is the total number of vulnerable points a system has that can be used by criminals to retrieve private data. Businesses must identify these weak points to boost their security efforts.
- Endpoint security secures entry points to networks from the various devices connected to said network. This includes phones, laptops, and tablets that are connected by remote workers. Permissions can be revoked remotely so damages can be mitigated.
- Digital footprints are traces of information left behind by users while browsing online. This leaves a trail to be followed to understand what information was accessed, but it also gives hackers more info to use when targeting a company.
However, even if insurance companies are aware of these concepts and take measures to address them, there are additional factors that can impact a company’s SSC rating.
Country of origin
Country of origin may impact the cybersecurity of insurance establishments for a variety of reasons. Developing countries may not have the knowledge or funding to support cybersecurity efforts. Hackers can easily exploit the outdated systems which have resulted from such circumstances.
These exploits can be seen in the swells of cybercrime that have popped up across various countries in Africa. According to the World Bank’s Cybersecurity Multi-Donor Trust Fund project, losses from Nigeria and Kenya in 2019 were estimated at $650 million and $210 million respectively, with $3.5 billion in losses overall in Africa. The continent suffers from a shortage of cybersecurity personnel, and only 20% of African countries have the basic legal frameworks necessary to address cybercrime.
On the other hand, developed countries have the means to implement continued advancements in protecting confidential information. In addition, users in developed countries tend to be able to select an internet provider that supports faster, more secure options from the variety of providers available.
Baseline network security and patch updates add to SSC grades, so those with more resources to build a stronger base network and roll out continuous patches are likely to have higher grades. Thus, insurance companies that reside in developed companies are likely to have higher scores than companies in developing countries.
Still, despite data safety innovations, scammers have still been able to break through and steal vital records in every country. Everyone should recognize that, regardless of country of origin, human error is a typical avenue hackers use to penetrate through security efforts.
The three main sectors in insurance are property/casualty, life/annuity, and private health insurance. Health insurance and health care have suffered increasing risks during the pandemic. The health insurance sector may be a more appealing mark for criminals because client records can sell for up to $900 more than other personal information like credit card numbers or social security numbers.
The sector does not directly affect SSC grades, but hacker chatter is part of the scoring system. Health insurers may have access to high ticket items, so it is possible that they may be discussed as targets. This does not mean property/casualty and life/annuity are free from these discussions. According to recent statistics, there has been a 50% uptick in the number of people buying life insurance coverage since the pandemic began, and more targets may mean more gossip about potential hits.
Irrespective of the sector, insurers must be wary of potential internal and external breaches - usually through individuals. Phishing is one of the most common ways criminals gain entry to private data, sending email attachments that host malicious threats. Every day, insurers send and receive emails with attachments regarding client accounts, so they must properly train employees to detect and delete phishing emails.
Key financial attributes
Capital strength, profitability, and size all have a role in cybersecurity and SSC grading. Capital strength can help businesses invest in network security, training for employees, patch rollouts, and software and services with better built-in cybersecurity features.
Profitability and size also have their part in their level of safety. Again, higher profits and a larger client base means more motive for hackers to go after that insurance company. Size could also equate to more employees, which leads to more points of entry for spammers to abuse in the form of individuals and their remotely connected devices. This may lead to misconfiguration - another component of the SSC grading system.
Insurance companies must contend with countless cyber dangers. SSC grades and the factors that influence them are paramount to understand so you can know which companies will be better able to ensure the safety of your data. Cybercriminals are persistent and will work diligently to steal sensitive information. Break-through breaches are always possible, so companies should have a plan in place to detect and address cyberattacks.