BreachExchange mailing list archives

Cyber crime: Insurers in the firing line
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 7 Aug 2014 19:43:36 -0600

http://www.compasscayman.com/cfr/2014/08/08/Cyber-crime--Insurers-in-the-firing-line/

As banks become more sophisticated and effective at defending themselves
against attack, the focus of much cyber crime is changing. Increasingly,
insurance companies are becoming the target. The risks are very real and
very serious. Insurers need to raise their game as a matter of urgency.

The focus changes

When asked exactly why he robbed banks, the infamous American criminal
Willie Sutton is alleged to have replied, not unreasonably, “Because that’s
where the money is.” In more recent years, with the massive growth of the
internet, online connectivity and remote access, it has again been banks
which have borne the brunt of cyber crime. Not only is the money there;
banks also hold critical information about all of their customers which, in
the wrong hands, can be equally valuable.

However, the focus of much cyber crime is now changing rapidly, away from
banks and onto insurers. There are a number of reasons. Perhaps the most
significant and straightforward is simply that over the last 10 years or
so, banks’ defenses have become more sophisticated and effective.

The industry has appreciated the threat and has taken measures to
counteract it. Key steps have included implementing layers of technical
protection, as well as coordinating efforts across the industry – in what is,
after all, a challenge facing all banks – to exchange information and
develop strong countermeasures together. It is clearly not possible to
prevent all attacks from succeeding and for obvious reasons, individual
banks are reluctant to publicize those attempts which do result in loss.
But overall, the banks have become increasingly effective in repelling
cyber crime.

Another key factor is that cyber criminals have come to realize that banks
are not the only potentially lucrative targets. Certainly, banks are where
the money is. But money can also be stolen from insurance companies.
Furthermore, money is not the only valuable commodity available; insurers
need to protect premium rating tables, claims and accident and loss
information.

Almost equally valuable are customer details – personal information, names,
addresses, account details, passwords, health and lifestyle information,
payment card information, etc. – which can either be parlayed into cash or
sold on to other criminal interests that will attempt the same thing. In
addition, insurers typically enjoy far less close and frequent interactions
with their clients than banks. Despite the hollowing out of the bank-client
relationship in recent years, it is still true that banks and their clients
typically transact business many times a week or month.

By contrast, insurers may interact with their clients only when there is a
claim or, in the case of life companies, when the client retires or dies.
This remoteness from the client means that insurers are much less
well-placed to identify potentially fraudulent or criminal attacks. And
although attempts at insurance crime may still be less common than bank
crime, the rewards for success can be much greater. Compromising a bank
card or credit card may yield a few hundred dollars; a successful
fraudulent insurance claim may produce an order of magnitude more. Nor is
simple financial advantage the only motivation.

As we shall see, insurers, along with many other financial services
companies, face multiple challenges. As insurers amass greater amounts of
customer data through new online channels (social media, telematics and
Web-based claims management systems), they become even more attractive to
cyber criminals.

In 2012, a major security breach of a U.S. insurer affected 1.1 million
policyholders and potential customers. Hackers stole names, social security
numbers, drivers’ license numbers and dates of birth. The insurer acted
swiftly, offering credit monitoring and identity theft protection for those
impacted, including US$1 million in free identity theft insurance coverage.
The insurer was fined £2.2 million for failing to have adequate systems and
controls in place to prevent the loss of customers’ personal information.

Understanding the threat

In order to understand – and protect against – the threat, it is important
to understand the range of sources.

- Organized crime: It may be tempting to think that the threat from cyber
crime is relatively limited and arises from opportunistic attempts to
extract small amounts of benefit. But experience over recent years has
demonstrated conclusively that highly advanced organized crime syndicates
are increasingly determined in their attacks on financial services
companies and, recently, insurers in particular. These are sophisticated
and ruthless criminals. Their tools of choice include malware that, once it
has gained a foothold on a corporate network, either exfiltrates critical data
to the attackers or enrolls the compromised machines in a botnet under the
criminals' remote control.
Organized criminal networks have also begun to realize that it is not
actually necessary to steal anything. The mere threat of loss – or of
operational damage and disruption – can be enough to extract a substantial
ransom from the targeted organization. Once again, many companies are
reluctant to reveal publicly when they have been hit. But many have paid up
quietly. Reverse engineering of the malware distributed by cyber criminal
organizations can reveal the kind of targets crime networks are focused on;
increasingly over the last year or so, the evidence is that insurance
companies are becoming targets. The rapid growth of online insurance
purchasing offers greater opportunities to organized crime. It can be
difficult for customers, attracted by low prices, to distinguish legitimate
insurers from fraudulent ones. We are seeing a spate of ‘ghost brokers’
being set up on the Internet selling fake policies, taking premiums and
leaving the ‘policyholder’ without coverage.


- Petty criminals: As the term suggests, petty criminals will target any
and every opportunity to compromise security and extract reward. They are
comparatively indiscriminate, both in their targets and in their
methodology and often are just looking for front-door vulnerabilities, such
as systems with missing patches and mis-configurations that can be easily
exploited. There is a modernization trend within the insurance industry
currently and many insurance providers are launching portals that enable
clients to self-manage their policies. Petty criminals are aware of this
and run automated vulnerability scanners against these portals to find
weaknesses they can exploit. Ensuring front-door vulnerabilities are
not present on these systems is an easy way to force the criminals to move
on to the next target. Although the quantum of risk may be less than is
implicated in organized crime, the threat – and the disruption which it can
cause even if unsuccessful – can be significant.


- State sponsored cyber crime: There is no doubt that certain states have
developed, and maintain, sophisticated technological capabilities designed
either to extract cash or data from vulnerable Western companies or, more
commonly, to sustain the capability to hold those organizations to ransom
as part of a more extensive coordinated attack. There are fuzzy lines
between traditional electronic espionage, commercial espionage and theft of
data for commercial and strategic advantage. There is evidence of states
engaging in commercial espionage during cross-border mergers and
acquisitions (M&A) transactions. Insurance companies – along with many
other industrial sectors in the West – are vulnerable to all of these
dangers.


- ‘Hacktivists’ and terrorists: Illegal extraction of money or data is not
the only objective which motivates cyber criminals. So-called
‘hacktivists,’ terrorists and others may be driven by a wide variety of
motives, including, in particular, the desire to disrupt, damage or destroy
companies’ operating capabilities. Here the threat is all the more
difficult to anticipate because it can be almost impossible to predict.
However, we have seen that indirect action can be especially attractive to
many of the types of groups involved in these activities. For example,
insurance companies that undertake business with drug companies, animal
testing laboratories, defense companies and the like may well find
themselves the target of cyber crime attacks from this direction.

How to respond?

The first priority is, obviously, to recognize the nature of the
contemporary threat. Historically, insurance companies have sought to
defend themselves against fraudulent claims by mobilizing resources to
analyze broad patterns of incidence and investigate individual instances.
The contemporary threat, by contrast, encompasses not only the risk of
financial loss but also that of disruption to systems and processes, which
can cause both financial and reputational damage. The
Canadian Office of the Superintendent of Financial Institutions (OSFI)
recently released guidance on how financial services institutions can
self-assess their level of preparedness for, and protection against, cyber
attacks. Insurers can also learn from the banking sector’s success in
creating structures and processes to share information about threats and
best practices. Second, it is a truism that insurers’ backoffice technology
and systems are a generation or more behind those routinely employed by
banks. There is a lack of connectivity and coordination between different
systems and, therefore, less capability to identify and counter attempts at
penetration and diversion.

Less automation, more manual interventions and more breaks in the chain of
information processing increase the potential vulnerability. Where claims
processing is outsourced, security can be more difficult to monitor; more
effective supply-chain management is needed. Recent research by Proofpoint
Inc. shows that insurance companies currently face a higher number of
email-based threats to security than any other business sector. Similarly,
KPMG’s 2012 Data Loss Barometer states that the insurance sector is at
greatest risk from social engineering attacks and system and/or human error
incidents.

Separate KPMG research shows that financial services companies are among
those industries with the most vulnerable software. Upgrading systems,
although expensive, is a necessity. Finally, and perhaps most importantly,
insurers need to understand how to develop a mature and effective response.
The threat is all too real. But it needs to be countered with intelligent
and sophisticated action. This needs to look beyond pure technical
preparedness against cyber attacks to take a rounded view of people,
process and technology in order to understand areas of vulnerability,
identify and prioritize areas for remediation and demonstrate both
corporate and operational compliance, turning information risk to business
advantage.

In our experience, this means acting on six key dimensions that together
provide a comprehensive and in-depth view of an organization’s cyber
maturity:

- Leadership and governance: the board demonstrating due diligence,
ownership and effective management of risk.
- Information risk management: the approach to achieving comprehensive and
effective risk management of information throughout the organization and
its delivery and supply partners.
- Operations and technology: the level of control measures implemented to
address identified risks and minimize the impact of compromise.
- Human factors: the level and integration of a security culture that
empowers and ensures the right people, skills, culture and knowledge.
- Business continuity and crisis management: preparations for a security
event and the ability to prevent or minimize its impact through successful
crisis and stakeholder management.
- Legal and compliance: regulatory and international certification
standards as relevant.

The banking sector has shown that the threat from cyber crime can be
contained and countered. Insurers need to raise their game urgently to
ensure that they can mount comparable defenses.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
