BreachExchange mailing list archives

Insurance: Irresistible to Cyber Criminals


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sun, 3 Nov 2013 23:05:36 -0700

http://www.insurancetech.com/security/insurance-irresistible-to-cyber-criminal/240163420

Cyberthreats against financial institutions have increased exponentially in
the last year and are expected to grow relatively unchecked. The world's
biggest data breaches involve millions of records and subject consumers to
identity theft risk for years to come. More and more, insurance consumers
expect carriers to interact through online channels. As insurers
aggressively move into new online territory through agency portals, online
policy applications, Web-based claims-management systems and mobile apps,
they introduce new vectors of cyberfraud risk.

Hackers' paradise

Insurers house a remarkable amount of personal information that identity
thieves find irresistible. In October 2012, the insurance industry saw
firsthand how intent hackers were on accessing this information when
Nationwide suffered a major data breach. Hackers stole names, Social
Security numbers, driver's license numbers and dates of birth for more than
1 million individuals – including policyholders as well as individuals
seeking quotes.

And the industry is entering an era of data growth. "Big data" is all the
rage as insurers continue to amass huge amounts of consumer information.
Telematics and social media programs are driving this trend. Insurers are
looking to use new analytic technologies to take advantage of all this
information. But those same organizations also need to prepare for a new
reality in which cyberthreats continue to grow at breakneck speed and
insurers become ever more attractive targets for would-be identity thieves.
In this world, data security will become a top priority.

Cyberrisk in financial services

Unsurprisingly, banks tend to be a frequent target for hackers. Criminals
tend to follow the money. With online account access and plenty of ways to
move money electronically nowadays, banking institutions are an obvious
target of cyberattacks. A new report from Longitude Research surveyed bank
executives to identify cybersecurity challenges and opportunities, and
concluded insurance companies may be next in line behind banks as key
targets of cyberthreats.

Mike Usher, Director of Information Risk at Prudential Corporation Asia, a
financial services firm, says in the report: 'The biggest change coming is
a shift from primary targets, which from a criminal point of view has been
banks. But vigorous investment [at banks] has opened up secondary targets,
which in the crime world might be insurance companies or anyone who holds
significant information on customers.'

Among the key findings of the report: Preparedness for cyberrisks remains
weak, with only one in four organizations indicating that its internal
resources are "highly prepared" to address cybercrime. Insurance executives
should treat the Nationwide breach as a harbinger of things to come in the
industry.

The Longitude report also confirmed that technologies and threats are
rapidly evolving. In order to keep pace, response strategies also need to
evolve. Many cyberthreat mitigation programs are reactive – involving
forensic analysis after a breach has occurred. More frequently,
organizations are doing proactive penetration testing to look for
vulnerabilities. But even this methodology is an increasingly outdated
approach as it fails to keep pace with the scale and complexity of the
cyberthreats they are meant to prevent. In the industry, there is a growing
realization that cybersecurity must involve a broader, risk-based approach
and move away from being seen as purely a technical problem.

There are only two types of insurers: those that have been targeted and
those that will be. As insurance companies continue to acquire vast amounts
of sensitive information, they must reprioritize cybersecurity and data
protection as mission-critical business objectives.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
