Cyber-criminals have started to recognize that insurers possess large amounts of personal information about their customers, which is very attractive to identity thieves and fraudsters. In some cases, insurers also possess significant amounts of customer credit card and payment data. However, there is at least one case in the insurance sector where the victims of a cyber-attack weren’t even paying customers but merely consumers who had requested a price quote.

Cyber-criminals targeting insurers often have significant resources. This enables them to employ sophisticated attacks that combine advanced malware with other techniques such as social engineering.

Attacks on insurance firms can result in significant, tangible damages such as fines, legal fees, lawsuits and fraud monitoring costs. However, a less obvious but no less significant impact may be loss of trust, driven by customers’ concerns about whether their information is truly safe. Since the insurance business revolves around trust, a major breach can have a very real impact on an insurer’s brand and market value.

It’s worth noting that most of the breaches publicly reported by insurance companies to date have been characterized as short- term attacks, with cyber-criminals compromising a system, stealing specific information and then quickly moving on. In fact, our research did not uncover any documented cases of long-term infiltration and cyber-crime in the insurance sector. However, we believe the number of long-term attacks may be silently growing as attackers quietly slip in undetected and establish a persistent, ongoing presence in critical IT environments.

Over the years, many insurance organizations have invested a lot of money in security tools and processes that may be providing a false sense of security. As attackers learn to leverage encryption and other advanced attack techniques, traditional tools such as firewalls, antivirus software, intrusion detection systems (IDS) and intrusion preven¬tion systems (IPS) are becoming less and less effective. As a result, many insurers may be misallocating their limited resources to address compliance-oriented, easily recognized threats while completely overlooking stealthy long-term threats that ultimately could be far more damaging.