There's been much recent discussion on the requirements for organizations to deploy strict security measures in order to lower the cost or qualify for cyber liability insurance, especially in terms of multi-factor authentication (MFA) and phishing prevention. However, insurance companies themselves face considerable scrutiny when it comes to their own cybersecurity practices and vulnerabilities.
The modernization of the insurance industry created opportunities to broaden coverage delivery and increase margins through improved data operations, and the pandemic accelerated this digital transformation. In 2021, insurtech funding grew 21%, reaching an all-time high of $15.4 billion. However, this greater leveraging of digital tools and data operations has opened up significant security challenges for insurance firms.
The nature of insurance providers’ work means they collect large volumes of sensitive data to assess and underwrite risks properly. This data, which often includes financial and health data and other identifying information, is highly prized by cybercriminals for its potential to commit fraud and open further avenues of attack.
Insurance Industry Under Attack
The valuable data they hold makes insurance companies high-priority targets for attackers. Research shows that 82% of the largest insurance carriers are susceptible to phishing attacks, and there have already been several recent insurance industry attacks, including:
- CNA Financial Corp, one of the largest insurance companies in the US, was forced to pay a hacking group $40 million to regain access to their data after a ransomware attack.
- At Geico, the second-largest auto insurance provider in the US, hackers were able to steal customer data over the space of months using compromised account credentials.
- A phishing attack compromised several employee email accounts and leaked personally identifiable information (PII) of Pacific Specialty Insurance Company customers, including financial information, social security numbers and health insurance data.
Cybersecurity systems may have a number of attack surfaces, but, according to the latest Verizon Data Breach Investigations Report, credentials are a top attack vector for the insurance and financial industry. Credentials are also the data type most often stolen in a breach. With credential compromise and account takeover (ATO) posing such significant risk, deploying strong identity authentication to secure insurance companies should be one of the primary means of defense.
Confusing Requirements, New Regulations
Identity authentication for insurance companies has proven one of the industry’s weakest security links, and legislation and regulators increasingly mandate MFA as the solution. The range of current data protection and cybersecurity regulations applying to insurance companies includes:
- New York Department of Financial Services (NYDFS) Cybersecurity Regulation, specifically Part 500
- National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. This will obligate the deployment of stronger identity authentication for insurance companies. Though not all states have adopted it yet, the US Treasury Department has recommended nationwide adoption by 2022.
- Payment Services Directive (PSD2)
- Open Banking Initiative
- The EU’s General Data Protection Regulation (GDPR)
- The California Consumer Privacy Act (CCPA)
- Payment Card Industry Data Security Standard (PCI DSS)
- Gramm-Leach-Bliley Act (GLBA)
Violating these various regulations can result in fines and compensation pay-outs. However, even greater costs are accrued through lost consumer trust and reactive security cleanups. Stronger identity authentication for insurance companies reduces identity theft and other forms of fraud and ensures more secure insurance company networks.
These security controls cannot just be applied to employees, agents and partners; they must also be applied to customers. In implementing better risk management, insurers must balance effective security with user convenience. This creates a challenge for insurers, especially those serving older demographics.
Phishing-Resistant Identity Authentication for Insurance
With the popularity of phishing and other credential-based attacks, the approach favored by cybersecurity professionals and proposed in much legislation is adopting phishing-resistant MFA. The NYDFS, for example, has given the most specific guidance on authentication protocols. Its industry letter details the need for phishing-resistant MFA, especially for remote workers, legacy systems, partners, contractors and privileged accounts. This letter aligns with similar guidance from the OMB and FFIEC.
The reason for the specific focus on phishing resistance is that many traditional MFA approaches, such as SMS codes, OTPs or push notifications, are subject to phishing, SIM swapping, man-in-the-middle and social engineering attacks. Since these are so easily circumvented, identity authentication to secure insurance companies needs to be built without the inherent vulnerabilities of shared secrets.
Phishing-resistant MFA leverages public key cryptography and does not share private credentials or secrets at any stage of the authentication process. Users can utilize the biometric identification capabilities of their devices to turn their device into a FIDO token and enable fully passwordless MFA (PMFA). FIDO standards are considered the gold standard for phishing-resistant authentication by the Cybersecurity and Infrastructure Security Agency (CISA) and the OMB. As such, adhering to them keeps identity authentication for insurance companies in line with evolving regulatory obligations.
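As an added illustration (not HYPR's code or any FIDO library's), the following Go sketch shows why a public-key assertion bound to the browser's origin resists phishing in a way a shared secret such as an OTP cannot. The relying-party and look-alike origins are constructed, and the signed client data is simplified from the real WebAuthn format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models a FIDO device: the private key is generated on the
// device and never leaves it, so there is no shared secret to phish.
type Authenticator struct{ priv ed25519.PrivateKey }

// Register runs once per relying party and hands it only the public key.
func Register() (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, pub
}

// NewChallenge is the relying party's fresh random nonce for one login.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// signedData stands in for WebAuthn's hashed client data (simplified): the
// browser, not the user, supplies the origin it is really connected to.
func signedData(origin string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return sum[:]
}

// Assert signs the challenge together with the origin the browser reports.
func (a *Authenticator) Assert(browserOrigin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(browserOrigin, challenge))
}

// Verify is the relying-party check: its own origin, the challenge it issued,
// and the public key stored at registration. A signature collected on a
// look-alike domain, or replayed against a newer challenge, fails here.
func Verify(pub ed25519.PublicKey, rpOrigin string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(rpOrigin, challenge), sig)
}
```

Verify returns true only for an assertion produced on the relying party's own origin against the challenge it issued; nothing an attacker collects on another domain or reuses later lets them pass this check.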
Secure Your Data With Passwordless MFA from HYPR
HYPR makes it easy to deliver strong identity authentication for insurance companies by helping your organization adopt phishing-resistant MFA. Just as importantly, our passwordless multi-factor authentication solution has been created with the user in mind to ease frustration around authentication and get employee and customer buy-in.
HYPR True Passwordless™ MFA seamlessly integrates with most popular identity providers (IdPs) and single sign-on providers (SSOs) so that all users share the same experience. Our solution is FIDO Certified across all components and works on users’ own devices. It also accommodates different requirements and preferences across demographics, including offline login and secure alternatives for those who cannot or choose not to use biometrics.