Recent years have seen an increase in cyberattacks against insurance companies that leak sensitive medical and financial information. An instance of this is the recent Meehan Insurance data breach, in which an employee's email account was compromised, exposing medical and personal information. Events like this one point to a larger issue within the insurance industry: companies in this space can no longer rely solely on passwords to protect their agencies.
Why the Insurance Industry is a Prime Target
Insurance companies hold many of the highest-value pieces of personal data, including Social Security Numbers (SSNs), driver's licenses (IDs), medical records (diagnoses, treatment plans, etc.), personal and financial history, and policy documents. This makes them prime targets for credential theft attacks, including:
- Password spraying
- Phishing attempts
- Email takeovers (hacked accounts)
- MFA fatigue
- Business Email Compromise (BEC)
Smaller and mid-sized agencies generally carry additional risk because their email accounts double as storage for client documentation, client ID photographs, claim records and medical documents.
Why Passwords are No Longer Sufficient Protection
Cybercriminals can buy stolen passwords for pennies on the dollar on the dark web. They can also brute-force or guess weak passwords, reuse credentials leaked from another source (credential reuse), and bypass inadequate protection on outdated systems.
That is why, in 2025, single-factor authentication (a password alone) is expected to be one of the weakest security controls possible.
The Role of MFA
Multi-Factor Authentication (MFA) requires a second, or potentially third, factor to verify a user's identity, such as:
- One-time passcode (via SMS, email or an Authenticator app);
- Push notification;
- Hardware key (such as a YubiKey);
- Biometric verification.
Even if an attacker obtains your username and password, MFA still blocks their access to your account.
The Greatest Mistake for Most Agencies
Many insurance companies think, "We're too small to be hacked by anyone." Attacks happen against agencies of any size, including insurance agencies, because they often suffer from:
- Absence of dedicated IT staff;
- Lack of continuous monitoring and management;
- Failure to enforce strong password policies;
- No centralized security control.
For these reasons, small agencies are easier to break into than larger ones, even though each is a less valuable target than a larger agency.
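Password spraying and MFA fatigue from the attack list above are the two patterns an agency without continuous monitoring is least likely to notice. As an added example (not from the original article), the following Python script flags both in a constructed authentication log: one source IP failing passwords against many accounts in a short window, and one user receiving a burst of push prompts they deny or ignore. The log format, field names, sample values and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp user source_ip event".
SAMPLE_LOG = """\
2025-03-01T09:00:01 alice 203.0.113.5 PASSWORD_FAIL
2025-03-01T09:00:09 bob 203.0.113.5 PASSWORD_FAIL
2025-03-01T09:00:17 carol 203.0.113.5 PASSWORD_FAIL
2025-03-01T09:00:25 dave 203.0.113.5 PASSWORD_FAIL
2025-03-01T09:00:33 erin 203.0.113.5 PASSWORD_FAIL
2025-03-01T09:05:00 grace 198.51.100.7 PASSWORD_FAIL
2025-03-01T11:30:00 frank 192.0.2.44 PASSWORD_OK
2025-03-01T11:30:05 frank 192.0.2.44 MFA_PUSH_DENIED
2025-03-01T11:31:10 frank 192.0.2.44 MFA_PUSH_TIMEOUT
2025-03-01T11:32:15 frank 192.0.2.44 MFA_PUSH_DENIED
2025-03-01T11:33:20 frank 192.0.2.44 MFA_PUSH_DENIED
2025-03-01T14:00:00 henry 192.0.2.9 MFA_PUSH_DENIED
"""

def parse(log):
    """Yield (timestamp, user, source_ip, event) for each log line."""
    for line in log.splitlines():
        ts, user, ip, event = line.split()
        yield datetime.fromisoformat(ts), user, ip, event

def _in_window(events, start, window):
    """Events whose timestamp (first field) falls in [start, start + window]."""
    return [e for e in events if start <= e[0] <= start + window]

def detect_password_spray(log, min_users=5, window=timedelta(minutes=10)):
    """One source IP failing passwords against many distinct accounts in a window."""
    fails = defaultdict(list)  # source_ip -> [(timestamp, user)]
    for ts, user, ip, event in parse(log):
        if event == "PASSWORD_FAIL":
            fails[ip].append((ts, user))
    return {ip for ip, ev in fails.items() for start, _ in ev
            if len({u for _, u in _in_window(ev, start, window)}) >= min_users}

def detect_mfa_fatigue(log, min_prompts=4, window=timedelta(minutes=10)):
    """A burst of push prompts denied or ignored: the password is already known."""
    prompts = defaultdict(list)  # user -> [(timestamp, source_ip)]
    for ts, user, ip, event in parse(log):
        if event in ("MFA_PUSH_DENIED", "MFA_PUSH_TIMEOUT"):
            prompts[user].append((ts, ip))
    return {user for user, ev in prompts.items() for start, _ in ev
            if len(_in_window(ev, start, window)) >= min_prompts}

if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_LOG), detect_mfa_fatigue(SAMPLE_LOG))
```

On the sample log the spray check reports 203.0.113.5 and the fatigue check reports frank; grace's single failure and henry's single denied prompt stay below the thresholds.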
Reasons for Mandatory MFA for Insurance Agencies
1. Email accounts are the most vulnerable point of entry into an insurance company.
2. Cloud services and CRMs are where client information and claims are stored.
3. Remote login access is critical for companies with remote employees.
4. Third-party vendor access, whether from reputable or compromised vendors, since breaches typically occur via vendor logins.
5. Secure transfer of sensitive documentation, including e-signature, file-sharing and billing systems.
Mandatory MFA Is Coming
In 2020, all 50 US states began introducing recommendations and regulations under various data-privacy statutes that either recommend or mandate MFA for compliance. Without MFA in place, an agency risks:
- Fines;
- Higher cyber insurance rates;
- Refusal of coverage after a data breach;
- Loss of business.
Actionable Steps for Insurance Agencies to Decrease Breach Risk
What Insurance Companies Should Do Now:
• Immediately enable MFA (multi-factor authentication) on all employees' email accounts and other logins.
• Use authenticator apps rather than SMS codes to verify users.
• Require periodic password changes for all users.
• Train employees to recognize phishing attacks.
• Apply access controls based on employee roles.
• Regularly audit third-party vendor accounts.
Insurance agencies operate in one of the most data-sensitive industries in America, and attackers are aware of this. Implementing MFA is no longer optional; given current cyber threats, it is a necessity for any business operating today.
