Security

The foundation of modern digital services is APIs. Global insurance corporations are creating, implementing, and adjusting APIs at a rate that has never been seen before. These organizations share critical data with partners, consumers, and workers using APIs, which serve as the cornerstone for their online services and transformational applications.

It is not without difficulties, though, as is the case with everything that grows quickly. The proliferation of APIs creates a larger attack surface for malicious actors, opening the door to a myriad of new security concerns. These criminals are persistent and constantly looking for novel and surprising ways to target companies. Organizations used to think that requiring adequate authentication to use an API would be sufficient to discourage attackers and send them elsewhere. However, data from Salt Labs indicates that 84% of attacks came from users who appeared to be legitimate but were in fact attackers, who had either obtained credentials maliciously or taken advantage of existing onboarding procedures to establish their own valid credentials for accessing the API.

The insurance industry, along with the financial services and retail industries, is the most vulnerable, even though the API ecosystem has expanded quickly across all industries worldwide. This article will examine the rise in API attacks in the insurance sector and reiterate the ongoing work that the security and software sectors need to do in this area because malicious actors are always working hard to exploit the present security flaws.

The days of setting up policies by calling insurance brokers are long gone; times have changed. Customers today have different demands and anticipate being able to purchase, set up, renew, and file a claim for their insurance online in one convenient location. The insurance sector, like the financial services sector, depends significantly on APIs to deliver services and drive corporate innovation. The industry has advanced into the current era with the usage of APIs and microservice-based architectures, yet there are still difficulties.

Insurance companies need to meet customer demands by processing and sharing sensitive customer data with numerous third parties, all the while making sure that customers can instantly access, amend, and submit their information via websites and mobile applications. APIs are now crucial to the insurance industry due to this new environment, which also presents new security risks and makes them more noticeable to would-be attackers. In fact, 92% of respondents to Salt Security’s State of API Security for Financial Services and Insurance survey said they had at least one serious security issue involving their production APIs in the previous year—a startling statistic. In addition, the number of insurance companies using cutting edge, AI-driven, API-driven automation technologies to assist the underwriting process, handle client claims, and deliver services has increased significantly because of Covid. As per McKinsey & Company, artificial intelligence has the potential to drastically alter the insurance sector by 2030. Leaders in the insurance industry must now quickly and effectively update, replace, or supplement their current security defenses in order to confront the compounded growing security risks.

Findings from Salt Security’s State of API Security for Financial Services and Insurance show that malicious actors are busily at work, increasingly focusing on insurance APIs. In fact, between the first and second half of last year, there was a tremendous 244% rise in unique attackers. Furthermore, a startling 27% of participants disclosed that they had lately encountered a privacy event or the release of sensitive data, and 17% had encountered a security breach originating from an API.

Insurance companies are transforming at an incredible rate to become more innovative and competitive by adopting API-first architectures and workflows. Although this benefits the sector, it also gives hackers a larger attack surface to work with, which makes it generally easier to infiltrate. Due to the increased attack surface, threat actors are now able to steal account information, compromise insurance claims, carry out fraudulent transactions, and eventually cause service disruptions. Moreover, insurers have the same regulatory and compliance requirements as financial services firms. They risk losing their clients’ trust in addition to facing large fines and harm to their brand from an API assault.

Securing APIs to safeguard digital services has become a corporate concern due to the increase in assaults and the expenses (fines, lost client trust, and reputational harm) involved with API security breaches. In its march toward digital innovation, the insurance industry has reached a pivotal point, and APIs are essential to the development of new insurance services. The time has come for business leaders to think about and put into practice tried-and-true strategies for reducing API risk, utilizing specialized AI-based security defenses for APIs. This will enable insurers to safely harness the power of APIs and maintain their competitiveness in this quickly evolving market while guaranteeing customer loyalty, compliance, and overall performance.

According to At-Bay, Inc., more than one in four (31%) firms reported being unable to retrieve their data following a ransomware attack, even though 92% of organizations had backed up their data, whether it was on-site, offsite, or in the cloud.

In comparison to companies who successfully restore data, the average claims cost for corporations that fail to do so is $190,000.

The insurance company and surplus lines broker states that a successful recovery of data after a ransomware attack can reduce a cyber incident’s total cost by up to 41 percent. Businesses that recover their data successfully are three times less likely to comply with a ransom demand.

Not many security professionals find data backups and the numerous solutions on the market particularly exciting. It’s important to note, though, that some backup plans may end up being far more successful than others. Making the correct decision can decrease the risk that a company will have to pay a ransom by up to three times.

After reviewing its claims data, At-Bay concluded that the cloud backup architecture provided the best chance for effective data restoration. Eighty percent of businesses that used cloud backups recovered.

The remarkable success rate of cloud technology

With an 80% effective recovery rate, cloud backup architecture outperforms offsite backup by a factor of 1.5. Moreover, ransomware was paid 2.5 times more frequently by those using offsite backups than by those using cloud backups.

Optimal approaches to develop an effective data backup strategy

The four suggestions that follow can improve any backup plan and help a company recover from a cyberattack.

1. Understand the interconnectedness of systems

It is not sufficient to just copy data elements and store them in one or two repositories; instead, it is essential to catalog and classify the ways in which the system functions. Data that has been carelessly dumped can cause the restoration process to lag while IT personnel try to figure out which apps use the data.

2. Implement robust password security measures

Organizations must take extra precautions to secure passwords and other login credentials for backup accounts, since attackers specifically target these accounts. To achieve this, it is advised to create a separate Active Directory account for backups with a stronger password.

3. Acquire the required bandwidth

A fast internet connection is essential when recovering from the cloud. A business’s recovery process can be severely hampered by slow speeds. It is crucial to keep in mind that data can only move so fast over a network link, and moving terabytes of data can take days or even weeks.

4. Consistently verify the integrity of backups

Verify the backup’s functionality and file completeness by running restoration tests.
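The restoration test described above, as an added example that is not part of the original post: it writes a constructed sample backup set with a SHA-256 manifest, simulates a restore, and reports files that are missing, corrupted, or unexpected. The manifest format, file names and contents are assumptions for the demonstration.

```python
"""Restore test for a backup set: completeness plus per-file integrity.

Added example; not LenderDock's or any backup product's code.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample backup set: relative path -> file content.
SAMPLE_FILES = {
    "policies/P-1001.json": b'{"policy":"P-1001","holder":"example"}',
    "claims/C-2001.json": b'{"claim":"C-2001","status":"open"}',
    "config/app.yaml": b"db_host: backup-db.internal\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(root: Path, files: dict) -> Path:
    """Write the files under root and a manifest.json recording each file's hash."""
    manifest = {}
    for rel, content in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(content)
        manifest[rel] = sha256_of(dest)
    manifest_path = root / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest_path


def restore(backup_root: Path, restore_root: Path) -> None:
    """Simulate a restore by copying every data file (the manifest stays behind)."""
    for src in backup_root.rglob("*"):
        if src.is_file() and src.name != "manifest.json":
            dst = restore_root / src.relative_to(backup_root)
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)


def verify_restore(manifest_path: Path, restore_root: Path) -> dict:
    """Compare the restored tree against the manifest.

    Reports files that never arrived (missing), arrived with different content
    (corrupted), or are present but unaccounted for (extra).
    """
    manifest = json.loads(manifest_path.read_text())
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        p = restore_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != expected:
            corrupted.append(rel)
    restored = {
        str(p.relative_to(restore_root)).replace(os.sep, "/")
        for p in restore_root.rglob("*")
        if p.is_file()
    }
    extra = sorted(restored - set(manifest))
    return {
        "ok": not missing and not corrupted,
        "missing": sorted(missing),
        "corrupted": sorted(corrupted),
        "extra": extra,
    }


def run_restore_test(tamper: bool = False) -> dict:
    """End-to-end: write backup, restore it, verify.

    tamper=True overwrites one restored file and deletes another to show that
    the check catches both silent corruption and an incomplete restore.
    """
    with tempfile.TemporaryDirectory() as tmp:
        backup_root = Path(tmp) / "backup"
        restore_root = Path(tmp) / "restore"
        manifest = write_backup(backup_root, SAMPLE_FILES)
        restore(backup_root, restore_root)
        if tamper:
            (restore_root / "claims/C-2001.json").write_bytes(
                b'{"claim":"C-2001","status":"paid"}'
            )
            (restore_root / "config/app.yaml").unlink()
        return verify_restore(manifest, restore_root)


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("tampered restore:", run_restore_test(tamper=True))
```

Run this against a real backup target by pointing write_backup at the production manifest and restore at the actual restore job; the verification step itself does not change.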

It’s crucial for insurers and their partners to stay vigilant against constantly evolving cyber threats and collaborate to reduce cybersecurity risks in the ecosystem.

The insurance industry relies heavily on digital ecosystems involving multiple stakeholders. A survey found that 84% of insurance executives view these ecosystems as a vital part of their business strategy. By 2025, it is predicted that these ecosystems will generate around 30% of the world’s insurance revenue, according to McKinsey.

Ecosystems present Insurers with growth opportunities, but these opportunities also come with complex and challenging cybersecurity risks.

According to Gartner, the insurance industry’s digital ecosystems are at a greater risk of cyberattacks as the global number of active IoT devices reaches 123 billion. Enterprise web applications are expected to experience a surge in data breaches caused by API attacks, making it the most common form of attack vector by the end of 2022.

In a digital environment, there are several common cybersecurity issues that can occur, including:

  • A lack of control and visibility makes it challenging to manage and monitor assets and application components in the cloud.
  • The use of microservices in digital ecosystems has the potential to improve access for users both within and outside the organization.
  • In microservices architectures, the data is frequently moved, modified, and accessed. This means data breaches can happen even if the communication channel is not exposed, and hackers can exploit weaknesses.

How insurers can protect their digital systems:

Collaborative approach required: Ecosystem partners need to revamp security measures and foster teamwork

Insurance companies must collaborate with their partners, third-party vendors, and even their competitors to combat cybercriminals, who often work together for success. To enhance their resilience, businesses need to review their security strategy to protect themselves, their network, and their partners.

To ensure open-source security, software developers and security teams must voluntarily collaborate. They should keep track of any cybersecurity incidents and dangers they come across and share that information transparently with each other. This includes the knowledge they gain, allowing them to identify and tackle threats effectively.

Insurers and vendors can improve their security by sharing their tools through open-source software. This allows them to receive feedback and offer their own protection to others while working together to establish a unified defense for their networks.

Embrace early detection: A wise investment

In an open-source digital ecosystem, it’s important to detect cybersecurity breaches early on. These attacks can cause a considerable amount of damage if they go unnoticed for weeks. It’s crucial to respond quickly and efficiently to identify the source of the breach, the affected systems, and the extent of the damage. Doing so will help neutralize the threat before it can cause any severe harm.

SIEM software helps companies proactively detect and mitigate security threats on their network to prevent disruptions to business operations.

By collecting and analyzing data as soon as it is captured from applications, cloud environments, and networks, security and IT teams can manage event logs and network flow data automatically in a single location.

Implementing zero-trust security: Treating everyone as a potential threat

Zero-trust architecture is a security approach that assumes that every connection and endpoint could pose a threat to an organization’s assets, data, applications, and services. This means that both internal and external sources are considered potential threats, and all connections are secured, even those already established within the organization.

Currently, approximately 60% of organizations in North America are working on zero-trust projects. Meanwhile, around 50% of companies in the insurance and finance industries have identified zero-trust security models as a high-priority area for their businesses.

Furthermore, the security model evaluates whether the connection complies with the security policies and protocols of the organization. By enforcing access restrictions, users are limited to accessing only the necessary information and are unable to access any additional data.

Implementing and maintaining a zero-trust security approach may be difficult for insurance companies that still rely on outdated technology. This method demands continual real-time authentication and verification to regulate user access. However, antiquated software may lack the necessary authentication, validation, and monitoring capabilities, which can impede the rollout of this security strategy.

Enhance security with robust authentication protocols

It is recommended that insurance companies utilize technology such as Privileged Access Management (PAM) SaaS to establish a zero-trust security approach. This can help reduce the number of entry points for cyber attackers and minimize the extent of damage caused by both internal and external attacks.

To access the system, users with special permissions must have their credentials checked and are limited in what they can do. PAM tools use automation and user-friendly workflows to set up privileged-access programs and a security framework based on zero trust.

Data segmentation

To protect customer and company information and resources, it is crucial to segment data. This means limiting access to data and allowing users to access it only when necessary and appropriate.

Studying how people use network servers can make it easier to see what’s happening and improve security in a digital environment.

One way to protect resources is by using distributed resource protection mechanisms (DRPM). These verify client or partner profiles and only grant capability tokens to those who meet the criteria.

To control a user’s access to resources, it is crucial to implement time limits and issue tokens that expire quickly. As the user becomes more reliable, the validity of their token can be expanded over time by the provider of the resources.
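The capability-token scheme described in the two paragraphs above, as an added example that is not part of the original post or of any DRPM product: a provider checks a partner profile against its criteria, issues an HMAC-signed token whose lifetime depends on the partner's trust tier, and lengthens future lifetimes by promoting partners with a clean record. The profiles, criteria, trust tiers, TTLs and the signing key are all constructed assumptions.

```python
"""Short-lived capability tokens whose TTL grows with partner trust.

Added example; not LenderDock's code. Uses HMAC-SHA256 over a JSON claim set.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key. A real provider keeps this in a KMS/HSM and rotates it.
SERVER_KEY = b"constructed-demo-key-rotate-me"

# Assumed trust tiers (seconds of validity): a new partner gets 5 minutes,
# an established one an hour, a verified one a day.
TRUST_LADDER = ["new", "established", "verified"]
TTL_BY_TRUST = {"new": 300, "established": 3600, "verified": 86400}

# Constructed partner profiles with the fields the issuance criteria check.
PROFILES = {
    "partner-a": {"kyc_complete": True, "incidents_90d": 0, "trust": "established"},
    "partner-b": {"kyc_complete": False, "incidents_90d": 0, "trust": "new"},
    "partner-c": {"kyc_complete": True, "incidents_90d": 2, "trust": "verified"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest())


def meets_criteria(profile: dict) -> bool:
    """Issuance gate: identity verified and no security incidents in 90 days."""
    return bool(profile["kyc_complete"]) and profile["incidents_90d"] == 0


def issue_token(subject: str, capabilities: list, now: Optional[float] = None) -> Optional[str]:
    """Return a signed capability token, or None if the subject fails the criteria."""
    profile = PROFILES.get(subject)
    if profile is None or not meets_criteria(profile):
        return None
    now = time.time() if now is None else now
    ttl = TTL_BY_TRUST[profile["trust"]]
    claims = {"sub": subject, "cap": sorted(capabilities), "iat": int(now), "exp": int(now) + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(payload)}.{_sign(payload)}"


def check_token(token: str, required: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Verify signature first, then expiry, then that the capability was granted."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
    except ValueError:  # covers a missing '.' and bad base64 (binascii.Error)
        return False, "malformed"
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "bad signature"
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return False, "expired"
    if required not in claims["cap"]:
        return False, "capability not granted"
    return True, "ok"


def promote(subject: str) -> str:
    """Provider-side step: move a partner with a clean record one tier up.

    Tokens already issued keep their original expiry; only new ones get the
    longer TTL, so trust is extended gradually rather than retroactively.
    """
    profile = PROFILES[subject]
    if profile["incidents_90d"] == 0:
        i = TRUST_LADDER.index(profile["trust"])
        profile["trust"] = TRUST_LADDER[min(i + 1, len(TRUST_LADDER) - 1)]
    return profile["trust"]


if __name__ == "__main__":
    tok = issue_token("partner-a", ["claims:read"])
    print("issued:", tok)
    print("check read  :", check_token(tok, "claims:read"))
    print("check write :", check_token(tok, "claims:write"))
    print("partner-b   :", issue_token("partner-b", ["claims:read"]))
```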

Regularly conduct stress tests

A stress test is a method used to evaluate the ability of your application, system, or software to withstand extreme conditions. The objective is to detect any weaknesses, enabling you to reinforce security measures before cyber attackers make attempts to exploit them and break into your organization’s or partner’s network.

IBM’s study found that organizations that have incident response teams and tested response plans experience data breaches that cost $2.46 million less than those without such measures in place.

Insurers have various methods to conduct stress tests.

To identify vulnerabilities in their computer systems and networks, some companies opt to hire external investigators. First American Bank, for example, spends about $10,000 annually on these investigations to infiltrate their network systems.

To effectively test security measures and evaluate your team’s response to a major cyber threat, simulating a real-world scenario is the best approach.

Ecosystem partner evaluation: A comprehensive approach

Accenture’s report shows that while 97% of insurance companies believe they have the necessary qualities to be a desirable ecosystem partner, only 26% of those insurers feel that their ecosystem partners are equally committed to enhancing their security resilience.

Insurance companies need to perform a security assessment or audit before adding new partners to their systems.

Insurance companies are depending on third-party vendors such as cloud service providers and software-as-a-service to grow their digital operations. To safeguard their data, it is crucial for them to select vendors who possess strong data handling strategies and excellent cybersecurity credentials.

Look for Service Organization Control 2 (SOC 2) certification

The SOC 2 certification is a report that confirms that service providers adhere to specific standards for managing customer data. It involves an auditing process created by the American Institute of CPAs (AICPA) and is widely used in the industry to evaluate internal controls.

To obtain SOC 2 certification, a vendor must undergo a rigorous audit that verifies their compliance with IT security standards. The audit assesses the efficiency of their data security policies and systems, processing accuracy, confidentiality, and protection of customer information.

LenderDock itself is SOC 2 certified. It monitors the health of these systems by automating most areas and has a dedicated team that oversees their performance.

In other words, your data is secure, and your process is simplified using LenderDock’s services.

Take immediate action!

Although there is a risk involved in providing vendors with access to customer data, transaction information, and digital assets, the benefits of these systems guarantee their continued use.

It’s important for insurers and their partners to stay updated on the most recent cyber threats and work together to decrease the risks of cybersecurity in the system. Taking prompt action is crucial.

As technology continues to progress, insurance companies are faced with an ever-growing risk of malicious attacks that could jeopardize the data they retain on their policyholders. It is anticipated this threat will only increase in frequency and intensity over the coming years.

In today’s digital age, the chances of facing a cybersecurity attack are increasingly high. Data shows that the United States faced 46% of the world’s cyberattacks in 2020 alone – a worrying figure, more than twice that of any other nation. It is no longer a question of “if” an organization will be targeted by hackers, but of when it can expect to encounter such a threat.

As the risk of digital breaches increases every year, companies in high-risk fields must take a proactive approach to security. It isn’t about being more prepared than competitors – it’s about evaluating your resources and determining which ones are worth protecting from attack. This will help you determine your level of susceptibility and what preparation steps need to be taken.

With attacks predicted to become more frequent and intense in the future, cyber-criminals are increasingly targeting insurance companies for their vast caches of personal information. The massive amounts of Personally Identifiable Information (PII) stored by insurers are highly sought-after resources on the dark web, with millions of Americans already affected. To protect their policyholders from nefarious actors, it’s essential that these organizations continually invest in cutting-edge security protocols and practices.

With the cyber threat landscape constantly evolving, 68% of business leaders feel like their cybersecurity risks are rising. As a leader in an insurance firm, it is time to take action and guarantee that you are fully prepared for any impending threats. Here’s how: maximize your team’s efficiency and response times by taking preventative steps to limit all potential risks posed by cybercriminals.

1. Prepare Your Employees with the Essential Skills to Reduce Risk

It is critical to consider all potential vulnerabilities when analyzing security risks. A study revealed that 95% of cyber-attacks are caused by human error, which can happen at any access point during online activity. Therefore, teaching employees the appropriate digital safety techniques should be a top priority to prevent misfortune.

Here are some tips and tricks for keeping your data secure:

  • Instill the Responsibility of Device Care — Recent data from Forrester revealed that 15% of corporate intrusions are caused by lost or stolen devices. With remote work on the rise, it is crucial to be proactive and take precautions; any device, personal or professional, can become a gateway into your network. To stay safe, IT teams should consider investing in a device management solution that allows them to manage employee devices remotely and minimize risk exposure. However, this must only serve as an additional security measure; it shouldn’t replace existing solutions.
  • Educate Staff to Identify Suspicious Behavior — To maximize the safety of their devices, employees must be trained to recognize any possible signs of suspicious activity. This could include new apps and programs suddenly appearing on their device; a slow-down in performance for no clear reason; added browser extensions or tabs that weren’t there before; as well as loss in mouse/keyboard control. Thus, it is essential for all personnel using company equipment to stay alert and mindful of such occurrences.
  • Safeguard Confidentiality at All Times — Make sure to properly communicate the importance of secure processes such as virtual private networks (VPNs), multi-factor authentication, and frequent password changes to all staff. Showcase tangible examples of data breach consequences in order for employees to comprehend that threats can arise anytime, anywhere – placing them and their confidential information at risk too. This will emphasize how imperative careful security management is for everyone.
  • Make the Most of Training and Online Courses — To ensure your organization’s safety, frequent “security check-ins” and comprehensive virtual training courses are available from the Federal Trade Commission, Department of Homeland Security, and other reputable sources. These invaluable tools will equip you with everything you need to protect your business from harm.

2. Unlock the power of Artificial Intelligence (AI) and Machine Learning (ML)

As insurance companies become increasingly digitized, the employment of artificial intelligence and machine learning techniques can help mitigate risk. Data aggregation is a powerful tool for combating malware, ransomware, as well as advanced persistent threats (APT). AI & ML allow for exponentially faster data analysis to detect anomalies within datasets. Implementing these technologies further enables continuous monitoring of workflows and rapid response should an attack occur.

When searching for a cybersecurity solution to secure your firm’s data, you must be sure that it follows certain measures. Make access control management, examining data behavior, encryption of large volumes of information, and prevention from potential leaks top priorities in order to ensure the safety of your insurance business.

3. Design a Detailed Action Plan

Having a well-defined plan and protocol can bring peace of mind to all stakeholders – insurance leaders, investors, and customers. This strategy should encompass all possible safety protocols as well as emergency actions. Here are some suggestions for best practices:

  • Data Privacy Rules and Regulations: Designed to deliver a comprehensive overview of corporate data processing and guarantee the utmost safety, this guide will ensure your company’s security.
  • Retention Policy: This document outlines the specific requirements for where and how long corporate data must be retained, providing a comprehensive overview of storage and archival processes.
  • Data Protection Policy: Uncovering the way an organization manages the private data of its employees, customers, vendors, and other external stakeholders is essential.
  • Incident Response Plan: To guarantee a swift, competent, and systematic response to security incidents, including ransomware attacks and breaches, appropriate responsibilities and processes must be defined and followed.

Despite the possibility of a cyber threat appearing to be remote, it is essential for insurance firms to optimize their preparedness and security in order to protect against potential attacks. In recent years, countless businesses regardless of size have fallen victim to cyberattacks – an unfortunate trend that continues today. If your company relies on digital systems or employees engage with the online ecosystem, chances are high that you may experience either attempted or successful intrusion attempts.

Can your organization risk an unexpected disaster? If the answer is a resounding no, it’s time to act! Protect what matters most – resources, personnel, and especially customers. Put your plan into motion now so you can be sure of security in any situation.

Insurance organizations contain a plethora of sensitive and confidential data. As they evolve their technology and work more closely with others, how can they protect this delicate information?

As the insurance industry stores immense amounts of confidential, personal, and financial details on its policyholders, it’s not difficult to comprehend why they are such a desirable goal for fraudsters.

Recent data from IBM’s Threat Intelligence Index reveals a concerning statistic: finance and insurance are the second most targeted industries for cyber attackers at 22.4% of all known attacks, surpassed only by manufacturing due to vulnerable global supply chains. This is the first time in over five years that finance and insurance have not topped this list, showing just how serious the continuing threat remains to insurers and insurtechs alike.

In a recent interview with InsurTech Magazine, Alan Calder, CEO of GRC International Group–a provider of IT governance, risk management, and compliance solutions–shared that, “Cybercriminals are pros at accessing, exfiltrating, and monetizing personal databases. They’re good at extorting organizations, are being pushed into increasing digitization and automation and, unless cyber security and privacy issues are considered in detail as part of project planning, organizations tend to leave large holes in what should be secure systems. Cybercriminals find and exploit these gaps. As well as these technical vulnerabilities, cybercriminals regularly ‘social engineer’ staff into providing access to systems and data.

“This all means that insurers have to build privacy by design into their systems, and they have to train and keep their staff continuously aware of the ever-changing social engineering attacks that are being focused on them.”

Insurers must be aware of the potential threats posed by mishandling confidential information.

The insurance industry is continually adopting new technology and needs to be vigilant about potential weaknesses. If a fresh platform leaves an insurer exposed to fraudsters, it’s not beneficial – it’s more of a liability. Plus, due to the ever-increasing number of alliances, purchases, and integrations within this sector, insurers must carefully weigh the extent of risk that comes with each choice they make.

“One of the biggest concerns in the insurance sector when it comes to using data is how widespread party sales functions are,” says Caroline Carruthers, the UK’s first ever Chief Data Officer at Network Rail and a highly acclaimed independent data consultant who offers her expertise to both public and private organizations on managing their data.

“Agents who sell insurance often use third-party data, and they don’t always have a robust process for how data is transferred to each organization. That in itself is a foundation-level issue because if you can’t rely on consistent, quality data coming to you, and you can’t rely on consistent governance and security of that data, you’re approaching data transformation with your hands and feet tied.

“Any transfer of data between two different systems has an element of risk. Thankfully, most insurance companies have moved on from manual data entry, which poses the highest risk, but not enough companies have standardized how they transfer and store data across third parties. If you’ve paid for a lot of data from external sources, you need to be able to use it to drive value instead of being hampered by poor processes.”

Do customers remain confident in sharing their personal information with insurers?

Consumers have proven that they are willing to share their data with insurers, particularly if there is an incentive involved. However, most consumers (80%) remain apprehensive about how their personal details are being used online, a statistic made evident by e-commerce company Motive.co. The consequences of these exchanges can be significant, so it’s no wonder that individuals would like more control over the use of their data in this digital age.

There is an upside, though: research conducted by McKinsey with 1,000 North American consumers showed that financial services ranked first among sectors in terms of the security and trustworthiness of personal data. It’s essential to establish strong systems and prevent breaches; however, how you engage with customers can be fundamental to gaining public approval – not just as a way of shielding your business from cyber-attacks but also for being seen to do the proper thing.

LenderDock keeps sensitive data secure

When it comes to the security of your data, LenderDock is dedicated to maintaining a high level of protection. As a SOC2-certified company, we are far exceeding industry standards for safeguarding customer information and providing an extra layer of assurance that your data is secure with us.

Insurers are familiar with the many problems caused by cyberattacks, but how familiar is the industry with the specific types? 

The insurance and insurtech industries are more than aware of the potential dangers of cyberattacks. After all, insurers provide coverage to many of the entities that may be vulnerable to or targets of scammers that aim to disrupt business and steal data or monetary funds. 

With the issues they face today, what is the insurance industry doing to protect itself from these attacks and how will the current climate of the economy affect the ability of insurers to battle cyberattacks? 

What threats should providers be aware of? 

Insurtechs and insurance carriers face a variety of threats, including ransomware attacks, data exfiltration, email phishing scams, and distributed denial of service (DDoS) attacks.

Insurance companies store large amounts of both financial and personal data, which means that any successful cyberattack could have dire consequences for them as a company and for their customers. 

It comes as no surprise that the finance and insurance industries are targets of cyberattacks. Along with the possibility of unmitigated data loss, malware and DDoS attacks have the ability to cause disruption to financial institutions while leaving customers without access to services. 

The state of the 2022 cyber threat landscape 

According to the data from the 2022 IBM Security X-Force Threat Intelligence Index, server access attacks were the most common type of attack aimed at insurance and finance organizations. In 2021, they accounted for 14 percent.

Common cyber threats insurance organizations face:  

  • Server access attacks – An attack that involves gaining access to a company’s servers, either by exploiting a system weakness or by using stolen or leaked passwords. 
  • Ransomware – Malware that prevents a user from accessing their own programs and files until they have paid a ransom to the scammers. 
  • Credential harvesting – A credential harvesting (or password harvesting) attack involves attackers gathering many compromised user accounts, usually through phishing emails.
  • RATs – Remote access trojans are a type of malware that allows a criminal to remotely control an infected computer including accessing the files and data stored on it. 
  • Misconfiguration – An attack that occurs when a cybercriminal discovers vulnerabilities in the security configurations of a cloud, application, or web server. 

While the IBM Index shows that insurance and finance industries are no longer the most targeted for attacks – that title now belongs to the manufacturing industry – they still accounted for nearly a quarter of the threats (22.4 percent). 

Although the number is slightly lower than the previous year, this in no way means that insurtech and fintech companies are in the clear. 

Additionally, companies need to be aware of potential weaknesses within their organization that could leave them exposed to cyberattacks. Unfortunately, with recent staff layoffs as well as the rising cost of business operations, both insurtechs and insurance carriers are now as vulnerable as ever. 

LenderDock values security 

As a company, LenderDock takes possible security threats very seriously. Being SOC 2 certified, LenderDock is exceeding industry standards while protecting your data. Rest assured that your data is safe with LenderDock. 

Consumers are moving to digital channels and apps more than ever before to complete daily tasks, and the same trend is being seen in the insurance industry.

Let’s take a look at some of the risks you may face in the insurance sector.

Mobile apps: The risks

With many people moving to apps for their insurance needs, a great deal of valuable information ends up concentrated in those apps. Medical information, addresses, account numbers, SSNs, and the like are far more valuable on the black market than the average credit card number, since a credit card can be canceled. Personal information is usually permanent, and criminals can use it for fraud and other schemes.

With the large amount of information contained in the apps, it’s not particularly surprising that cybercriminals are targeting insurers and mobile apps.

Just recently, in 2021, the New York Department of Financial Services fined multiple insurers for noncompliance. Fines aren’t the only punishment for leaky insurers either: if a company is found negligent in protecting its mobile app, successful attacks often result in lawsuits.

Apps can be attacked in a multitude of ways, but there are six main ways the attacks occur. If proper steps are taken to protect consumer information, the vast majority of attacks will be unsuccessful.

1. Stealing personal policyholder information

Things like full legal names, marital status, date of birth, and social security numbers are often stored on insurance mobile apps. There can even be a driver’s license with car information (VIN, license plate number) stored on them.

To protect this data, it needs to be encrypted in the app using AES-256 or a similarly strong cipher. Stored data shouldn’t be the only thing encrypted, however; the data used by the APIs must be protected as well. If things like tokens, URLs, passwords, etc. aren’t properly secured, cybercriminals can easily use them to access the insurer’s system.

2. Location information

Insurtech and insurance apps track location data for many reasons, including things like driver behavior to provide discounts or to activate or deactivate coverage based on location.

By rooting (Android) or jailbreaking (iOS) a device, attackers gain elevated privileges that let them control the operating system and read location data. Apps should be able to detect when the device is jailbroken or rooted and shut down, so that data is not stored on an untrusted device.

3. Keyloggers and overlays

The latest malware tricks users by presenting a fake screen over an insurance app, making the user think they are entering their data into a trusted source. Malware that steals data this way can also take over accounts and carry out other malicious acts.

Keyloggers work similarly but run in the background, recording every key the consumer presses in an application. Mobile apps need to detect these attack types so they can stop operating while an attack is in effect, protecting the user and their data.

4. Intercepting data through transactions

Many insurtech apps allow policyholders to pay for coverage as they need it, adding coverage as they go. While this is a great feature, it also makes these apps vulnerable to attacks on payment information. To protect payment data, all such data must be encrypted at a level that complies with the PCI (Payment Card Industry) standard.

If an insurer is found to be in violation of PCI compliance, fines and even the loss of ability to accept credit cards as a payment type may result.
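Items 1 and 4 both come down to the same control: encrypting sensitive records, whether policyholder PII or payment data, with a strong authenticated cipher. The following Go program is an added example written for this article, not LenderDock’s code or any insurer’s app. It seals a constructed policyholder record with AES-256-GCM from Go’s standard library, binds the ciphertext to a record identifier so a blob cannot be transplanted onto another policy, and shows that any tampering is detected on decryption. The key source, record layout and identifiers are assumptions for illustration; in a real app the key lives in the platform keystore or a KMS, never as a constant in the binary.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize is 32 bytes, i.e. AES-256, the strength the article recommends.
const keySize = 32

// NewDataKey returns a fresh random 256-bit key. In production the key comes
// from the platform keystore or a KMS, never from a constant in the binary.
func NewDataKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM checks the key length and builds the AES-256-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext with AES-256-GCM. recordID is passed as
// additional authenticated data, so a blob sealed for one policy cannot be
// opened under another policy's ID. Output layout: nonce || ciphertext || tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce for every encryption; reusing a nonce under the
	// same key destroys GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. It fails closed on a truncated blob, a wrong
// key, a wrong recordID, or any modified byte of ciphertext or tag.
func OpenRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, sealed, []byte(recordID))
	if err != nil {
		return nil, errors.New("sealed record failed authentication (tampered, wrong key or wrong record id)")
	}
	return plaintext, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; every value is a placeholder, not real data.
	record := []byte(`{"name":"Jane Policyholder","ssn":"000-00-0000","vin":"EXAMPLEVIN0000000"}`)
	blob, err := SealRecord(key, "policy-12345", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(record), len(blob))

	if _, err := OpenRecord(key, "policy-99999", blob); err != nil {
		fmt.Println("wrong record id:", err)
	}
	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := OpenRecord(key, "policy-12345", blob); err != nil {
		fmt.Println("tampered blob:", err)
	}
}
```

Authenticated encryption is the important choice here: an unauthenticated mode such as plain AES-CBC would keep the record confidential but let a modified blob decrypt to garbage without complaint, whereas GCM refuses it outright. The same construction, with the key supplied by a keystore, HSM or tokenization service rather than generated in the app, is how the payment data in item 4 is kept encrypted in storage.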

5. Abuse of static and dynamic analysis tools

Developers use static and dynamic analysis tools to debug and complete other important tasks during software creation, but cybercriminals can use the same tools to discover an app’s internal logic. The insights enable them to create polished, targeted, and highly effective attacks not only on the apps, but also on the app’s back-end services.

Obfuscating the binary code helps prevent reverse engineering, while added shielding with anti-debugging, anti-reversing, and anti-tampering protections will strengthen the app’s defenses.

6. Network attacks

Many mobile apps from both insurtech and insurance companies communicate using TLS 1.1 and plain HTTP, neither of which is secure. They allow cybercriminals to perpetrate “man-in-the-middle” attacks on data in transit, stealing or even altering it mid-stream. To protect against such attacks, developers should implement TLS version enforcement, TLS 1.3, secure certificate validation and malicious proxy detection.
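To make “TLS version enforcement” and “secure certificate validation” concrete, here is an added Go example (not code from LenderDock or from any insurer’s app) that runs real TLS handshakes in memory using only Go’s standard library. It generates a throw-away self-signed certificate for an assumed host name, api.insurer.example, builds a hardened client configuration (TLS 1.3 floor, explicit trust store, host-name check) beside the weak configuration that skips validation, and shows that the hardened client refuses both a server capped at TLS 1.2 and a server presenting an untrusted certificate, while the weak client accepts the untrusted certificate, which is exactly the man-in-the-middle exposure described above. The legacy server is capped at TLS 1.2 rather than 1.1 because what is being demonstrated is the version floor the client enforces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

const apiHost = "api.insurer.example" // assumed host name for the example

// selfSignedCert makes a throw-away certificate for apiHost (test scaffolding; a real API uses a CA-issued one).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{apiHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, parsed, nil
}

// ServerConfig caps the server at maxVersion (TLS 1.2 stands in for a legacy server). Session
// tickets are disabled only because the synchronous in-memory pipe has no reader for them.
func ServerConfig(cert tls.Certificate, maxVersion uint16) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MaxVersion:             maxVersion,
		SessionTicketsDisabled: true,
	}
}

// HardenedClientConfig: TLS 1.3 floor plus chain and host-name validation against an explicit trust store.
func HardenedClientConfig(trusted *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &tls.Config{
		MinVersion: tls.VersionTLS13,
		RootCAs:    pool,
		ServerName: apiHost, // the name the server certificate must match
	}
}

// WeakClientConfig is the anti-pattern: any certificate from any TLS-terminating proxy is accepted.
func WeakClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// Handshake runs a full TLS handshake over an in-memory pipe and returns the negotiated version.
func Handshake(serverCfg, clientCfg *tls.Config) (uint16, error) {
	srvRaw, cliRaw := net.Pipe()
	defer func() { srvRaw.Close(); cliRaw.Close() }()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvRaw, serverCfg).Handshake() }()
	cli := tls.Client(cliRaw, clientCfg)
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	good, goodCert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	rogue, _, _ := selfSignedCert() // stands in for an interposed proxy's certificate
	hardened := HardenedClientConfig(goodCert)
	show := func(name string, s, c *tls.Config) {
		v, err := Handshake(s, c)
		fmt.Printf("%-42s version=0x%04x err=%v\n", name, v, err)
	}
	show("hardened client / TLS 1.3 server", ServerConfig(good, tls.VersionTLS13), hardened)
	show("hardened client / server capped at TLS 1.2", ServerConfig(good, tls.VersionTLS12), hardened)
	show("hardened client / untrusted certificate", ServerConfig(rogue, tls.VersionTLS13), hardened)
	show("weak client / untrusted certificate", ServerConfig(rogue, tls.VersionTLS13), WeakClientConfig())
}
```

Malicious proxy detection, the last item in that list, is largely the same check seen from the app’s side: a proxy that terminates TLS can only get past the hardened client if its certificate chains to a root the app trusts, so keeping the trust store explicit (or pinning the expected issuer) is what turns an interposed proxy into a handshake failure rather than a silent read of the traffic.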

In conclusion

Both insurtech and insurance industry members have a great chance to grow and improve consumer satisfaction with mobile apps. These apps must be secure, or a cybercriminal waiting in the dark will execute their next attack. Securing against these threats will help ensure the safety of everyone and their data while building a foundation for digital expansion.

LenderDock recently passed the SOC 2® Type 2 Examination. So, what does this really mean for you?

What is the SOC 2 Type II report?

It is a report on the suitability of the design and operating effectiveness of the controls used on our primary systems, supportive system components, and business processes that warrant our principal service. It also provides assurance to external parties with respect to the security and availability of the systems that validate LenderDock’s lienholder process automation and the confidentiality of the information that is processed by these systems.

How is LenderDock’s SOC 2 certification measured?

The certification is issued by outside auditors, who measure how well LenderDock has demonstrated adherence to five core trust principles, broken down as follows:

1. Security

This section of certification refers to the protection of system resources against unwanted and unauthorized access. Access controls help prevent abuse of the system, unauthorized removal or changing of data, theft, and software misuse.

Security tools used or installed by the IT department (e.g., web application firewalls, intrusion alerts, two-factor authentication) are helpful in preventing breaches that can lead to unauthorized access to company data and systems.

2. Availability

This principle refers to how accessible the system is, as well as the products and services that are stipulated in a contract or SLA (service level agreement). The minimum acceptable performance level for the system’s availability is set by both parties.

While this principle does not include system usability or functionality, it does involve security-related items that could affect availability.

3. Processing Integrity

Processing integrity addresses whether a system succeeds in its purpose (e.g., delivering data at the correct time). The data processing must be complete, timely, valid, accurate, and authorized.

4. Confidentiality

Data is labeled as confidential if its disclosure and access is restricted to specific personnel or organizations. Examples include business plans, intellectual property, company finances, and other types of sensitive information.

Encryption is important for the protection of confidential information during transmission. Both application and network firewalls and rigorous access controls can be used to safeguard company information that is being stored or processed on computer systems.

5. Privacy

The privacy section addresses the system’s ability to collect, use, retain, disclose, and dispose of personal information in compliance with LenderDock’s privacy notice, as well as the criteria set forth in the AICPA’s generally accepted privacy principles, also known as GAPP.

Personally identifiable information (PII) is information that can distinguish an individual (e.g., SSN, address, name). Some personal data related to sexuality, religion, health, and race is also considered sensitive and requires extra levels of security. Controls are required to protect all PII from unauthorized access.

Significance of SOC 2

SOC 2 audits are rigorous, and SOC 2 Type 2 reports are attested per the SSAE-18 standards published by the AICPA. The SOC 2 framework includes the 17 principles of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework, along with supplemental controls. LenderDock’s use of security controls aligns with the COSO principles and the supplemental controls.

What this means for you

LenderDock has put in place monitoring of the health of these systems by automating most areas and has a dedicated team that oversees the performance.

In other words, your data is secure, and your process is simplified using LenderDock’s services.