Security

Insurance organizations contain a plethora of sensitive and confidential data. As they evolve their technology and work more closely with others, how can they protect this delicate information?

As the insurance industry stores immense amounts of confidential, personal, and financial details on its policyholders, it’s not difficult to comprehend why insurers are such a desirable target for fraudsters.

Recent data from IBM’s Threat Intelligence Index reveals a concerning statistic: finance and insurance are the second most targeted industries for cyber attackers at 22.4% of all known attacks, surpassed only by manufacturing due to vulnerable global supply chains. This is the first time in over five years that finance and insurance have not topped this list, showing just how serious the continuing threat remains to insurers and insurtechs alike.

In a recent interview with InsurTech Magazine, Alan Calder, CEO of GRC International Group–a provider of IT governance, risk management, and compliance solutions–shared that, “Cybercriminals are pros at accessing, exfiltrating, and monetizing personal databases. They’re good at extorting organizations, are being pushed into increasing digitization and automation and, unless cyber security and privacy issues are considered in detail as part of project planning, organizations tend to leave large holes in what should be secure systems. Cybercriminals find and exploit these gaps. As well as these technical vulnerabilities, cybercriminals regularly ‘social engineer’ staff into providing access to systems and data.

“This all means that insurers have to build privacy by design into their systems, and they have to train and keep their staff continuously aware of the ever-changing social engineering attacks that are being focused on them.”

Insurers must be aware of the potential threats posed by mishandling confidential information.

The insurance industry is continually adopting new technology and needs to be vigilant about potential weaknesses. If a fresh platform leaves an insurer exposed to fraudsters, it’s not beneficial – it’s more of a liability. Plus, due to the ever-increasing number of alliances, purchases, and integrations within this sector, insurers must carefully weigh the extent of risk that comes with each choice they make.

“One of the biggest concerns in the insurance sector when it comes to using data is how widespread party sales functions are,” says Caroline Carruthers, the UK’s first ever Chief Data Officer at Network Rail and a highly acclaimed independent data consultant who offers her expertise to both public and private organizations when it comes to managing their data.

“Agents who sell insurance often use third-party data, and they don’t always have a robust process for how data is transferred to each organization. That in itself is a foundation-level issue because if you can’t rely on consistent, quality data coming to you, and you can’t rely on consistent governance and security of that data, you’re approaching data transformation with your hands and feet tied.

“Any transfer of data between two different systems has an element of risk. Thankfully, most insurance companies have moved on from manual data entry, which poses the highest risk, but not enough companies have standardized how they transfer and store data across third parties. If you’ve paid for a lot of data from external sources, you need to be able to use it to drive value instead of being hampered by poor processes.”

Do customers remain confident in sharing their personal information with insurers?

Consumers have proven that they are willing to share their data with insurers, particularly if there is an incentive involved. However, most consumers (80%) remain apprehensive about how their personal details are being used online, according to e-commerce company Motive.co. The consequences of these exchanges can be serious, so it’s no wonder that individuals would like more control over the use of their data in this digital age.

There is an upside to this issue, though: research conducted by McKinsey with 1,000 North American consumers demonstrated that financial services ranked first among sectors in terms of the security and trustworthiness of personal data. It’s essential to establish strong systems and prevent breaches; however, how you engage with customers can be fundamental for gaining public approval – not just as a way of shielding your business from cyber-attacks but also for being viewed as doing the proper thing.

LenderDock keeps sensitive data secure

When it comes to the security of your data, LenderDock is dedicated to maintaining a high level of protection. As a SOC2-certified company, we are far exceeding industry standards for safeguarding customer information and providing an extra layer of assurance that your data is secure with us.

Insurers are familiar with the many problems caused by cyberattacks, but how familiar is the industry with the specific types? 

The insurance and insurtech industries are more than aware of the potential dangers of cyberattacks. After all, insurers provide coverage to many of the entities that may be vulnerable to or targets of scammers that aim to disrupt business and steal data or monetary funds. 

With the issues they face today, what is the insurance industry doing to protect itself from these attacks and how will the current climate of the economy affect the ability of insurers to battle cyberattacks? 

What threats should providers be aware of? 

Insurtechs and insurance carriers face a variety of threats, including ransomware attacks, data exfiltration, email phishing scams, and distributed denial-of-service (DDoS) attacks.

Insurance companies store large amounts of both financial and personal data, which means that any successful cyberattack could have dire consequences for them as a company and for their customers. 

It comes as no surprise that the finance and insurance industries are targets of cyberattacks. Along with the possibility of unmitigated data loss, malware and DDoS attacks have the ability to cause disruption to financial institutions while leaving customers without access to services. 

The state of the 2022 cyber threat landscape 

According to the data from the 2022 IBM Security X-Force Threat Intelligence Index, server access attacks were the most common type of attack aimed at insurance and finance organizations. In 2021, they accounted for 14 percent.

Common cyber threats insurance organizations face:  

  • Server access attacks – An attack that involves gaining access to a company’s servers, either by exploiting a system weakness or by using stolen or leaked passwords. 
  • Ransomware – Malware that prevents a user from accessing their own programs and files until they have paid a ransom to the scammers. 
  • Credential harvesting – A credential harvesting (or password harvesting) attack involves attackers gathering many compromised user accounts, usually by sending phishing emails.
  • RATs – Remote access trojans are a type of malware that allows a criminal to remotely control an infected computer including accessing the files and data stored on it. 
  • Misconfiguration – An attack that occurs when a cybercriminal discovers vulnerabilities in the security configurations of a cloud, application, or web server. 

While the IBM Index shows that insurance and finance industries are no longer the most targeted for attacks – that title now belongs to the manufacturing industry – they still accounted for nearly a quarter of the threats (22.4 percent). 

Although the number is slightly lower than the previous year, this in no way means that insurtech and fintech companies are in the clear. 

Additionally, companies need to be aware of potential weaknesses within their organization that could leave them exposed to cyberattacks. Unfortunately, with recent staff layoffs as well as the rising cost of business operations, both insurtechs and insurance carriers are now as vulnerable as ever. 

LenderDock values security 

As a company, LenderDock takes possible security threats very seriously. Being SOC 2 certified, LenderDock is exceeding industry standards while protecting your data. Rest assured that your data is safe with LenderDock. 

Consumers are moving towards digital channels and apps more than ever before to complete daily tasks, and the same trend is being seen in the insurance industry.

Let’s take a look at some of the risks you may face in the insurance sector.

Mobile apps: The risks

As more people move to apps for their insurance needs, many valuable pieces of information end up concentrated in those apps. Medical information, addresses, account numbers, SSNs, etc. are far more valuable on the black market than the average credit card number, seeing as credit cards can be canceled. Personal information is usually permanent, and it can be used for fraud and other schemes by criminals.

With the large amount of information contained in the apps, it’s not particularly surprising that cybercriminals are targeting insurers and mobile apps.

Just recently in 2021, the New York Department of Financial Services fined multiple insurers for noncompliance breaches. Fines aren’t the only punishment for leaky insurers either. If companies are found negligent in protecting their mobile app, successful attacks often result in lawsuits.

Apps can be attacked in a multitude of ways, but there are six main ways the attacks occur. If proper steps are taken to protect consumer information, a vast majority of attacks will be unsuccessful.

1. Stealing personal policyholder information

Things like full legal names, marital status, date of birth, and social security numbers are often stored on insurance mobile apps. There can even be a driver’s license with car information (VIN, license plate number) stored on them.

To protect this data, it needs to be encrypted in the app using AES 256 or a similarly strong cipher. Stored policyholder data shouldn’t be the only thing that is encrypted, however: encryption should also cover the data used by the APIs. If things like tokens, URLs, passwords, etc. aren’t properly secured, cybercriminals can easily use them to access the insurer’s system.
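An added example of the field-level encryption described above, written for this page and not taken from LenderDock or any insurer. It assumes AES-256 in GCM mode (the text names only AES 256); `SealField`, `OpenField`, the field names and the sample value are hypothetical, and binding the field name as associated data goes one step beyond what the text asks for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // 16- or 24-byte keys would silently select AES-128/192
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one value; the field name is bound as associated data.
func SealField(key []byte, field, value string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(value), []byte(field)), nil // nonce||ct||tag
}

// OpenField decrypts and authenticates; tampered or relocated data is an error.
func OpenField(key []byte, field string, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(field))
	return string(pt), err
}

func main() {
	blob, _ := SealField(make([]byte, 32), "ssn", "000-00-0000") // constructed key and value
	fmt.Println(OpenField(make([]byte, 32), "vin", blob))        // wrong field name: refused
}
```

The same sealed format works for API tokens and passwords; the key itself belongs in the platform keystore, never next to the ciphertext.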

2. Location information

Insurtech and insurance apps track location data for many reasons, including things like driver behavior to provide discounts or to activate or deactivate coverage based on location.

By rooting (Android) or jailbreaking (iOS) a device, hackers can gain more privileges that allow them to control the operating system and access location data. Apps should be able to detect when the device is jailbroken or rooted and shut down to prevent unsafe data storage.

3. Keyloggers and overlays

The latest malware can trick users by presenting a fake screen over an insurance app, making them think that they’re entering their data into a trusted source. Malware steals data in this way and can also take over accounts and carry out other malevolent acts.

Keyloggers work similarly but run in the background while tracking every key entry a consumer makes in an application. Mobile apps need to detect these attack types so they can stop operating when they are in effect to protect the user and their data.

4. Intercepting data through transactions

Many insurtech apps allow policyholders to pay for coverage as they need it, adding coverage as they go. While this is a great feature, it also makes these apps vulnerable to attacks on payment information. To protect payment data, all data types must be encrypted to a level that complies with the PCI (Payment Card Industry) standard.

If an insurer is found to be in violation of PCI compliance, fines and even the loss of ability to accept credit cards as a payment type may result.

5. Abuse of static and dynamic analysis tools

Software developers use static and dynamic analysis tools to debug and complete other important tasks during software creation, but cybercriminals can use the same tools to discover an app’s internal logic. The insights enable them to create polished, targeted, and highly effective attacks on not only the apps, but also the apps’ back-end services.

Obscuring the binary code will help prevent reverse engineering, while added shielding with anti-debugging, anti-reversing, and anti-tampering protections will strengthen the app’s defenses.

6. Network attacks

Many mobile apps from both insurtech and insurance companies communicate using TLS 1.1 and HTTP, neither of which is particularly secure. Both allow cybercriminals to perpetrate “man-in-the-middle” attacks on data while it’s being transmitted, stealing and even altering it mid-stream. To protect against these attacks, developers should implement TLS version enforcement, TLS 1.3, secure certificate validation, and malicious proxy detection.
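An added example (not from the original page) of TLS version enforcement with certificate validation left on: a Go HTTP client that refuses anything below TLS 1.3, exercised against constructed loopback backends. `hardenedClient` and `probe` are hypothetical names, and the backends use the test certificate built into Go's `httptest` package.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hardenedClient refuses any protocol below TLS 1.3 and leaves certificate
// validation on (InsecureSkipVerify stays false), trusting only the given roots.
func hardenedClient(roots *x509.CertPool) *http.Client {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: roots}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// probe starts a constructed loopback backend capped at serverMax and returns
// the TLS version the hardened client negotiated, or the handshake error.
func probe(serverMax uint16, trustServerCert bool) (uint16, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: serverMax}
	srv.StartTLS()
	defer srv.Close()

	roots := x509.NewCertPool() // empty pool: nothing is trusted by default
	if trustServerCert {
		roots.AddCert(srv.Certificate())
	}
	resp, err := hardenedClient(roots).Get(srv.URL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.TLS.Version, nil
}

func main() {
	v, err := probe(tls.VersionTLS11, true) // legacy backend: handshake refused
	fmt.Printf("TLS 1.1 backend: version=%#x err=%v\n", v, err)
	v, err = probe(tls.VersionTLS13, true) // modern backend: 0x304 is TLS 1.3
	fmt.Printf("TLS 1.3 backend: version=%#x err=%v\n", v, err)
}
```

Calling `probe` with `trustServerCert` set to false shows the third outcome: a TLS 1.3 backend whose certificate the client does not trust is rejected as well.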

In conclusion

Both insurtech and insurance industry members have a great chance to grow and improve consumer satisfaction with mobile apps. These apps must be secure or a cybercriminal is waiting in the dark to execute their next attack. Securing against these threats will help ensure the safety of everyone and their data while building a foundation for digital expansion.

LenderDock recently passed the SOC 2® Type 2 Examination. So, what does this really mean for you?

What is the SOC 2 Type II report?

It is a report on the suitability of the design and operating effectiveness of the controls used on our primary systems, supportive system components, and business processes that warrant our principal service. It also provides assurance to external parties with respect to the security and availability of the systems that validate LenderDock’s lienholder process automation and the confidentiality of the information that is processed by these systems.

How is LenderDock’s SOC 2 certification measured?

The certification is issued through outside auditors. They measure the ability that LenderDock has demonstrated in following five core trust principles, which are broken down as follows:

1. Security

This section of certification refers to the protection of system resources against unwanted and unauthorized access. Access controls help prevent abuse of the system, unauthorized removal or changing of data, theft, and software misuse.

Security tools used or installed by the IT department (e.g., web application firewalls, intrusion alerts, two-factor authentication) are helpful in preventing breaches that can lead to unauthorized access to company data and systems.

2. Availability

This principle refers to how accessible the system is, as well as the products and services that are stipulated in a contract or SLA (service level agreement). The base acceptable performance level for the system’s availability is set by both parties.

While this principle does not include system usability or functionality, it does involve security-related items that could affect availability.

3. Processing Integrity

Processing integrity addresses whether a system succeeds in its purpose (e.g., delivering data at the correct time). The data processing must be complete, timely, valid, accurate, and authorized.

4. Confidentiality

Data is labeled as confidential if its disclosure and access are restricted to specific personnel or organizations. Examples include business plans, intellectual property, company finances, and other types of sensitive information.

Encryption is important for the protection of confidential information during transmission. Both application and network firewalls and rigorous access controls can be used to safeguard company information that is being stored or processed on computer systems.

5. Privacy

The privacy section addresses the system’s ability to collect, use, retain, disclose, and dispose of personal information in compliance with LenderDock’s privacy notice, as well as the criteria set forth in the AICPA’s generally accepted privacy principles, also known as GAPP.

Personally identifiable information (PII) is information that can distinguish an individual (e.g., SSN, address, name). Some personal data related to sexuality, religion, health, and race is also considered sensitive and requires extra levels of security. Controls are required to protect all PII from unauthorized access.

Significance of SOC 2

SOC 2 audits are rigid, and SOC 2 Type 2 reports are attested per the SSAE-18 standards published by AICPA. The SOC 2 framework includes the 17 principles of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework, along with supplemental controls. LenderDock’s use of security controls aligns with the COSO principles and the supplemental controls.

What this means for you

LenderDock has put in place monitoring of the health of these systems by automating most areas and has a dedicated team that oversees the performance.

In other words, your data is secure, and your process is simplified using LenderDock’s services.