Insurance consumers are more digitally connected than ever. Combined with the enormous amounts of sensitive customer data that insurers hold, this means data theft risk is escalating in 2021.
The Covid-19 pandemic has accelerated major shifts in insurance consumer expectations and behaviors. Digital use has skyrocketed. In response, insurance companies have reimagined and rebuilt the value delivery chain to cut costs, retain customers and adapt. Examples include everything from self-service kits and usage-based offerings to work-from-home staffing and the accelerated digitalization of distribution and claims. While some shifts are short-term, others such as digital models are here to stay.
This rapid pace of change in the digital space is making cyber risks challenging for insurers. In 1H 2020 alone, the FBI and Interpol reported digital crime up 75 percent. The consequences for insurers are significant. Financially, the cost of a data breach is approaching $6 million. Strategically, loss of customer trust due to a data breach could severely impact retention, differentiation and growth plans. As insurers continue to digitalize their operations, make use of cloud, AI and IoT, and utilize more partner technologies, cyberattackers continuously move to exploit the point of least resistance.
of insurers may be vulnerable to web skimming based on a non-intrusive client-side data theft analysis
is the average cost of a data breach within the financial services industry, including insurance
year-on-year increase in compromised records in 2020 with over 37 billion records being compromised last year
Hackers target the client-side web app and web supply chain
data breach incidents were reported within financial services in 2020 according to a VDBIR Report
of the data breaches in financial services were financially motivated and 77% involved personal data
Client-side data breach and compliance risks
One of every two data breaches is the result of hackers, according to a Ponemon 2020 study. With the web browser now a highly targeted attack surface, insurance companies are extending their server-centric security perimeter to the web browser to address several client-side vulnerabilities:
This vulnerability involves arbitrary (i.e. malicious) CSS code being injected in an insurer’s website at runtime. Compromised CSS code can extract sensitive data.
Formjacking mimics real-world card skimming. Malicious formjacking code secretly captures data – such as login credentials and payment and PII data – as your customer submits it in an online form. The data is then transmitted to a criminal destination. Kaspersky detected 510,000 unique web skimmers used across industries in 2019 and a 187% year-over-year growth in web skimming attacks.
The unauthorized transmission of data to an external recipient or destination, whether that recipient is itself authorized or unauthorized, happening either accidentally or with malicious intent.
Keyloggers are a type of monitoring software designed to record keystrokes made by a user. Keystroke loggers record the information your customer types into your website and send it to hacker sites.
HTML tags and piggybacking
Tags are used to facilitate the collection and sharing of data between a website and third-party technologies. Tag code, delivered at runtime, instructs the browser to send data to third parties and allows third parties access to data collected on the site. This risk is further compounded when third parties include tags for their partners (piggybacking).
The hacker first finds a way to infect the customer’s device. Once infected, the malware installs itself on the browser without the customer’s knowledge. The malware then records data sent between the customer and insurer and transmits it to a criminal site.
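The formjacking, data leakage and tag piggybacking risks described above can be checked for from the defender's side by recording the requests a page makes while a test user submits a form and auditing where the typed values end up. The following is an added example, not part of the original article: it runs under Node.js, and every host name, field name, value and the approved-tag list in it is constructed for illustration.

```javascript
// Added example. All hosts, field names and values are constructed for illustration.
const FIRST_PARTY = "insurer.example";
const APPROVED_TAGS = new Set(["analytics.example"]); // third parties the site owner signed off on

// Values a test user typed into the quote form (synthetic test data).
const typed = { email: "pat@customer.example", card: "4111111111111111" };
const b64 = (s) => Buffer.from(s).toString("base64");

// Requests recorded during that submission, e.g. exported from a test browser.
const observed = [
  { url: "https://insurer.example/api/quote", initiator: "https://insurer.example/app.js",
    body: "email=pat%40customer.example&card=4111111111111111" },
  { url: "https://analytics.example/collect?page=quote", initiator: "https://analytics.example/tag.js", body: "" },
  { url: "https://partner-pixel.example/p.gif?e=" + encodeURIComponent(b64(typed.email)),
    initiator: "https://analytics.example/tag.js", body: "" },
  { url: "https://cdn-metrics.example/log", initiator: "https://insurer.example/vendor/widget.js",
    body: JSON.stringify({ c: typed.card }) },
];

// Forms in which a typed value commonly appears on the wire.
function encodings(v) {
  return [v, encodeURIComponent(v), b64(v), encodeURIComponent(b64(v))];
}

function auditRequests(requests) {
  const findings = [];
  for (const r of requests) {
    const dest = new URL(r.url).hostname;
    if (dest === FIRST_PARTY) continue; // first-party submission is expected
    const src = new URL(r.initiator).hostname;
    const wire = r.url + "\n" + r.body;
    const leaked = Object.keys(typed).filter((f) => encodings(typed[f]).some((e) => wire.includes(e)));
    const unapproved = !APPROVED_TAGS.has(dest);
    // Piggybacking: a third-party script caused a request to yet another party.
    const piggybackedVia = src !== FIRST_PARTY && src !== dest ? src : null;
    if (leaked.length || unapproved || piggybackedVia) {
      findings.push({ dest, leaked, unapproved, piggybackedVia });
    }
  }
  return findings;
}

console.log(auditRequests(observed));
```

On the constructed sample, the audit reports the pixel request that an approved tag piggybacked in (carrying the base64-encoded email) and the unapproved host that received the card number from a first-party-hosted script; the approved analytics call that carries no typed data is not reported.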