Software Security Testing for Insurers: How to Prevent Breaches

Insurers are one of the hackers’ favorite targets because these companies hold a plethora of valuable personal data. In fact, the insurance domain is 300 times more susceptible to cyber-attacks than any other industry. One of the largest for-profit health insurers in the United States, Anthem, is a vivid example of this. In 2015, it revealed that personal health information for more than 37 million people may have been stolen from its servers.
By Dmitry Vyrostkov

The effects of cybercrime are being felt throughout the insurance industry. Providers are subject to increasingly strict regulatory requirements, which can hamper business. When breaches do occur, providers face strained customer relationships, costly legal disputes, and regulatory fines. In worst-case scenarios, a company could be forced to file for bankruptcy.

However, executives can take steps toward preventing these issues, starting with investing in software and a reliable data security team that can proactively manage and prevent vulnerabilities. Frequent software testing is one of the most efficient ways of minimizing the risk of a cyber attack.

Reasons for Software Security Testing

It is natural to relax once your company has implemented an effective digital security system; however, preventing attacks requires ongoing vigilance. Given the elevated risk that insurance software providers face, letting your guard down can result in a costly breach.

Insurers often outsource their software needs to third-party vendors. These vendors can offer cost savings as they handle the software and security services. However, third-party vendors present security risks of their own and cannot be solely responsible for ensuring your data protection.

Consider the recent ransomware attack at DXC, a technology provider for insurance firms. The virus locked clients out of DXC’s systems, making it impossible for insurance companies to operate normally. While the attack was isolated in one of DXC’s systems, which minimized the damage, it does illustrate the limits of third-party vendors. An in-house security team whose reaction to attacks is continuously examined allows for more proactive monitoring, as well as the ability to quickly fix vulnerabilities.

Likewise, when a brand fails to maintain operational efficiency and exposes itself to online threats, its reputation is on the line. When attacks occur, clients may lose trust and jump ship to companies that prioritize customer privacy. Although this may seem like a small PR incident at first, a security breach can spiral into a major loss of business.

To prevent possible breaches, insurers should evaluate their software from a variety of angles. Let’s consider the most popular of them.

Penetration Testing

Penetration testing (pentesting) involves running a simulated attack on a network or application to evaluate the system’s ability to defend against internal and external attacks.

This method typically includes both manual and automated techniques. The latter relies on tools that deliver coverage and speed a purely manual process could not achieve.

Why is penetration testing relevant to insurance companies?

Pentests can help expose a company’s security flaws and show how they might cause harm in the future. An extensive pentest can also reveal hidden problems that your competitors may be ignoring.

Pentests can also help insurance companies evaluate the effectiveness of their IT security mechanisms, which may prevent attacks that reveal trade secrets or expose customer data. With penetration testing, insurers can understand their vulnerabilities and get advice on how to fix them.

Cloud Security Audit

Insurance companies have increasingly turned to cloud services to store their most sensitive data. However, these services, which are usually offered by third-party vendors, are also prime targets for hackers.

Cloud security audits verify that the company-maintained infrastructure is free of configuration errors and that it conforms to (or exceeds) your company’s security policy. A thorough audit scan can also reveal security gaps and other issues that should be addressed to mitigate the risk of potential breaches.

Why should insurers conduct cloud-based audits?

The costs associated with these breaches continue to skyrocket. For instance, following a massive cyber attack last year, Capital One was recently ordered to pay an $80 million penalty to U.S. regulators. The breach was traced to infrequent checks of the company’s cloud resources for excessive privileges.

If this company had invested in a thorough cloud security audit, they may have avoided that unnecessary expense.
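One concrete check such an audit performs is reviewing access policies for excessive privileges. The script below is an added example for this article, not DataArt’s code or any cloud vendor’s tool: it reads IAM-style JSON policy documents (two constructed samples are embedded) and flags wildcard actions, wildcard resources combined with state-changing actions, admin-equivalent grants, Allow statements built on NotAction, and sensitive actions granted without a condition. The finding codes and the sensitive-action watchlist are illustrative choices, not an official rule set.

```python
"""Flag over-permissive statements in IAM-style JSON policy documents.

Added example for this article (not DataArt's or any cloud vendor's code).
The two policy documents below are constructed; the finding codes and the
sensitive-action watchlist are illustrative choices, not an official rule set.
"""
import json

# Actions that can widen a principal's access if handed out without conditions.
# Hypothetical watchlist for illustration; a real audit uses a fuller list.
SENSITIVE_ACTIONS = {
    "iam:PassRole",
    "iam:CreatePolicyVersion",
    "iam:AttachUserPolicy",
    "sts:AssumeRole",
}
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")

# Constructed sample 1: the kind of policy an audit should reject.
OVERLY_PERMISSIVE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "s3:*"], "Resource": "*"}
  ]
}"""

# Constructed sample 2: read access to one bucket, over TLS only.
LEAST_PRIVILEGE = """{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-claims-bucket",
                 "arn:aws:s3:::example-claims-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}
  }
}"""


def _as_list(value):
    """Policy fields such as Action, Resource and Statement may be a single
    string/object or a list; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _is_read_only(action):
    """Heuristic: service:Get*/List*/Describe*/Head* do not change state."""
    if ":" not in action:
        return False  # a bare "*" is anything but read-only
    return action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)


def audit_statement(stmt, index):
    """Return (statement index, finding code, detail) tuples for one statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny statements only narrow access
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    has_condition = bool(stmt.get("Condition"))

    if "NotAction" in stmt:
        findings.append((index, "NOT_ACTION_ALLOW",
                         "Allow with NotAction grants everything not listed"))
    if "*" in actions and "*" in resources:
        findings.append((index, "ADMIN_EQUIVALENT", "Action * on Resource *"))
    for action in actions:
        if action == "*" or action.endswith(":*"):
            findings.append((index, "WILDCARD_ACTION", action))
        if action in SENSITIVE_ACTIONS and not has_condition:
            findings.append((index, "UNCONDITIONED_SENSITIVE_ACTION", action))
    if "*" in resources and any(not _is_read_only(a) for a in actions):
        findings.append((index, "WILDCARD_RESOURCE_WRITE",
                         "state-changing actions allowed on every resource"))
    return findings


def audit_policy(policy):
    """Audit a parsed policy document; returns all findings across statements."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        findings.extend(audit_statement(stmt, index))
    return findings


def audit_policy_json(text):
    return audit_policy(json.loads(text))


def finding_codes(findings):
    """Distinct finding codes, sorted, for a quick summary."""
    return sorted({code for _, code, _ in findings})


if __name__ == "__main__":
    for name, doc in (("overly permissive", OVERLY_PERMISSIVE),
                      ("least privilege", LEAST_PRIVILEGE)):
        results = audit_policy_json(doc)
        print(f"{name}: {len(results)} finding(s)")
        for index, code, detail in results:
            print(f"  statement {index}: {code} ({detail})")
```

Run on the two embedded policies, the script reports six findings for the first and none for the least-privilege one. In practice you would feed it the policies exported from the cloud account and treat each finding as a review item for the owning team rather than as a confirmed vulnerability; the read-only heuristic in particular is a starting point that your own audit rules should refine.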

Software Security: Compliance Management

While developing software, companies are obligated to comply with federal and state cybersecurity laws, as well as HIPAA, SOX, and FISMA requirements. While these laws differ by state, they all require companies to take measures to protect customer data and to disclose potential issues.

Some laws, like New York’s NYDFS Cybersecurity regulation, require companies to report breaches within 72 hours. Companies that do not report within this timeline can face substantial fines.

At the federal level, the Gramm-Leach-Bliley Act of 1999 (‘GLBA’) requires that insurance agents and brokers safeguard certain personal information. The law is enforced on a state level and provides a basic framework for safety requirements. States are free to set more stringent laws and decide how to enforce federal regulations. In contrast, the NYDFS Cybersecurity Regulation specifies the policies, procedures, and safeguards that a covered entity must implement based on risks and vulnerabilities identified during periodic cybersecurity risk assessments.

What is the essence of compliance management to insurers?

Enhanced cybersecurity may result in increased insurance costs, as well as additional documentation. However, compliance management keeps insurers on good terms with regulatory authorities. This is itself a badge of accreditation that gives clients a reason to trust your brand. Furthermore, in the event of a malicious attack, being compliant reduces the possibility of excessive financial penalties.

Vulnerability Management: How to Respond to Cyber Attacks

Security monitoring involves the adoption of a holistic system that accounts for every possible vulnerability. This includes measures to prevent, detect, and resolve potential issues before they develop into large-scale problems.

Some of the activities involved in this phase include analysis of actual threats, hosting environment hardening and patching, security audits, log monitoring, investigation of security incidents, and, of course, compliance management.
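To make the “log monitoring” item concrete, here is an added example for this article (not DataArt’s tooling) that runs a simple detection over constructed authentication log lines: it keeps a sliding window of failed logins per source address, raises an alert when the failures cross a threshold inside the window, records which accounts were tried, and notes whether that source later logged in successfully, which is the case an incident investigation should look at first. The log format, the sample addresses (taken from documentation ranges), the threshold and the window length are all assumptions for illustration.

```python
"""Detect password-guessing bursts in an application authentication log.

Added example for this article (not DataArt's tooling). The log format
`<timestamp> auth result=<ok|fail> user=<name> src=<ip>` and the sample
lines are constructed; the threshold and window are illustrative defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.5 fails against five accounts within 30 seconds
# and then logs in as one of them; 198.51.100.7 shows two widely spaced failures
# (ordinary typos) before succeeding. One non-auth line is mixed in.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth result=fail user=jdoe src=203.0.113.5
2024-03-01T10:00:07Z auth result=fail user=asmith src=203.0.113.5
2024-03-01T10:00:13Z auth result=fail user=bkhan src=203.0.113.5
2024-03-01T10:00:19Z auth result=fail user=clee src=203.0.113.5
2024-03-01T10:00:25Z auth result=fail user=dpatel src=203.0.113.5
2024-03-01T10:00:31Z auth result=fail user=asmith src=203.0.113.5
2024-03-01T10:00:40Z auth result=ok user=asmith src=203.0.113.5
2024-03-01T10:01:00Z auth result=fail user=mreyes src=198.51.100.7
this line is not an auth event and is skipped
2024-03-01T10:05:00Z auth result=fail user=mreyes src=198.51.100.7
2024-03-01T10:05:10Z auth result=ok user=mreyes src=198.51.100.7
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines of other shapes."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return rec


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert when one source produces `threshold` failures inside a sliding
    window of `window_seconds`; record whether that source later succeeds."""
    recent_failures = defaultdict(deque)  # src -> timestamps still in the window
    users_tried = defaultdict(set)         # src -> distinct accounts attempted
    alerts = {}                            # src -> alert dict (one per source)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an auth event; a real pipeline would count drops
        src, ts = rec["src"], rec["ts"]
        if rec["result"] == "fail":
            users_tried[src].add(rec["user"])
            window = recent_failures[src]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()  # drop failures that aged out of the window
            if src in alerts:
                alerts[src]["failures"] += 1  # keep counting after the alert
            elif len(window) >= threshold:
                alerts[src] = {
                    "src": src,
                    "first_failure": window[0].isoformat(),
                    "failures": len(window),
                    "success_after_burst": False,
                }
        elif src in alerts:
            # A success from a source that was just guessing is the event an
            # investigation should look at first: was an account compromised?
            alerts[src]["success_after_burst"] = True

    for src, alert in alerts.items():
        alert["users"] = sorted(users_tried[src])
    return list(alerts.values())


def run_sample():
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, only 203.0.113.5 is reported: five distinct accounts, six failures, and a successful login after the burst. The second source never reaches the threshold because its two failures are minutes apart and age out of the window. The same loop works on a live stream of lines, and the per-source state is small enough to keep in memory; the thresholds are where you tune for your own traffic so that ordinary mistyped passwords do not page anyone.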

Why should insurers worry about vulnerability management?

According to a Willis Towers Watson survey of more than 100 C-suite executives, cybercrime is now the leading risk to insurance companies. In 2016, a business fell victim to a ransomware attack every 40 seconds, according to a report from Herjavec Group. Cybersecurity Ventures predicts that number will rise to every 11 seconds by 2021.

When breaches involve ransomware, insurers may have to pay a significant fee to unlock their stolen information. In 2019, hackers broke into an unnamed Canadian insurance company and installed malware that locked them out of their own data. The provider was forced to pay the attacker $950,000 to unlock the stolen files.

In order to focus on growth and avoid potentially devastating fines, insurers need to continually monitor and evaluate their security infrastructure.

Wrap Up

The future of cybersecurity may be unpredictable but one thing is certain: hackers are getting smarter. To beat them, insurers must keep their systems up-to-date and proactively test for possible weaknesses.

The most challenging part is that most insurance companies do not understand how these hackers operate. If a breach occurs, this lack of knowledge may result in massive expenses and permanent damage to a company’s reputation.

If your current in-house team is struggling to implement successful software security testing, consider working with a reliable partner like DataArt. While outsourcing does come with additional costs, it can prevent fines and settlements that can result from a breach. Consider it an insurance policy for insurance companies — and just one way you can stay one step ahead of the bad guys. Contact us today to learn more about our offerings in security testing services.
