By Ujjval Patel
In order to protect your insurance agency against cyber threats, there are three key terms you first need to familiarize yourself with: phishing, smishing, and vishing.
Phishing is the process by which a cyber criminal uses a legitimate-looking e-mail to trick one of your employees into providing private information (such as passwords or access to your network, via a malicious link) or convince them to transfer funds by impersonating a figure whom they trust.
Smishing is similar to phishing, except that the medium is different: smishing attacks use SMS or messaging apps to try to fool your agency staff, rather than e-mails.
When a cybercriminal uses phone calls to try and steal information or money from your agency, this is known as vishing.
These three most commonly perpetrated attacks remain the top cyber threats faced by independent agencies. Gone are the days of dodgy e-mails riddled with severe misspellings, offering you access to a long-lost relative’s oil fortune from a faraway country; modern cyber attacks are getting more complex and harder to detect by insurance agency principals and their staff.
One attack pattern leverages phishing e-mails from trusted contacts. In this scenario, the e-mail address of a trusted contact (for example, the agency principal) gets hacked, and a cyber criminal begins to propagate e-mails to their recipients.
In the heat of day-to-day operations, these messages can at first appear legitimate to time-stressed employees because they carry the correct e-mail address, business logo, and signature. (In one case, we recently saw an e-mail with the subject line, “Time Sensitive Message” with what appeared to be a secure link to a trusted counterparty.)
However, on closer inspection, these types of messages have many telltale signs in common that can alert you to possible threats.
- First, such e-mails (or messages/phone calls) often carry a sense of urgency in order to elicit a quick response. Any language urging you to act without hesitation is a red flag.
- Second, these messages will typically be inconsistent in tone or voice with other communications from the trusted contact. This is because bad actors use cookie-cutter templates of common business requests, and often don’t tailor messages for the specific company or industry. (This is not to say that some cyber criminals don’t do their homework; suspicion should always be the watchword when analyzing a message from a superior.)
- Third, they will ask you to download suspicious attachments, click on a link, send payments through odd channels, or provide confidential information like a network password or banking numbers. Malicious links will often include indicators that they’re illegitimate, such as hyphens or slight misspellings in key words within the URL.
All three of these warning signs can alert you or your staff to possible cyber attacks, and your agency’s staff should be trained to spot them immediately.
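The three warning signs above can be turned into a first-pass screen that a mail gateway or a help-desk tool could run before a message reaches a busy employee. The following is an added example written for this article, not code from the author or from Renaissance Alliance; the trusted domains and the sample message are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Domains the agency legitimately exchanges mail with (constructed for this example).
TRUSTED_DOMAINS = {"renaissancealliance.example", "examplebank.example"}

# Sign 1: language pressing for an immediate response.
URGENCY = re.compile(r"\b(time[ -]sensitive|immediately|urgent|within 24 hours|act now|asap)\b", re.I)
# Sign 3: requests for credentials, payment changes or banking details.
SENSITIVE_REQUEST = re.compile(
    r"\b(password|wire|wiring instructions|routing number|account number|gift card)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)


def lookalike(host, trusted):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated.

    Catches the two tricks the article names: hyphens inserted into a known name
    (renaissance-alliance) and slight misspellings of it (renaisance...)."""
    host = host.lower()
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return None
    host_base = host.split(".")[0].replace("-", "")
    for t in sorted(trusted):
        base = t.split(".")[0]
        if base in host.replace("-", "") or SequenceMatcher(None, host_base, base).ratio() >= 0.8:
            return t
    return None


def screen_message(subject, body, trusted=TRUSTED_DOMAINS):
    """Return the list of red flags found in a message, one entry per sign triggered."""
    flags = []
    text = subject + "\n" + body
    if URGENCY.search(text):
        flags.append("urgency")
    if SENSITIVE_REQUEST.search(text):
        flags.append("sensitive-request")
    for url in URL.findall(text):
        host = urlparse(url).hostname or ""
        target = lookalike(host, trusted)
        if target:
            flags.append(f"lookalike-link:{host}->{target}")
    return flags


if __name__ == "__main__":
    # Constructed sample modelled on the "Time Sensitive Message" case in the article.
    print(screen_message("Time Sensitive Message",
                         "Please review the updated wiring instructions at "
                         "https://renaissance-alliance.example/secure before 5pm."))
```

A message that trips more than one sign is a strong candidate for the "call the sender on a known number" step rather than for a click.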
Don’t suffer these consequences
If your agency falls victim to a cyber attack, your business’ financial loss may prove to be just the start of your problems.
The financial consequences can include a possible ransom payment to the bad actor (i.e., payments to unlock malware that locks you out of your own operating system), costs to mitigate the damage once a breach is detected, and costs to recover to normal operations after the incident. Based on claims data collected by Nationwide, small businesses like independent agencies can spend between $15,000 to $25,000 in recovery costs alone.
In a worst-case scenario the scammer can drain your bank account, as happened to Charles Haney, a Texas small business owner. In March of 2023, Haney was victimized in a vishing attack in which a cyber criminal convinced him he was speaking to his bank’s fraud division, and he revealed his bank account information. Within minutes, Haney’s business checking account was drained from about $192,000 to around $3,000.
There’s also your agency’s reputational risk to consider.
If your e-mail system is compromised in a phishing attack, your customers might receive e-mails from you that put them at risk of being hacked. What’s more, if any of your clients’ personally identifiable information (PII) is exposed, by law they will have to be informed. According to the National Conference of State Legislatures (NCSL), all 50 states now have requirements for businesses to notify customers when their data is compromised.
After a cyber breach, the firm’s customer retention rates suffer. One study conducted by ransomware protection provider Arcserve found that 59% of consumers would likely avoid doing business with an organization that had experienced a cyber attack in the past year.
The insurance industry is built on trust and relationships, and cyber breaches can quickly erode your clients’ confidence in your ability to protect them.
Best practices to stay safe
There are several simple best practices you can follow to safeguard your agency. The first is to train and retrain your staff in cyber safety awareness as often as possible.
Sadly, the largest threat to your agency’s cybersecurity is human complacency. It’s critical to teach each team member how to consistently evaluate e-mails for suspicious indicators – sender addresses that don’t look quite right, misspellings, odd-looking links, calls for urgency, and out-of-character tone from a “known” sender, to name a few.
When a team member doubts the veracity of an e-mail, message or phone request, it is always best for them to call the sender on a known phone number, and to distrust anyone who calls your agency claiming to be from a trusted institution such as your bank.
It’s also critical to have proper professional protections in place for your agency. Many independent insurance agencies have a single person who is responsible for everything, which is not the best approach to keeping your private information secure. Cybersecurity is a specialized skill set that requires expert knowledge of the latest threat patterns.
All too often, investment in technology infrastructure is seen as a cost center, and it’s important to change that mindset. We highly recommend partnering with a managed service provider that can provide normal IT services but also cybersecurity and incident response.
However, it’s worth noting that not all service providers are created equal. When selecting a vendor, vet them to see if they have knowledge of security frameworks such as the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the COBIT control model, and Center for Internet Security (CIS) Controls, and understand how privacy regulations like the California Consumer Privacy Act (CCPA) might be impacted by a tight control framework.
Note that compliance and cybersecurity have some overlap in control frameworks but are not one and the same; understanding the difference is critical to securing your agency across multiple fronts.
Hackers focus on getting into your system day and night; it would be an oversight to assume that one person on an agency’s staff can do everything needed to safeguard you.
Independent agencies must bat 1.000 each day to prevent exposure, but hackers only have to get it right once. As a result, it’s imperative that you also maintain the right cyber insurance policy to protect your business.
There are several things to consider for your cyber insurance protections. Make sure your agency’s policy covers data breaches and the third-party liability of those breaches. It should also cover breaches by vendors and other third parties, as well as attacks originating across the world since there are exclusions in some policies for specific geographies. It’s also prudent to ask about other exclusions, such as acts of terrorism.
One thing to note is that all cyber coverage will exclude incidents that result from poor security processes, human errors, and pre-existing vulnerabilities. Before you seek coverage, assess your internal gaps so that things your agency might already be doing wrong don’t become excluded incidents later.
For a good starter checklist, consult the FTC’s guidelines for cyber protections.
As the agency principal, the buck stops with you in ensuring your agency is protected against cyber attacks. Proper training for your staff, professional assistance from a managed service provider, and a well-crafted cyber policy will keep your business safe in a world in which the stakes continue to rise.
Rhodian Group, which specializes in cybersecurity, IT services, and compliance, is Renaissance’s preferred vendor for our member agencies. Visit them at rhodiangroup.com.
Ujjval Patel is the Chief Technology Officer for Renaissance Alliance. He is responsible for developing and managing the agency network’s high-performing, scalable, and secure technology stack.