Imagine this… a couple of your leading Insurers advise they’re aware of a cyber break-in involving your Agency – WHAT??? – you never thought this would happen to you!
Recently a partner Agency faced just such a scenario. On Wednesday, Oct 19th, “name withheld” Insurance (a mid-size regional P&C carrier) called advising they knew the Agency username and password for the company network had been stolen the previous week. The following day “not saying” Insurance (a super-regional P&C group) called advising Agency passwords to their network were out there on the Dark Web, for sale!
What would you do? – I think I’d panic, and then check everything!
Don’t panic! – Cyber attacks are more common than we think, and they’re not all catastrophic. In this case, at least for this Agency so far, it involves only two records. Yes, two insureds’ records may have been compromised. No big deal, right?
Here’s what has happened at the Agency to date:
– Their third-party “IT guy” performed a special project on their entire network to update all software and anti-virus protections – cost TBA
– Disabled all applications that are not work-related (e.g., they’re not ordering Pizza online anymore!)
– Scanned all work-related devices for viruses and malware infections (including everyone’s smartphones, iPads, and tablets)!
– Identified the attack – they did! – someone had clicked on an email link that loaded malware, which subsequently monitored keystrokes and logs.
– Disabled and replaced affected devices – apparently only one hard drive was involved.
– Co-operated with the Insurers. First, the Insurers cut off all Agency Management System interfaces; one was back up after two days, the other was off-line completely for two weeks (back to ‘old school’ processing, call it in!). Now it will permit access from only two workstations while investigations remain ongoing; each login must be pre-notified and is monitored.
– “Not saying” Insurance Company requires a cyber forensics evaluation, initial cost $6,500 (read your Agency agreements!), duration estimated 3-5 days – results pending as of 9.11.15
– The Agency is not going to make a cyber claim but, to comply with cyber policy conditions, “notified” their carrier.
What happens next depends upon the results of the forensic investigation – stay tuned. In the meantime, this is what they know:
The Financial Services – Information Sharing & Analysis Center (FS-ISAC) notified the two insurance companies that 225,000 accounts belonging to them had been stolen and were available on the Dark Web, so clearly other Insurance Agencies are involved.
This is not a serious breach for the Agency; in fact, technically it is not a network breach at all but an application breach – as far as we know so far! The impact has been disruptive to normal operations, with the outcome still uncertain.
There are more than 30 people already involved with the Agency in responding to this incident: the Agency Manager, CSR staff directly affected, agency owners, Office Administrator, in-house claim co-ordinator, agency financial staff, their cyber insurance agent, the cyber wholesale broker, the insurer’s claims department, agency IT, and the third-party forensics team, and there may be several more before the incident is closed. Should the investigation uncover more ‘damage’, the scope of the clean-up will increase, involving perhaps legal consultants, counsel and regulators.
– Was the compromised data encrypted? – yes, and so were the passwords, but they were being sold!
– Is the network wireless? – no, it’s old-fashioned, hard-wired, and should be safer!
– Do employees receive cyber security training? – yes
– Are there notification requirements? – the number of records compromised at the Agency appears to be less than required to trigger formal notification under Privacy Statutes – however, the Insurers involved are not so fortunate.
– Someone else usually discovers the breach
– Even minor technology breaches are disruptive
– Any breach involves direct and indirect costs
– There will be publicity
– It could happen to you!