A new report from cybersecurity ratings and response firm SecurityScorecard, entitled A Cyber Security Assessment of the Insurance Industry Supply Chain, has found that some of the greatest weaknesses in insurance industry supply chains exist where third parties provide services and distribute products.

Overall, they say the industry’s security stance is mixed. They also recommend insurance carriers focus on their underperforming third-party partners.

Circumventing defenses 

“Higher average scores did not shield companies with third-party breaches from attack. In fact, threat actors may have intentionally targeted better-defended firms through weaker links in their supply chains. The data confirms this,” they write. Notably, they say companies experiencing third-party breaches often had above average security scores themselves, “suggesting attackers circumvented strong defenses by exploiting weaker partners.” 

Ransomware remains the top threat to the industry, they add. “Still, the degree to which ransomware dominated this sample, overshadowing other threats, surprised our researchers,” they write. “A strong correlation exists between ransomware and third-party breaches, and their overlap is significant. Third-party attack vectors let ransomware operators scale their operations efficiently, infecting many targets at once.” 

Security risks 

The report also looks at fourth-party breaches, geographic variations, common security risks and specific security issues. Among them, they say application security issues account for almost half of the highest-impact problems, while network security issues represent 40 per cent of the most impactful problems. The top three security issues discussed all involved weak or missing encryption.

Malware infections and device compromises, meanwhile, affected 17 per cent of the 150 top insurance companies surveyed globally, while 56 per cent had at least one compromised credential in the past two years.

“U.S. insurance carriers had the most compromised credentials by a wide margin, skewing the data.” Among the firm’s recommendations, SecurityScorecard suggests having heightened third-party risk management (TPRM) practices when dealing with U.S. and Chinese companies. They also recommend ensuring that vendors have their own TPRM programs in place. 

Breach rates highest in the U.S. 

They add that insurance carriers and reinsurance providers had the highest security scores, while agencies, brokers and insurance software and IT services vendors scored the lowest. “Breach rates were highest for the U.S. insurance industry overall, including both carriers and agencies and brokers,” they write. “Of the 42 breached companies, 12 experienced multiple breaches. These multi-breach firms were mostly U.S. based carriers or agencies and brokers,” they add. “Out of the 150 companies, 42 (28 per cent) experienced at least one publicly reported breach, resulting in a total of 64 breaches.” 

The paper notes that carriers and reinsurers face the most stringent regulatory and solvency requirements and generally achieved the highest scores in the industry. Third-party claims processors scored in the middle of the pack, while agencies and brokers, and insurance-specific software and IT providers, stood out at the bottom: “Their lower scores align with a pattern observed in other industries – providers of IT products and services often rank lower than their customers.”

Agents and brokers 

As for agents and brokers, they say these service providers increase a company’s exposure to social engineering attacks and other security threats. “The push for sales and responsiveness may reduce the caution that staff exercise when interacting with unknown parties.”