A New Focus for Cyber Criminals

The new battlefront is hackers exploiting human vulnerabilities, not systems or software. Coverage needs to adapt. 

Padlock on rusty chain

KEY TAKEAWAY:

--Fortunately, an early-detection tool that blocks people from accessing suspicious links and sites in the first place has been in use for 15 years in the corporate world and only needs adaptation for a broader market. This risk-mitigation tool creates a security perimeter around people’s digital lives by overriding their browser settings on every device, cutting off the supply of data at its source and overwhelmingly reducing the likelihood of acquiring malware. 

----------

At first glance, it makes sense that the proliferation of digital devices used by the average person would make consumers more vulnerable to cybercrime. However, the reason is not straightforward. It is because our smartphones, tablets and laptops have actually become more secure that fraudsters and hackers have switched their point of attack: As vulnerabilities have become more human-centered, they are no longer hacking software — they are hacking people.

Over the last 18 months, the dynamic of this cyber threat has shifted so fast that insurers have been unable to change their policy language to keep pace. 

Our analysis shows the most prevalent claim type is social-engineering fraud, where threat actors use an onslaught of sophisticated digital scams to trick users into clicking the wrong link and sharing too much information, so hackers can defraud them of large sums of money. Social engineering is now, by far, our number-one issue. Cybersecurity firm PurpleSec estimates that 98% of cyber attacks leverage social engineering. The most common type is phishing, in which attackers dupe recipients into handing over login credentials through emails purporting to be from a trusted source that lead recipients to fake websites. 

Phishing email volumes surged a shocking 569% from 2021 to 2022, and of the 77,000 URLs created daily, 86% are fraudulent. Many people are looking to insurers for protection, but the identity-restoration coverage companies have historically offered is no longer enough. While insurers know their potential customers worry about sharing information, they are uniquely positioned to help those customers feel more secure online.

The Evolving Threat Landscape

Ransomware had been the leading claim in cyber insurance until about 2022. However, holding business data hostage and extracting payment is a much messier process for threat actors than tracking people across the internet and then impersonating legitimate websites. These social-engineering scams offer an easier access point to consumers’ personal information due to the many digital devices people now use and the growth of remote work, accelerated by the pandemic.  

Today’s threat environment is an arms race as threat actors create new fake sites every day to keep ahead of security measures. With so many people now working in online workplaces, both individuals and their employers are being exposed. This mingling of risks happens when threat actors manipulate the individual on the personal side of their digital presence to gain access to their business credentials and vice versa. 

Insurance carriers, in general, have been slow to respond to the shift toward targeting individuals, yet in one of our recent consumer surveys, most people assumed it would be their insurer — not their bank or financial provider — that would protect them from this type of fraud. That is why the new wave of social-engineering attacks represents an urgent call to upgrade coverage to protect both the consumer’s physical assets and their digital presence. 

Bringing Insurance Up to Speed

Originally, large companies used several layers of security to protect their businesses and employees against cyber-attacks. By contrast, consumers and small businesses have been an underserved market for cyber insurance and typically left to fend for themselves after falling victim to a cyber-attack or digital scam. 

Nearly every U.S. personal lines insurance company covers ID theft, but the next generation of coverage needs to include personal cyber to respond to social engineering scams, ransomware, cyber bullying and other cyber risks. Younger people are especially worried about cyber attacks, with 35% of Gen Z respondents having experienced cybercrime within the last six months, so the right coverage will have relevance to the market.

Over the last few years, early mover insurers have begun offering personal and small commercial cyber insurance, but these rarely include tools that protect against persistent cyber threats. While insurers are more likely to bind and retain business if they have a more comprehensive offering, their cyber coverage will be incomplete if it does not offer a first line of defense against top cyber risks like social-engineering scams. 

Prevention Is Better Than Managing Breaches

Threat actors tend to take advantage of people over time, where they gradually misuse personal information to avoid drawing immediate suspicion. But like a balloon slowly inflating, the problem just gets bigger and bigger. If our defense is to triage breaches in real time, we will always be left behind. 

Fortunately, an early-detection tool that blocks people from accessing suspicious links and sites in the first place has been in use for 15 years in the corporate world and only needs adaptation for a broader market. This risk-mitigation tool creates a security perimeter around people’s digital lives by overriding their browser settings on every device, cutting off the supply of data at its source and overwhelmingly reducing the likelihood of acquiring malware. 

We have not seen this type of solution used before in the context of cyber insurance or prevention, but its time has come. Our advice to insurers is to find providers offering this tool and make it part of their cyber-risk coverage. It will not only safeguard customer information but improve profitability over time by reducing cyber claim costs and making insurers relevant at a time of shifting threats and shifting demographics.

Risk Aggregation and a Total Solution

The biggest fear of insurers is dozens or even thousands of policyholders making claims after a mass event, like a hurricane coming up the coast. That concentration of risk is just as relevant in the world of cyber threats, where a data breach can implicate scores of consumers. The issue for insurers is that cyber risk is so amorphous that it is hard to quantify or qualify.

In this context, having a preventative tool that can evolve with the threat can give insurers the confidence to create a broader solution around cyber — one that helps customers feel secure no matter how many devices they have and without their ever having to deal with the scare tactics used by all those faceless threat actors.

Read More