Cyber Attacks Against Insurance Institutions

Cyber-attacks against insurance institutions are becoming increasingly frequent and often very sophisticated. 2015 and 2016 have seen some of the biggest cyber-attacks ever on Global Insurance Providers.
Data breaches at healthcare insurers such as Anthem, Premera, Blue Cross, and CareFirst, resulted in a total loss of personal information of over 100 million US policyholders.

At a time of unprecedented cyber-attacks on insurers and an expanding cyber insurance market, US insurance supervisors have taken
the lead in addressing insurers’ cybersecurity risks.
Stuart Collins

All insurers share with third parties

All insurers, regardless of their size, complexity, or lines of business, collect, store, and share with third parties (e.g., service providers,
reinsurers) substantial amounts of private and confidential policyholder information, including in some instances sensitive health-related
Information obtained from insurers through data breaches or data loss may be used for financial gain through extortion, identity theft, misappropriation of intellectual property, or other criminal activities. Exposure to private data can potentially result in severe and lingering harm for the affected policyholders, as well as reputational damage to insurer sector participants. Similarly, malicious cyber-attacks against an insurer’s critical systems may impede its ability to conduct business.
The objective of this paper is to raise awareness for insurers on how to approach the risks presented by cyber-attacks based around
the ARM (Assess, Remediate, and Monitor) method of securing data and prevent cyber incidents.

“From criminal syndicates to terrorist organizations, to foreign intelligence groups, to disgruntled employees and other malicious intruders, the range of entities that stand ready to execute and exploit cyber-attacks has never been greater.”
U.S. Attorney General Eric H. Holder, Jr.

The ARM Method

The ARM methodology for protecting and preventing against cybersecurity attacks is a three-pronged circular methodology for employing cybersecurity practices at any insurance institution regardless of size.

In practice, the ARM methodology employs the continual use of Assessments, Remediation, and Security Monitoring to paint a picture of the security posture.

Each step of the methodology is an important piece in the protection of the critical assets of an insurance institution.

The process is deployed in a circular format always starting with the Assessment to allow for building a complete and overall picture of the organization security posture. Following the assessment is a detailed remediation plan for correcting any vulnerabilities or security holes that are found in the assessments.

The final step
The final step in the process starts with the continual security monitoring of the insurance institutions infrastructure to continually identify any possible breaches or security incidents and act to correct them.

The ARM method is circular, meaning that the process continually runs in a circle and becomes a cycle of continual assessment, remediation, and monitoring. In today’s ever-changing landscape of cybersecurity threats creating this cycle allows for the Insurance institutions to stay in front of any potential vulnerabilities, incidents, security breaches, or loss of data.

The Assesment

The assessment starts the ARM method by assessing the current state of the network, business, and security policies of an insurance
For any insurance institution to assess the risk they need to know what assets they have, what assets are authorized to be on their network, and what assets are most important to protect.
Assessments are recognized as a crucial component of network security and are the critical first step in the ARM… method.
The assessments are performed to determine the actual security posture of the network environment.
They are designed to explore whether an attack that could potentially bypass defenses and find an exploitable element in the network that could be used to steal information.


Assessment consists of:

  • Penetration Testing (also called pen testing), is the practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit.
  • Vulnerability assessment is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure.
  • Security Policies and Procedures Assessment is the practice of looking at the business or policy and procedure side of an organization to determine if they are using the correct policies and if those policies are being followed.

Regulation and Compliance

As the insurance regulatory landscape becomes increasingly complex with many States and Jurisdiction creating their own sets of regulation the risks associated with noncompliance increase and grow costlier.

Many insurance organizations and their security staff are required to show compliance with internal policies, federal and state regulation, and industry standard.

Current best practices indicate that a vulnerability assessment should be performed a minimum of four times per year, with penetration testing done yearly.


Insurance institutions should be conducting regular assessments and using those assessments to identify all cybersecurity risks associated with firm assets then they should plan to prioritize their remediation of the risks.
Remediation is the second phase of the ARM method and as such take the assessments and works with the stakeholders to identify the most important assets and the most critical vulnerabilities to fix. Each assesses/vulnerability that is identified to be updated/fixed will be completed during the remediation process and rescanned to validate that the vulnerability has been addressed.


Continual Monitoring is the final step in the ARM methodology for dealing with cybersecurity breaches. The GBMS Tech, Ltd. SOCaaS provides insurance institutions with the ability to have continuous monitoring of their network and security infrastructure without the need for additional FTEs or security staff to their organization.
Due to ever increasing sophistication and persistence of malicious cyber activity combined with the sheer complexity and volume of security information, detecting security breaches requires an insurance institution to have a monitoring strategy in place to deal with the
potential for malicious cyber activity. The GBMS Tech, Ltd. SOCaaS has been developed and created to work with the institution to develop a strategy and deal with any breaches or incidents that are identified.

Once a potential breach has been identified, response timing is critical in the monitoring process.
The process, people, and technology that will respond to any breaches in accordance with the incident response plan of the insurance institution must have already been identified.


This guide does not address all areas of security; however, it does provide a proven method for cyber risk reduction that could allow an insurance institution to withstand or identify any potential cyber threats.
For further information, please contact us.





Submit a Comment

Your email address will not be published. Required fields are marked *

Get protected now with
Trident CMP™

+44 207 096 0554

Get In Touch!

+44 (0) 207 096 0554


1 Berkeley Street, London W1J 8DJ


About us

GBMS Tech products and services are at the endpoint layer of your Defense In-Depth Security Strategy.