Sensitive data resides on the mobile devices used for property and casualty (P&C) insurance work. Captured claims photos and geolocations, customer identity information, financial data, employee data and internal agency communications stored on these devices are all of potential value to hackers and cybercriminals. Device, network and application (or “DNA”) cyberattacks have become so prevalent across all industries that insurers are now indemnifying enterprises with standalone cyber-insurance policies, accounting for an estimated $3.25B in gross written premiums for 2016. Here are the top reasons why mobile security is challenging for insurance companies:
Privacy vs. Security
As customers and agents increasingly bring their own devices (BYOD) for both personal and work use, the insurer cannot legally maintain the same level of monitoring it once imposed on corporate-issued equipment. Even when the company issues the devices, security policies become difficult to enforce in the field: whatever sensitive personal information an employee can view on the device, an attacker who compromises that device can view as well.
Agents and customers using mobile insurance apps and mobile web portals often connect through untrusted Wi-Fi networks for internet access. This opens the door to man-in-the-middle (MITM) attacks that intercept messages, emails and sensitive account information passing between the user’s device and the insurer’s mobile app or site. Such network attacks are easy to execute and may even be used to install code or malware on the device, giving the attacker root-level control.
Application and Device-level threats
Many P&C insurance apps are designed to interact directly with the device’s hardware and OS to enable native capabilities such as the camera and geolocation for claims assistance. Relying solely on the base-level security of the phone’s OS creates a high-value attack surface, because users may run the app on an outdated Android or iOS version with known vulnerabilities that let attackers deliver malware or install code on the device.