By Isha Marathe
June 27 - (The Insurer) - After several insurers suffered system outages resulting from information security events in June, cybersecurity experts warned that the industry is at high risk and should be on the lookout for social engineering attacks.
The network disruptions at Tokio Marine's Philadelphia Insurance Companies and Erie Indemnity's Erie Insurance entered their third week of recovery in late June.
And Aflac on June 20 disclosed a cybersecurity incident in which personal information of its customers may have been compromised. The health and life insurer said the attack on its U.S. network, which was identified on June 12, was caused by a "sophisticated cybercrime group", but did not specify a name.
For cybersecurity experts like Adam Malone, global head of acute events in Kroll's cyber risk practice, the recent events should be a clarion call to other insurers.
"(I'm) not surprised," Malone said. "Every major organised crime group across the world has pivoted to ransomware. It's their de facto economic hardship tool. It's their moneymaker."
The insurance industry, like any sector that interacts directly with customers, is a prime target because it collects sensitive or regulated data that is especially susceptible to a ransom, Malone said.
John Hultquist, chief analyst within the threat intelligence group at Alphabet's Google, said on June 16 that "at least two" insurers were targeted by Scattered Spider, which the group said is "a financially motivated threat actor characterised by its persistent use of social engineering and brazen communications with victims".
Hultquist did not disclose whether Philadelphia Insurance and Erie were those two insurers.
In a later post on LinkedIn, Hultquist commented: "Actors that bear the hallmarks of Scattered Spider are now targeting the insurance industry. They have a habit of working their way through a sector. Insurance companies should be on the lookout for social engineering schemes targeting their call centres."
Cyber Risk Insurer exclusively reported that at least the Philadelphia Insurance disruptions were likely to have been carried out by Scattered Spider. But neither Erie nor Philadelphia Insurance disclosed the name of the entity responsible for their system outage.
This publication exclusively reported on June 17 that Philadelphia Insurance was offering flat renewal rates applied against exposure change on policies renewing through June 20 due to the ongoing disruption caused by its IT systems outage.
SCATTERED SPIDER TARGETS COMPANIES IN SAME SECTOR
Christina Powers, a partner in West Monroe's strategic cybersecurity consulting practice, said Scattered Spider is notorious for targeting companies within the same sector, having hit casinos and the hospitality sector in similar ways in 2024.
Scattered Spider is also reported to have been behind the disruptive attacks on UK retailers Marks & Spencer and Co-op Group.
If the perpetrator of the June attacks is in fact Scattered Spider, the hackers are likely to go after more insurance companies in the coming days, if they have not done so already, Hultquist, Malone and Powers said.
Typically, these hackers enter a company's network, steal data and then deploy ransomware so as to gain two angles to negotiate with the victim. The first is payment to not post the sensitive information, and the second is a decryption key to decrypt systems that have been locked by the bad actor, Kroll's Malone said.
The former is particularly high stakes for a highly regulated industry like insurance.
"I don't know yet if (Philadelphia Insurance and Erie) have been publicly shamed and had this information posted on the dark web," Malone said.
"But I would expect that that's absolutely something that they would do should their extortion demands not be met."
Erie said in a post on June 23 that while there was "no evidence of ransomware and no indication of ongoing threat actor activity" at that time, its investigations were ongoing.
Malone expects the insurers to have brought in incident response teams and law enforcement – as both Philadelphia Insurance and Erie confirmed they had – to answer questions like, "When did they get in? How did they get in? What did they do?"
The next piece is looking into what the bad actor may have taken and what obligations the insurers have to notify people based on the specific data breach regulations.
"Both of those (things) are probably still happening, because it can take a while, because, remember, when the environment gets taken down, you don't even have the systems to investigate," Malone said.
The final piece of work is looking into how the companies can resume business and start servicing customers.
"The first thing you have to bring online is all of your internal systems that make the customer-facing systems work. Oftentimes in a ransomware attack, you're rebuilding those from scratch because you can't trust backups … you may have to build them stronger than they were before," he added.
EXPLOITING SOFT SPOT
Hackers like Scattered Spider have learned about sector-specific vulnerabilities and distributed workforce models within the insurance sector that include agents, brokers, third parties and regional operations.
That knowledge, combined with the group's ability to partner with other ransomware groups, makes Scattered Spider particularly skilled at exploiting soft spots within verticals like insurance, experts said.
Malone thinks of the insurance industry now as a particularly rich target environment, with many firms having acquired smaller companies over the years without having necessarily integrated all of their departments into the main business, thereby opening up various vectors of entrance.
"I would expect, based on past performance, that Scattered Spider is going to continue to target the insurance sector because the companies tend to use the same products, the same kind of people, the same subcontractors, so they'll find weaknesses," Malone said.
"I don't expect it to stop or slow down now."
While the impact of such an attack varies case by case, Malone said companies tend to recover to peer level within "six to 12 months", with the direct cost of the incident ranging from "hundreds of thousands into the millions".
Powers at consulting firm West Monroe also noted that litigation and reputation harm are further consequences that companies should expect from such system outages, especially if policyholder data has been accessed.
She said that other insurers should buckle down on training and awareness, especially around social engineering tactics that groups like Scattered Spider use.
"We know that they like to target the help desk to either impersonate users who need assistance, or potentially reaching out to users and pretending to be the help desk," Powers said.
"Be wary of calls or requests that you get that are out of the ordinary. What should you do to verify those? Maybe end that call and call back at a legitimate number, or escalate (it)."