Industry Focus: Finance, Insurance and Real Estate

The week Advisen looks at cases in the finance, insurance and real estate industry—the second-largest industry segment for cyber cases.

Public administration leads all industries in terms of relative cyber-case occurrence rate, as shown in the chart below.

The US Department of Labor says the finance portion of the finance, insurance and real estate industry grouping is comprised of depository institutions, non-depository credit institutions, predominantly non-operating holding companies, other investment companies, brokers and dealers in securities and commodity contracts, and security and commodity exchanges.

The insurance portion covers all types of insurance and insurance agents and brokers.

Real estate includes owners, lessors, lessees, buyers, sellers, agents, and developers of real estate.

Recently we have seen a single data breach incident—at retailer Target—possibly affect all three segments of the finance, insurance and real estate industry, which is second to the service industry in cyber-related cases in Advisen’s database.

The late 2013 data breach at Target, which exposed about 40 million payment card records as well as 70 million other personally identifiable records with customer information, triggered the retailer’s insurance policy, had banks scrambling to replace payment cards and some say the breach could trickle to the real estate market—affecting transactions due to damaged credit files and credit scores.

The industry segments are each vulnerable to cyber attacks. After a spike of nearly 300 cyber-related cases in 2009, cases fell but rose again in 2013.

Most recently the life insurance and retirement plan firm VALIC suffered a data breach. The company says a former employee, who left in 2007, may have accessed the personal information of thousands of people, but VALIC says only one account suffered any financial impact.

Oregon’s Cole Taylor Mortgage informed customers in April of a data breach that occurred due to an error by one of their third-party vendors. Information was inadvertently made accessible to employees of another federally regulated bank. (privacyrights.org)

In September 2013 State Farm said it became aware of fraudulent charges on a customer’s credit card shortly after the card was used to pay for insurance policies. The insurer said a former employee at an after-hours call center was found to have misused the credit card information of at least 11 customers.

Recently the Federal Financial Institutions Examination Council said it expects financial institutions to incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the vulnerability of the “Heartbleed” bug.

Depository institutions and insurance companies appear to be particularly targeted. Cases from these segments of the industry outpace others.

According to Advisen, cases involving “digital data breach, loss, or theft” account for nearly 43 percent of all cases in the finance, insurance and real estate industry. “System/network security violation or disruption” is next.

Thirteen percent of global data breaches recorded since 2005 by the Privacy Rights Clearinghouse were in the financial sector, exposing 256,217,888 records, according to a June 2013 report by the nonprofit consumer education and advocacy group.

Though “digital data breach, loss, or theft” cases continue to make up a majority of all cases in the finance, insurance and real estate industry, the category of cases making the biggest move since 2005 is “system/network security violation or disruption,” as shown in the chart below. Cases from improper handling of printed records (orange) is making up less and less of the overall cases in this industry, presumably as industries move more and more to electronic records.