How Aflac defends itself against ransomware

The recent WannaCry ransomware attack that took the world by storm didn't claim any notable victims in the insurance industry. That can perhaps be attributed to the sector's increased attention to cybersecurity in the wake of the several health insurance data breaches in 2015, as well as the NAIC's establishment of a cybersecurity task force last year. But it underscores the need for increased vigilance by IT leadership.

Aflac CISO Tim Callahan says that the best way for insurers to avoid having their systems compromised by such an attack is to stay on top of patches. Microsoft, he notes, sent out a patch earlier this year that prevented the damage -- if it was installed.

But there are further steps that CISOs can take in case something does squeak through, he adds. Aflac received a list of malicious IP addresses early in the crisis, and Callahan's team was able to block traffic coming in from or going out to those IPs.

"We have a few sources, some we pay for, some that come along with a membership, that give us active pushes on any bad IP addresses," he explains. ""The Department of Homeland Security, for example, has an automated indicator sharing program, if we get that information and it passes a certain confidence factor, then we can auto-apply a block."

Aflac is also a member of several other consortia with which it shares data that it finds in its own, Callahan says,

di-aflac-032017
Exterior of the AFLAC headquarters in Columbus, Georgia on Wednesday January 28,2009 Photographer: Chris Rank/ Bloomberg News
Chris Rank

All of these solutions are subject to review by Aflac, which uses analytics to come up with a score of how confident it is that a patch will work or an IP address block is worth it -- the "confidence factor" Callahan referred to.

For example, patches can sometimes have negative downstream effects on systems. So, Callahan says, Aflac tests patches in controlled environments before pushing them out to their end users.

"We have a protocol where we have test beds with partners in the business where we have a list of computers we can test things on to see if we find ill effects," he says. But most often, "if it’s critical with a high confidence factor, we can push it out."

Ultimately, Callahan says, attacks like WannaCry can be mitigated by strong IT security fundamentals, like installing patches and training employees on what to do if they recieve a suspicious e-mail.

"Not everything is going to be prevented based on fundamentals, but most of the time we see when you do the forensics it’s the lack of hygiene that allowed it to affect you," he says. "It prevents enough that it’s worth doing."

For reprint and licensing requests for this article, click here.
Cyber security
MORE FROM DIGITAL INSURANCE