AI for Cybersecurity in Insurance – Current Applications

Niccolo Mejia

Niccolo is a content writer and Junior Analyst at Emerj, developing both web content and helping with quantitative research. He holds a bachelor's degree in Writing, Literature, and Publishing from Emerson College.


The insurance industry is responsible for a multitude of sensitive financial data concerning both its customer base and staff. Any breach to an insurance company’s CRM or other claims database could compromise the personal data of multiple people at once, which puts the company at risk as well.

However, there are always new cybersecurity innovations, and this includes AI and machine learning-based solutions.

In this article, we explain how artificial intelligence applications can help insurance companies protect their networks and databases from cyberattacks.

We cover how predictive analytics and anomaly detection can be instrumented within a large enterprise network’s security system and how it can counteract these threats. The types of solutions explained include:

  • Predictive Analytics for Detecting Malware and Suspicious Network Behavior: How it can recognize individual users and detect suspicious activity within a network.
  • Advanced Visualizations for Network Cybersecurity and Incoming Threats: These solutions serve as detailed user interfaces connected to AI solutions so that human security employees can grasp the nature of a cybersecurity threat in real-time along with the software.
  • Using Anomaly Detection to Detect Cybersecurity Threats: Insurance companies can take a more typical approach to introducing AI into their cybersecurity, and this method is similar to how a company would use it to detect fraud in insurance claims.

Our explanation begins with predictive analytics for detecting cyberattacks such as hacking and use of malware.

Predictive Analytics for Detecting Malware and Suspicious Network Behavior

Predictive analytics software has numerous applications that insurance companies can use to protect their network. The machine learning models used to build them are usually trained on large sequences of user activities within a network.

Each record in this network activity data indicates exactly what type of action was taken. The client company labels these actions as “acceptable” or “normal” so that the machine learning model can gain a sense of regular activity.

The model can then discern which actions are most likely to be fraudulent, and the predictive analytics software can recognize inconsistencies and abnormalities in user activity in real-time.

Many of these solutions can also determine whether a network action is performed by a human user or a malware program. 

For example, a hacker would have to interface directly with a client company’s cybersecurity system to perform an attack or inject malware to do it for them. However, there are certain actions only a program could take once it has infiltrated an insurance company’s database.

This could be as straightforward as transferring data out of the network, or opening the network up so that any accomplices may access it as well.

This type of predictive analytics software can sometimes recognize new malware bots, programs, and their new iterations as hackers keep innovating.

Insurance database experts can direct the software on certain fraudulent actions so that the system can eventually make that distinction by itself. This may allow the machine learning model to pick up on smaller aspects of network activity that indicate potential fraud.

FireEye offers a pre-trained solution for potentially fraudulent activity and use of malware. An insurance company considering a FireEye solution would only need to integrate the software into their current cybersecurity infrastructure.

However, this may still require time and resources and may require the insurance company to hire data scientists.

Insurance companies may benefit from this type of predictive analytics solution, but new cybersecurity threats are being discovered all the time. This can pose a challenge for business leaders that have adopted a solution like this because the pre-trained software may not be able to keep up with an influx of unique cyberattacks.

We spoke to Owen Hall, CEO of Heliocor, about the strengths and weaknesses of AI for fraud and risk mitigation. When we talked about the more traditional rules-based systems, Hall made an observation that can be true for pre-trained solutions as well:

As people go through their daily lives, they leave more and more ‘breadcrumbs’ about themselves and those become open for people to use in the areas of defrauding people of their money. You’ve…got a whole area in terms of the banks looking at ‘how do I really know that the person who sat online doing a transaction is the person I really think they are.’ I think AI will [factor] into there.

All of our online activity can be traced back to the person or program that performed it. This results in numerous data points that surround each potentially fraudulent action that could be used to track cyberattacks. An AI solution pre-trained on only the most common types of attacks may require additional time to be able to discern smaller changes in normal activity. 

Insurance companies can make use of FireEye’s current predictive analytics solutions to protect multiple digital channels simultaneously. They focus on analyzing malware activity and investigating each threat individually. FireEye’s current solutions include:

  • NX: For protecting the network from web-based threats such as remote system commands and internet-facing holes in the cybersecurity system.
  • EX: Protects the network from emails containing malware made for infiltration.
  • HX: Protects each computer, tablet, or other human access point, called an “endpoint,” by monitoring its usage across the entire network.
  • PX: Helps the client company respond to network intrusions by capturing data on the intruder that may be helpful in getting them out.

The following 5-minute video from FireEye explains how their EX, or Email Security solution, works with its latest update to cloud technology.

The demonstrator covers how the software checks for and detects threats, how it can be deployed within a network, and what the company claims sets this solution apart from similar ones. It is important to note, however, that FireEye does not specifically claim their technology is fully unique from that of other vendors.

FireEye claims in one of their case studies that they helped a client insurance company catch cyberthreats with more certainty than they had previously. However, it is important to note that the client chose to remain anonymous.

The case study states that the client conducted a proof of concept test for FireEye’s solution along with that of two other vendors they were considering. The company forwarded their live environment sample emails to each of the solutions in order to see which one would detect the threats within them most accurately. 

FireEye EX was purportedly more accurate than the other two solutions and had significantly fewer false positives. The client company now routes all of their emails through headquarters in order to scan them for threats.

Advanced Visualizations for Network Cybersecurity and Incoming Threats

Some predictive analytics-based cybersecurity solutions are combined with a detailed user interface focused on providing the user with accurate visualizations of network threats. This might allow a cybersecurity team to investigate individual attacks more thoroughly.

All information related to one attack would be grouped together and labeled as one “event.” These records of an active threat include information on each computer accessed by the attackers and which malware they were using.

Cylance is an example of an AI vendor claiming to offer a solution like this. In addition to their predictive analytics solution, Cylance PROTECT, they offer a threat visualization and user interface product called Cylance OPTICS.

Cylance claims their OPTICS software can create incident reports for each threat and contain them while Cylance PROTECT works to end the threats permanently. 

The software then analyzes the attack to determine where it came from and how it was able to breach the system. Cylance OPTICS can purportedly review the suspicious behavior and compare it to historical security breach data.

Cylance claims that this can help users find new patterns in network behavior that could be signs of a security breach. A client company’s cybersecurity team could discover a weak point in their system through a Cylance visualization. 

From there, the team could retrain the machine learning model on all recorded instances of this type of activity. The software can also alert users to any issue with the database architecture that a subject-matter expert may be able to fix.

Cylance claims to have improved upon Cylance OPTICS by including an API that facilitates integration with existing cybersecurity systems.

Users can lock down selected devices and endpoints while checking them for suspicious activity, which can block a hacker in the middle of an attack. Some of Cylance’s clients purport to have seen positive results in the PROTECT software’s ability to recognize malicious files and protect their numerous endpoints.

In one case study, Cylance relays this statement from Taylor Lehmann, CISO of Wellforce, regarding endpoint security:

Endpoints and endpoint security are where all the action is…It’s the things that happen on those devices that need the most amount of focus if you want to disrupt an attack, even a sophisticated attack. Signature-based antivirus can’t keep up with emerging attacks we see and antivirus software that needs to be online…to receive updates will fail. These facts create issues that prevent these solutions from performing well with attacks and never before seen threats.

Lehmann claims securing each endpoint within a company’s network is just as important as cataloging differences in types of cyberattacks. He claims most threats can be traced back to just one breached endpoint.

Below is a graphic from Cylance that describes the OPTICS solution as a prevention-first EDR (endpoint detection and response) solution. The company emphasizes the software’s ability to contain and segment threats so that users can prioritize threat response more accurately:

Cylance claims in another case study to have helped a large insurance company fix a prominent security breach within their system and fortify their cybersecurity for the future. Before contacting Cylance, the client had been notified of a large breach in their security during an assessment. 

They sought assistance right away and began evaluating Cylance and their competitors for a solution that would best fit their problem. The insurance company not only needed to block the malware from the initial attack but also needed to check for any other breaches and secure every endpoint.

After the evaluations, the insurance company chose Cylance and began working to implement Cylance PROTECT.

Within 45 minutes of implementation, Cylance PROTECT purportedly recognized 30 unique malware programs in real-time. This was discovered on an endpoint that was already running two other endpoint security solutions that had not recognized any.

The company tested the software again with a large archive of malware samples, and Cylance PROTECT was purportedly able to detect all of them. This was an unprecedented amount of security for the insurance company, and they claim the integration was smooth and user-friendly.

Using Anomaly Detection to Detect Cybersecurity Threats

Insurance companies may also protect their sensitive data and networks with anomaly detection software. Using this type of software would be similar to how an insurance company would use it to solve more typical fraud detection problems such as detecting fraudulent insurance claims.

A machine learning model for cybersecurity would need to be trained via direct installation to the client’s network, where the client would allow it to analyze digital activity in real-time.

For example, insurance claims are usually stored within an insurance company’s database to be accessed in the future. An employee can review these claims by accessing the database and viewing them from an endpoint.

The software would be able to begin scanning for activity within the network as soon as it is installed. It could also track where each user navigates within the network or any linked databases. These databases could include:

  • Insurance Claims data
  • Non-claims related customer data
  • Tax Figures and other enterprise financial data 
  • Staff’s personal information and/or banking information

As the machine learning model continues to analyze this activity, it can begin to discern a baseline of normal network activity and use that to determine the likelihood of fraudulent activity or cybersecurity threats.

If any network activity strays too far from the machine learning model’s sense of normalcy, it will flag that activity as anomalous. Some solutions can also shut out the fraudulent user from the network. If the software flags an activity the insurance company actually thinks is normal, they can reject the notification. This allows the software to factor in that type of activity as acceptable moving forward.
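As an added illustration that is not code from the article or from any vendor named in it, the following Python sketches the baseline-and-feedback loop just described: it learns each user’s normal databases and working hours from a constructed access log, flags departures from that baseline, and folds in activity that the insurance company marks as acceptable. The user names, database names and the hour-window rule are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample log of normal activity: (user, database, hour_of_day).
# Invented for this example; not drawn from any real insurer or vendor.
NORMAL_LOG = [
    ("alice", "claims", 9), ("alice", "claims", 10), ("alice", "customers", 11),
    ("alice", "claims", 14), ("alice", "claims", 16),
    ("bob", "finance", 9), ("bob", "finance", 12), ("bob", "tax", 15),
]


class ActivityBaseline:
    """Per-user 'pattern of life': which databases a user touches, and when."""

    def __init__(self, hour_slack=1):
        self.databases = defaultdict(set)   # user -> databases normally accessed
        self.hours = defaultdict(list)      # user -> hours of observed activity
        self.hour_slack = hour_slack        # tolerance around the observed window

    def learn(self, user, db, hour):
        """Record an event as part of normal activity."""
        self.databases[user].add(db)
        self.hours[user].append(hour)

    def deviations(self, user, db, hour):
        """Reasons this event departs from the baseline; [] means it looks normal."""
        if user not in self.databases:
            return ["user has no baseline"]
        reasons = []
        if db not in self.databases[user]:
            reasons.append(f"first access to database '{db}'")
        lo, hi = min(self.hours[user]), max(self.hours[user])
        if not lo - self.hour_slack <= hour <= hi + self.hour_slack:
            reasons.append(f"activity at hour {hour} outside window {lo}-{hi}")
        return reasons


def build_baseline(log):
    base = ActivityBaseline()
    for user, db, hour in log:
        base.learn(user, db, hour)
    return base


def triage(baseline, events, accepted):
    """Flag anomalous events; events the company marks as accepted are learned
    instead of alerted on, so the same activity is treated as normal afterwards."""
    alerts = []
    for event in events:
        reasons = baseline.deviations(*event)
        if reasons and event in accepted:
            baseline.learn(*event)      # analyst rejected the alert: now acceptable
        elif reasons:
            alerts.append((event, reasons))
    return alerts
```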

One machine learning vendor offering anomaly detection software for insurance cybersecurity is Darktrace. Their Enterprise Immune System solution purportedly prioritizes system breaches instead of locking them out. New cyberattack methods are always being developed, but attackers will always be navigating the same network infrastructure to get to the sensitive data.

The following video is a demonstration of how Darktrace’s Enterprise Immune System works. The demonstrator shows the software’s threat visualizer, the system’s user interface. The system keeps a log of all activity that the user can navigate to investigate recent attacks for their methods and access points:

Darktrace uses the metaphor of the human immune system to explain how their solution works. They claim the two are similar because their software reacts to potentially malicious anomalies in real-time, just as the body reacts to bacteria. Advanced malware such as ransomware can act faster than a human employee can react to it and leave them with few options for combating it.

They also claim the software can slow down ransomware to give human employees a chance to react, but how this exactly works is unclear. The Enterprise Immune System most likely shuts down the endpoint where the ransomware entered the network. This could allow human employees a longer amount of time to diagnose and respond to the issue.

Even though a solution like the one Darktrace offers can counteract cyberattacks in real time and notify human employees of new breaches, hackers have multiple methods of navigating sensitive databases.

We spoke about this with Justin Fier, Director for Cyber Intelligence and Analytics at Darktrace. When we asked for a good example of what suspicious network or database activity looks like, Fier said:

every network is different, it acts as a living organism. So the challenge with a lot of networks is just monitoring all those different pieces…and the question is, how do I monitor all of them (endpoints), how do I decide if they’re acting in a normal way…

…a malicious actor is going to try and exploit something to do something on his behalf, and most of the time it’s going to stand out amongst other devices on the network, and it’s finding those subtleties…it’s gotten much harder to find those anomalies, it truly is a needle in a haystack…

Fier emphasizes how the Darktrace software tries to monitor all of the business’ endpoints and use them as a guide for what malicious activity might look like. Using this as a baseline allows the software to recognize when a bad actor is trying to manipulate the system, although this may become more challenging as cyberattack methods become more and more sophisticated.

According to a case study from Darktrace’s website, the company helped the South Korean company KB Life Insurance secure their widely accessible database and protect against more advanced threats than they were previously prepared for.

Darktrace claims KB Life Insurance used the software to gain a new grasp of their “pattern of life,” or broad array of acceptable network activities. 

KB was susceptible to insider threats because their database was shared with multiple third-party companies, and the system also scanned for “unknown unknowns,” or unique malicious activities the company had not yet encountered.

The case study states that Darktrace’s software was able to identify a real attack within just a few weeks after deployment. KB’s security team was purportedly able to stop the attack before any sensitive data was lost.


Header image credit: Genpact
