American Family Insurance, one of the largest property and casualty insurance companies in the United States, suffered a major cyberattack in October 2023 that brought down many of their key IT systems and impacted customers across the country. This article provides an in-depth look at the cyberattack on American Family Insurance, the impact it had, and the company’s response.
Overview of the American Family Insurance Cyberattack
On October 21st, 2023, American Family Insurance publicly confirmed that they were the victim of a cyberattack after customers had been reporting widespread outages of the company’s online services and phone systems since the previous weekend.
The company said in a statement that its technology teams had detected “unusual activity” on its network and reacted quickly by shutting down several business systems to protect data and resources. However, the shutdown led to outages that prevented customers from being able to file claims, pay bills, or conduct other business online or over the phone.
American Family Insurance did not provide any details on the specifics of the cyberattack, such as how the attackers gained access or what methods or malware may have been used. The company said its investigation was ongoing with help from internal and third-party experts.
Early signs pointed to the possibility of a ransomware attack, which is when cybercriminals infiltrate a network, encrypt data and systems, and demand a ransom payment in order to decrypt them. American Family Insurance did not confirm whether ransomware was involved but said that, to date, it had not detected any compromise of critical data.
The attack clearly had a major impact on American Family’s operations, with outages persisting for several days across online services, phone support, and internal systems. The company was forced to shut down not just externally-facing systems but also key infrastructure on the backend that supported operations company-wide.
Scope of the Disruptions
The cyberattack on American Family Insurance caused problems ranging from inconvenient to severe for customers, employees, and agents. Here are some of the ways American Family’s systems being down disrupted operations:
Customer website and online services – Customers reported widespread outages when trying to access American Family’s website and online customer portal for services like paying bills, filing claims, and checking policy information. Error messages cited “maintenance downtime” and advised calling instead.
Customer service phone lines – With the website down, American Family directed customers to call for assistance. However, phone systems were also negatively impacted by the attack. Long wait times were reported with some unable to reach agents at all.
Online payments and billing – Customers were unable to pay bills or manage payments online. American Family informed customers they would not be penalized for late payments during the outage.
Claims processing – Customers could not file new claims online or check the status of existing claims, causing delays in the claims process. Only critical claims were being handled manually.
Internal systems and communication – Email, internet access, and other internal systems were disrupted for American Family employees, severely impeding communication and daily workflows.
Third party integrations – External partners, vendors, and agents who integrate with American Family’s systems also experienced outages and disruptions.
Physical building access – Some American Family offices and buildings had systems down, impacting building access systems such as keycard scanners and WiFi networks.
The outages prevented American Family Insurance from conducting business as normal across nearly all operations for several days. The company could not provide estimates on when systems would be restored and advised those impacted to keep checking for updates.
American Family’s Incident Response
According to its statements, American Family Insurance took the following steps in response to detecting the cyberattack:
- Detected unusual network activity indicating a potential security incident.
- Quickly moved to shut down external access to several business systems across the enterprise.
- Disconnected additional internal systems to contain the attack’s spread.
- Commenced an investigation using internal security teams and third-party forensic experts.
- Began bringing systems back online cautiously once confirmed malicious activity was removed.
- Provided updates to customers and the public on service outages.
The company did not publicly share many details about the nature of the attack or their response. However, the steps they did disclose indicate that American Family likely followed standard incident response procedures:
- Detect – Monitoring systems alerted American Family’s security team to suspicious activity.
- Respond – They took swift action to isolate and power down affected systems.
- Analyze – Cybersecurity forensic experts were engaged to investigate the attack’s root cause.
- Remediate – Systems were cleaned, restored, and hardened before turning them back on.
- Recover – Business processes were resumed after ensuring systems were secure.
American Family acknowledged that restoring systems safely would be a gradual process. As a precaution, systems were being brought back online slowly with priority given to the most critical services first.
Potential Long-Term Impacts
In the short term, American Family Insurance customers faced accessibility issues and disruption to services. There could also be some longer-lasting impacts that result from the cyberattack:
Ongoing remediation efforts – American Family will likely continue work to fully restore all systems, monitor for residual issues, and improve security controls going forward.
Increased mitigation costs – The attack may cost American Family Insurance substantially in terms of investigation, remediation, and improving defenses against future incidents.
Tighter security measures – New cybersecurity processes and policies will likely be implemented, such as stronger access controls and system monitoring.
Loss of revenue – Major business disruptions often correlate to short-term dips in revenue as well as costs attributed to mitigation.
Reputational damage – Large-scale cyberattacks can hurt brand reputation among customers. American Family may need PR efforts to maintain trust.
Legal liabilities – If investigation determines customers had personal data compromised, American Family may face regulatory fines, lawsuits, etc.
While American Family indicated that critical data was unharmed, the full impact remains to be seen. The company will need to thoroughly audit for potential data theft, infrastructure damage, and vulnerabilities introduced. Insurance firms also face strict data security regulations that could mean heavy fines if American Family is found non-compliant.
Lessons from the American Family Insurance Cyberattack
The cyberattack on American Family Insurance provides some important lessons for enterprises about cyber incident preparedness and response:
Assume you will be attacked – Have robust plans in place for likely attack scenarios instead of thinking it won’t happen to you.
Limit access – Only provide system access to those who truly need it to reduce pathways for attackers.
Monitor vigilantly – Use advanced tools and analytics to watch for any unauthorized or abnormal activity.
Isolate quickly – At the first sign of intrusion, isolate affected systems to prevent lateral movement.
Control privileged accounts – Adopt the principles of zero trust and least privilege for admin accounts.
Backup regularly – Ensure current backups of critical data and systems are available for restoration.
Inspect backups – Confirm that backups are uncompromised and can fully recover damaged data.
Plan for the worst – Document playbooks for response/recovery of core business functions during outages.
Practice and test – Run cyber incident simulations to evaluate and improve response readiness.
Inform proactively – Communicate early and transparently with customers, partners, and stakeholders when resolving cyberattacks.
American Family Insurance was likely following many standard security best practices but still fell victim to a major attack. All organizations should continually re-evaluate their own cyber resilience and have plans to rapidly detect and respond to security incidents.
Impact on Insurance Industry Security Standards
The cyberattack on American Family Insurance may influence wider security improvements across the insurance industry. Insurance companies hold extremely sensitive customer information and financial data. As a result, they are heavily regulated when it comes to cybersecurity controls and disclosures.
Major security incidents often prompt insurers and regulators to reassess the current standards and practices. In particular, two areas may receive greater scrutiny:
Sharing of cyber threats – Insurers may cooperate more on sharing cyber threat intelligence and risk data to help identify emerging attack trends.
Security control audits – Insurance regulators may increase oversight and auditing to validate company compliance with data protection regulations.
Insurers will also likely evaluate their current cyber insurance coverage. The American Family attack reinforces the growing cyber risks faced by enterprise. It demonstrates that even companies with advanced defenses can suffer major compromises. Businesses of all sizes may seek cyber insurance to mitigate potential costs of security incidents.
At the same time, the insurance industry is still adapting how cyber policies are structured and priced. Insurers continue working to properly model cyber risks in order to set adequate premiums. Expect American Family’s experience to factor into actuarial data used to develop new standardized cyber insurance options.
In October 2023, a major cyberattack brought down key systems for American Family Insurance. The company is still recovering and working to determine the full effects of the incident. This illustrates the serious threat ransomware and other cyberattacks pose to modern enterprises.
American Family Insurance outage
Why are American family insurance systems down?
Why is American family insurance so expensive?
Who is CEO of American Family Insurance?