DECEMBER 1, 2017

Cyber Security Risks Facing Insurance Companies in 2017

Today’s heightened climate of cyber-threat mitigation has left no industry untouched. Insurance companies, much like the legal, healthcare, and financial sectors deal with a great deal of personal and often sensitive client information. This requires diligence on the part of the company and a commitment to protecting these sensitive assets in a reliable and compliant manner.

Ironically, insurance companies deal with risk on a day-to-day basis. It’s what they do. But the kinds of risks they deal with are somewhat more tangible – and these risks aren’t in a constant state of flux like today’s cyber threats are.

In order to instill confidence and protect their business continuity, insurance companies must recognize the inherent perils and do their best to bring their cyber security up to modern standards to protect their own and their clients’ interests.

International business auditing firm KPMG reports that according to a recent study, only 20% of insurance CEOs believe that their firm is prepared for a cyber security event. 42% realize that cyber security is their most serious concern – outweighing regulatory risk by a significant margin.

Slow adopters, big risk
The insurance sector has lagged far behind other financial-sector industries in its adoption of cyber security technologies, perhaps because insurers have not (so far) been aggressively targeted by cyber thieves. As banks and other financial institutions were among the first under fire, they are now among the most secure. Since they are no longer easy targets, cyber thieves will move on to the low-hanging fruit, and this is where the risk lies.

Insurers retain large amounts of personal and financial data, property information, and more. Regulators are no longer satisfied with vague responses to security concerns. They are pushing for transformation, but it’s been a slow start. Insurers are now actively creating cyber insurance policies for their clients, but to walk the walk they need to start getting their own ducks in a row.

Primary cyber-risks to insurance companies today include:

Infrastructure vulnerabilities and unpatched or previous-generation security software provide easy fodder for hackers, who can potentially do a great deal of damage through theft and other malicious activity. If the company has not yet begun its digital transformation, it may inadvertently be leaving itself open to attack.

The solution: Speak to an IT consultant about migrating some or all of your systems to the cloud. It may be necessary to upgrade workstations and servers, but the result will be increased operational efficiency and next-generation security.

Identity theft can occur as a result of client account breaches. Files that are stored on local servers may not be adequately protected.

The solution: cloud storage provides a range of industry-compliant secure storage solutions that allow for the use of credentials to access sensitive data. Client portals may be implemented as well, supporting improved operational efficiency while ensuring client data is secure. Multi-factor authentication can also be implemented, giving clients peace of mind and providing greater in-house security.

Automated threats such as denial of service (DoS), credential cracking, and vulnerability scanning have the potential to shut down all systems, virtually overnight.

The solution: the implementation of the appropriate security protocols, software, and appliances will effectively shield systems and data from automated threats. Combating the threat goes beyond technology solutions, prompting firms to educate their employees and partners on how to recognize malicious or suspicious activity.

Systemic infection from malicious code could bring a company to its knees very quickly. Ransomware can exist on your system for a good deal of time before it completely takes hold, so often nobody will notice anything different until it is too late. Ransomware demands may be small or monumental, but even if you do pay, there is no guarantee that your systems will be fully restored to their pre-attack state or that files will not be damaged in the process.

The solution: cloud storage and backup solutions offer a range of cyber security features that can prevent malicious code from invading your systems. In addition, the establishment of a disaster recovery plan (DRP) is crucial, ensuring that you can restore your systems and experience a minimal interruption of service.

Lawsuits from clients may ensue if the company experiences a breach that leaves client data vulnerable. You have a legal responsibility to protect all information that is collected and stored for the purposes of doing business. In some cases you may be governed by HIPAA regulations, or by the GDPR if you do business with EU citizens, and it is your responsibility to comply.

The solution: To avoid a potential business and financial disaster, it is always in your best interests to ensure all client data is protected, not just behind a firewall, but with a detailed security policy that is enforced by all employees, partners, and stakeholders.

The time is now for cyber security transformation
Loss of business continuity and loss of reputation may be the least of your worries if sensitive client data is leveraged for nefarious purposes. To those insurance companies who have not yet begun their digital transformation – take this as a sign to begin today.

Outdated computers, servers, and software are not compliant with today’s cyber security needs. While you may have been unaffected up to now, you may soon become the low-hanging fruit cyber-criminals are in search of.

Straddling a number of different sectors, insurers face a unique regulatory landscape because of the breadth of sectoral laws they are subject to, such as HIPAA and the Gramm-Leach-Bliley Act. Additionally, just like every other company in the U.S., insurers are already subject to state and territorial laws on data breach notification, and nearly every state insurance commissioner has imposed cybersecurity breach reporting requirements on the insurance companies they regulate.

Recent data breaches targeting the insurance industry have shown that cyber criminals are no longer limiting their targets to information that can quickly be monetized, such as credit card information. Hackers are increasingly looking to assemble comprehensive data portfolios on their victims that can be used to commit more lucrative, and troubling, forms of identity theft. In January 2015, Anthem Inc. disclosed that nearly 80 million current and former members of its affiliated health plans in several states may have been impacted by a cyberattack on its systems. The information that was potentially accessed may have included Social Security numbers and health care ID numbers. Later in 2015, several other insurers disclosed similar cyber intrusions affecting tens of millions of consumers, including Excellus Health Plan in New York, Premera Blue Cross Blue Shield in Washington and the UCLA Health System.

Depending on the breadth of their portfolios, insurance companies have a wide range of data on individuals from health history to financial data (including credit, payment card and bank account information) to driving history. Anthem and the other industry events serve as a reminder that cyber criminals and, perhaps, nation-state attackers have realized that insurance companies typically store and process significant amounts of personal data from which the attackers may benefit.

Unlike the financial and health care sectors, whose cybersecurity preparedness has been scrutinized by federal regulators for a number of years, insurers may have been able to avoid this intense focus until more recently. As a result, many insurance companies may be leanly staffed in cybersecurity and perhaps less mature than their counterparts in banking and health care.

Going forward, insurers need to keep a close watch on how the NAIC model law develops and whether it is enacted in a state where they do business. In addition, companies can take action now by updating their incident response plans to implement the more noteworthy provisions of the law, such as the short notice period and requirement to provide credit monitoring or other identity theft protection.

Finally, in the current cyber threat environment, resources spent shoring up cyber defenses and preparedness will most certainly be wisely spent.

The NAIC Task Force followed the Cybersecurity Principles and Cybersecurity Roadmap with a proposed “Insurance Data Security Model Law” (the “2016 Model Law”). Unlike the Cybersecurity Principles and Cybersecurity Roadmap, the 2016 Model Act will, once finalized, provide a template for uniform, enforceable obligations for insurance companies with respect to cybersecurity. State insurance regulators will be able to adopt the 2016 Model Act or, at a minimum, use it to modify their existing regulatory frameworks.