4 in 10 Insurers Have Been Breached in Past 3 Years

In the wake of the massive data breach at health insurer Anthem, research from the New York Department of Financial Services indicates that insurance companies generally do a good job of containing cybersecurity breaches.

Though 42 percent of the 43 insurers surveyed reported that their systems had been compromised at least once in the past three years, less than five percent said that data integrity was compromised and none reported identity theft.

The most common tactic that hackers use to gain access to insurers’ systems is malware (33 percent of reported intrusions), followed by phishing (23 percent). Disruption to telecommunications networks and insider access were the most frequently reported consequences of the breaches.

Eight in 10 insurers said their cybersecurity budget had increased in the past three years, and most respondents spend only between three and five percent of their total budget on cybersecurity. All insurers reported using firewalls, malware scanning software, intrusion detection software, encryption of files in transit and anti-virus software in their enterprises, and about 95 percent said they encrypted files in storage.

The largest share of insurers (44 percent) perform penetration tests annually, with one in five performing them quarterly and 30 percent monthly. Two-thirds do their own penetration tests, while 95 percent use a third party for some portion of their tests.

Eighty-one percent of insurers have a dedicated information security executive, including all life insurers. When asked what the primary barriers were to ensuring cybersecurity in their organizations, most insurers cited the increasing sophistication of cyber threats (81 percent) and emerging technologies (72 percent).

“Recent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses,” Benjamin Lawsky, Superintendent of Financial Services, says in a statement. “Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers. Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data.”

The Department of Financial Services will “integrate regular, targeted assessments of cyber security preparedness at insurance companies as part of the Department's examination process; put forward enhanced regulations requiring institutions to meet heightened standards for cyber security; and examine stronger measures related to the representations and warranties insurance companies receive from third-party vendors, among other measures,” the statement also said.
