As ransomware strikes, many insurers still lack dedicated CISOs


With businesses worldwide recovering from two high-profile ransomware attacks in as many months, insurers should be patching up older security systems and hiring full-time chief information security officers, according to Mitch Wein, VP of research and consulting at Novarica.

Many insurance providers, particularly mid-size carriers, tend to have their chief information officers (CIOs) or chief operating officers (COOs) doubling as CISOs, to avoid the salary a dedicated hire would command. But the job requires more than a junior security specialist, Wein says. Today’s cybersecurity practice is more complex than encryption and regulatory compliance, he explains: “Security is not a part-time job, as the [Petya and WannaCry] attacks attest to.”

Wein says that security maintenance, security engineering, data security, application security and risk analytics are among the things insurers should be working on continuously, not just when attacks are in the news.

“Insurers without a full-time CISO are not doing one or two of these things. And if they are, it is part time,” Wein said.

At minimum, a CISO should understand how the carrier’s internal underwriting and claims processes work well enough to gauge the damage an intruder could do after getting in, he adds. The real danger for carriers is attackers reaching core systems and accessing customers’ personally identifiable information, causing major reputational damage to the insurer.

New York State of cybersecurity

Further pressuring insurers to create a dedicated security leadership position is New York’s cybersecurity regulation for financial services companies, which Gov. Andrew Cuomo’s Department of Financial Services put into effect on March 1, 2017. The new rules require financial institutions operating in the Empire State to designate a qualified CISO responsible for overseeing the company’s cybersecurity program.

The regulation takes earlier efforts by the National Association of Insurance Commissioners to set a nationwide standard for cybersecurity through its insurance data security model law and strengthens them, Wein notes in an executive report released Wednesday. Other states are expected to use New York’s rules as a template for future legislation.

“New York State looked at the NAIC rule and didn’t feel it was strong enough,” he said. “It made it more rigorous for any company performing financial services in New York.”

Among its mandates, the rule stipulates that companies must encrypt nonpublic customer information both at rest in their data centers and in transit, maintain a written policy governing the third-party service providers that handle their data, file an annual certification of compliance with the Department of Financial Services, and report a cybersecurity event to the department within 72 hours of determining that one has occurred. Businesses have until March 2018 to comply with most of the rule’s core requirements, with later deadlines for the remaining provisions.

“New York State took the lead in implementing aggressive cybersecurity regulations,” Wein wrote. “I believe most states will copy New York's regulations in the next few years.”
