Cybersecurity: What Insurers Are Getting Right... Or Not

This past winter’s Anthem and Premera data breaches, in which hackers accessed the personal information of millions of consumers, have the insurance industry reevaluating its cybersecurity practices. Carriers are trying to gain a better understanding of their data, improve data protection controls, and implement stronger oversight programs to monitor third parties and vendors.

“For many years, insurers did not think they were as high on the priority list for malicious actors as other industries such as banking and retail,” says Adam Thomas, a principal with Deloitte Advisory’s insurance cyber risk services team. The massive healthcare insurance breaches have changed all that: Now, insurance companies realize security issues can turn into quantifiable operational and reputational risks — and the issues are related more to data than to infrastructure.

“It’s all about how you secure the data and who has access to that data,” adds Tom Dunbar, head of information risk management at XL Catlin. “Chief information security officers are discussing how to determine what is the most important data; where it is stored, and who can access it.”

The fact that the Anthem and Premera attacks were allegedly foreign, state-sponsored breaches as part of broad intelligence gathering has also given insurance carriers pause. “Perhaps the greatest impact of these events is the confirmation that we’re no longer dealing with just profit-motivated cyber threats,” says Amica CISO Gil Bishop. As a result, he says, “risk analysis has to become more sophisticated and move beyond simply considering the ‘street value’ of given customer data.”

The National Association of Insurance Commissioners (NAIC) has significantly boosted its focus on cybersecurity issues over the past year. It adopted Guiding Principles for Cybersecurity in the spring, and the NAIC’s Cybersecurity Task Force recently announced several new initiatives to help educate the public about online security risks and secure their data. A draft Consumer Cybersecurity Bill of Rights is in review, and state insurance regulators are conducting exams to verify that carriers are taking appropriate steps to protect sensitive data.

In general, security-related mandates in the highly regulated insurance industry haven’t changed much, but the focus and enforcement are being ratcheted up, says Tom Glassic, vice president of policy and government affairs at the Property Casualty Insurance Association. “It’s bringing a lot of needed attention to something that has been a concern for a long time,” he says. “People thought things were brighter than they are, so when they see these stories it raises questions. I think we’re far ahead of areas where there isn’t as intense a regulatory structure, like the retail space.”

What Insurance Gets Right

Experts agree that, overall, many insurers have made important strides regarding issues related to security, including:

1. Establishing executives who are accountable for security.

Most insurance companies now have a Chief Information Security Officer (CISO) who is dedicated to and in charge of security. That executive almost always reported into IT or the CIO, according to Heidi Shey, a Forrester Research analyst who specializes in cybersecurity and privacy, but now more of these CISOs are getting pulled out from under IT. “Many are reporting up to the president or CEO, or even directly to the board,” she says.

2. Putting security risk programs in place.

Insurers have implemented formal security risk programs, including those related to educational awareness, ethical hacking and formal penetration testing, says Mitch Wein, a VP of research and consulting at Novarica. “Most insurers have also established investigation units, often populated with people who were in law enforcement,” he says. “And nowadays there is typically a partnership between the CISO and the investigation unit to make sure all technology elements are dealt with — ten years ago that would not have been the case.”

3. Sharing information with leadership peers.

According to Jim Routh, CISO of Aetna, the more IT leaders share information and intelligence, the more resilient each enterprise’s cybersecurity programs will be. He serves as chairman of the National Healthcare Information Sharing and Analysis Center (NA-ISAC), a collaborative organization of health sector IT leaders. “We participate in coalitions with companies, the data intelligence community, health care providers and others to constantly detect and share information about cyber threats,” he says. “We constantly consume cybersecurity intelligence through information sharing capability and through third-party service providers.”

What Still Can Be Improved

While significant steps have been taken to improve security efforts, there is also agreement that challenges remain, including:

1. Dealing with big data.

Big data is “perhaps the most significant technology trend I’m dealing with today at Amica,” says Bishop. But there is an “all-eggs-in-one-basket” risk involved with protecting the scope and volume of information stored in these massive data marts. “This static risk is difficult enough to mitigate properly, but then there is the greater challenge of facilitating secure user access via the business intelligence software tools which are used to generate value from these repositories,” he says. These business intelligence tools and dashboards are of greatest value, he says, when presented in real time on a user’s tablet, phone or other mobile device.

2. The demand for mobility and “always-on” access.

One of the biggest obstacles to securing data is mobility, says Dunbar, as everyone wants access to data from any device, anywhere and at any time. But controlling that data flow to balance access and protection is challenging: “You need the audit tools and trails that come with big data functionality to understand the vast amount of information that goes with data flow and mobility,” he explains. Carriers also express concerns about securing data in a multi-channel, cloud-based environment, says Monique Hesseling, partner at Strategy Meets Action, who adds that increased use of mobile devices for actual business transactions means making sure that people don’t misplace or lose devices with sensitive data stored on them.

3. The need to go beyond compliance.

If an organization’s approach to security is purely compliance-driven, “it doesn’t cut it anymore,” says Shey. “That’s because you can miss out on other types of data that don’t fall under compliance — for example, data from wearables may not currently fall under HIPAA compliance.” Highly regulated industries like insurance may be well-funded to handle security, but the mindset needs to move beyond compliance towards a corporate social responsibility, she adds.

Managing Risk, Managing Security

All this will expand into a renewed focus on privacy protection, especially with the new solutions and technologies around the use of unstructured data such as text, pictures and video, says Hesseling.

“One example of this is the use of drones; what data collected by drones can be used and what not, considering people’s privacy rights?” she asks. “It will be interesting to note how we balance our customers’ interests in cheaper and more individualized insurance propositions with the protection of our right to privacy, especially in and around our homes and in other private settings.”

Overall, the insurance industry is moving in a more security-focused direction than ever. According to Ash Raghavan, another principal with Deloitte Advisory’s insurance cyber risk services team, there is clearly increased investment and commitment from the C-Suite towards security programs. “Most organizations we have spoken to plan to significantly increase their overall spend on cybersecurity – including getting the right resources and capabilities.”

And the insurance industry may have an advantage over other industries when it comes to handling the uncertainties related to data security: its natural understanding of risk. As Nationwide chief privacy officer Kirk Herath notes, “After all, insurers deal every day with risk of hurricanes, auto collisions and much more.”

Insurance companies understand this and are evaluating how cyber risk permeates all aspects of the business, including operations, processes, reputation and fraud, adds XL Catlin’s Dunbar. “Insurance companies can educate customers on these aspects of data and cyber security as they create new policies to reduce these risks.”

Those risks will continue to increase, experts agree, as mobile access continues to boom and new device categories such as the Internet of Things emerge, so the challenge is simply to stay on top of the potential for criminal activity. “At the end of the day, you’re always trying to get one step ahead of the bad guys,” says Wein.
