Insurers Still Have Lots to Learn About Cyber Thieves

After several high-profile hacks in 2015, the insurance industry and its regulators still find themselves learning about the hackers aggressively hunting customers’ personally identifiable information (PII), financial records and medical histories.

Roughly 112 million health records were illegally accessed last year, according to the Office of Civil Rights, a sub-agency of Human and Health services. Attacks on Anthem in February and Premera Blue Cross in March were the low points. Combined, the two reported nearly 90 million files were compromised.

In response, the National Association of Insurance Commissioners Cybersecurity Task Force has proposed a new Insurance Data Security Model Law. The initiative, introduced on Mar. 3, establishes new standards for data security, breach responses and the roles of the regulator.

“Because insurance is a data-driven industry, regulators must understand what data is being collected and for what purpose,” the NAIC said. “Today, regulators and companies have a need for data beyond what has been traditionally collected. But what regulators need is greater insight, not just more data.”

For insurers, standards are one thing, but having a well-managed information security program is another. New NAIC guidelines adopted by all states will greatly simplify the compliance and reporting process, says Amica Mutual Insurance’s CISO Gil Bishop. But that doesn't prevent breaches in the first place, he adds.

“One needs to be cautious to never simply equate compliance with effective security, regardless of the standard applied,” he says.

According to BakerHostetler’s 2016 “Data Security Incident Response Report”, 31% of breaches in 2015 were a result of phishing, hacking and malware, followed by 24% resulting from mistakes by employees. The findings are based on more than 300 cases in insurance, education and financial services the law firm managed last year.

The inconvenient truth for regulators and insurers, however, is that hackers are not just after one piece of data from one particular sector. All information is valuable.

“They want whatever data they can monetize,” said Tom Dunbar, XL Catlin’s head of information risk management. “Executives better understand that breaches can happen to anybody. There is no such thing as 100% security, no matter the education or tech you throw at it. It is just a question of how we handle it, if it happens.”

Insurers witnessed a shift in interest by hackers from the financial sector to their industry two years ago, says Mark Ford, Deloitte’s leader of healthcare cyber risk services. And as Dunbar points out, the variety of data available to hackers makes it very appealing.

Currently, anti-malware and encryption stand as two big ways insurers protect information, according to Dunbar. Data loss prevention (DLP) tools also keep data from going anywhere it shouldn’t. But in theory, all lines of insurance are subject to hacks, Ford says. Insureds that have their life savings tied to investments instead of in a bank account put life/annuity companies at risk, while health data and medical histories, which provide a better overall picture of a persona for identity theft, endanger health providers.

“That’s why children’s hospitals would be a great place to hack into,” said Ford. “They keep it and have 18 years to get it right before they sell it.”

While protecting data is a top priority, the industry is cautious about adding many more security measures, including locks and controls around how data is transferred. The perception is insurers may not underwrite as much business if customers have to sign in to a site just to look at rates.

“It’s a mentality that really hasn’t changed that much in five plus years,” says Julie Bernard, head of Deloitte’s insurance cybersecurity team. “Budgets for security programs have gone up significantly in recent years, but it creates friction.”

Nonetheless, protecting data going forward may be directly tied to CISOs’ ability to adapt to the changing roles of the position. The CISO is now a salesperson, Dunbar says.

“The role of CISO is very business driven now. There are so many avenues for hackers to come in that you can’t just focus on tech,” he said. “Yes, you will have a relationship with your CIO or CTO, but you need to understand the entire business and be able to talk to the CEO and the board as well.”
