Cyber thieves' hacking strategy isn’t changing -- it’s expanding, industry experts say. And that's forcing changes in insurers' strategy as well.
At one time, insurers focused cybersecurity efforts solely on preventing theft of payment card systems, social security numbers and bank account records. But,
“While we still put a lot of time and resources into protecting the most critical and sensitive information, we’ve been steadily expanding our high-priority security controls to information which used to be considered low-risk,” Bishop said.
Cyber thieves like to try to gain access to sensitive data through third parties, placing greater emphasis on the part of
“It's now essential for all of our third-party service providers to treat Amica's information with the same level of sensitivity and care that we do ourselves,” Bishop added.
Despite potential risks, Bishop does not view third parties as liabilities, saying they are critical to the process of serving customers. Recent studies by the SANS Institute show vendors play a pivotal role in identifying breaches.
According to the firm’s “3rd Annual Endpoint Security Survey”,
“The question for third parties has always been: 'Is there a legal ethical responsibility to disclose breaches to clients when it happens to them?' The answer is yes,” says Jacob Williams, certified instructor of the SANS Institute and founder of Rendition InfoSec, a consulting firm. “Insurers need written language in contracts that mandate third parties to tell them when they’ve been breached.”
The reality is that not all vendor contracts include these disclosure agreements, says Williams, whose clients comprise insurers, financial firms and manufacturing companies. Instead, they often include non-disclosure agreements.
“When I ask a client, 'Is there a disclosure agreement included in their contract?' and they say, 'I don’t know,' the answer is no,” said Williams. “A little due diligence goes a long way. Even before negotiating with a third party, check the reputation of the company and the organization. Have they been hacked before?”