Vendors' Cybersecurity is Insurers' Concern, Too

Cyber thieves' hacking strategy isn’t changing -- it’s expanding, industry experts say. And that's forcing changes in insurers' strategy as well.

At one time, insurers focused their cybersecurity efforts solely on preventing theft of payment card data, social security numbers and bank account records. But today’s hackers are after all data, including data that by itself may be of little value but, when aggregated with information from other sources, builds massive repositories for identity theft, according to Amica’s CISO, Gil Bishop.

“While we still put a lot of time and resources into protecting the most critical and sensitive information, we’ve been steadily expanding our high-priority security controls to information which used to be considered low-risk,” Bishop said.

Cyber thieves like to try to gain access to sensitive data through third parties, which puts greater pressure on insurers to vet their vendor relationships. In Amica’s case, all vendors are required to provide documentation of their security policies, network infrastructure diagrams and findings from independent information security audits or assessments.

“It's now essential for all of our third-party service providers to treat Amica's information with the same level of sensitivity and care that we do ourselves,” Bishop added.

Despite potential risks, Bishop does not view third parties as liabilities, saying they are critical to the process of serving customers. Recent studies by the SANS Institute show vendors play a pivotal role in identifying breaches.

According to the institute’s “3rd Annual Endpoint Security Survey”, more than a quarter of respondents said they were first notified of a breach by a third party, for the second consecutive year. Additionally, 44% of the 829 IT professionals surveyed said their endpoint systems had been compromised in the last 24 months.

“The question for third parties has always been: ‘Is there a legal or ethical responsibility to disclose breaches to clients when it happens to them?’ The answer is yes,” says Jacob Williams, certified instructor at the SANS Institute and founder of Rendition InfoSec, a consulting firm. “Insurers need written language in contracts that mandates third parties to tell them when they’ve been breached.”

The reality is that not all vendor contracts include these disclosure agreements, says Williams, whose clients comprise insurers, financial firms and manufacturing companies. Instead, they often include only non-disclosure agreements.

“When I ask a client, ‘Is there a disclosure agreement included in your contract?’ and they say ‘I don’t know,’ the answer is no,” said Williams. “A little due diligence goes a long way. Even before negotiating with a third party, check the reputation of the company and the organization. Have they been hacked before?”
