Lessons for insurers from the Equifax cyberattack
Insurance carriers should concentrate on improving security governance, data protection and breach response strategies in the wake of the Equifax cyberattack, says Tom Benton, vice president of research & consulting at Novarica.
In a September report, Benton notes that IT security has steadily become a top priority for insurers, with 11% of carriers' IT budgets in 2017 dedicated to it. The same report, however, finds that fewer than 20% of chief information officers rank IT security among their top three concerns, as pressure to modernize operations intensifies for carriers.
One lesson the Equifax breach offers insurance companies is the need to keep up with patches and similar updates provided by IT vendors, Benton says. The attack also underscores the importance of conducting stronger assessments of IT security. More than 143 million U.S. consumers' names, Social Security numbers, birth dates, addresses and driver's license numbers were accessed by intruders in July, Bloomberg reports.
“It’s not a matter of if, but when you end up with an incident,” Benton says.
Mid-size insurers in particular are behind the eight ball in cybersecurity because of a lack of available resources. While many large insurers have a designated chief information security officer and a team of IT security specialists, few mid-size companies can say the same, according to Novarica. That responsibility usually lands on the CIO's shoulders.
As a result, a growing number of insurance carriers are turning to IT services firms to conduct end-to-end assessments of their cybersecurity practices. Industry CIOs want to go beyond yearly audits and intrusion detection, Novarica says.
“Mid-size carriers do lots of preventative work, but may not have an updated incident response or communication plan,” said Benton. “When CIOs take on the responsibility, it can become a full-time job and if there’s an incident all their other work has to stop.”
Reviews conducted by third parties are designed to fill gaps in cyber defense, which often stem from the actions or oversights of internal staff. Such gaps are largely preventable through awareness programs and security training. Vendors can also help carriers improve incident response training for employees, or take over IT security operations entirely on an outsourced basis.