According to a recent study, during a two-year period over 100 million Americans had their personal information compromised through data breaches in the insurance industry.
Insurers and insurance producers must protect the highly sensitive consumer financial and health information collected as part of the underwriting and claims process. This personally identifiable information (PII) is entrusted to the companies by the customers.
To mitigate the risk of data breaches in the insurance industry, it is important to understand the threats in order to take actions that minimize vulnerabilities. The risks primarily stem from the nature of the insurance business, the data insurance providers collect, and how that data is shared both internally and externally with third parties.
As a routine part of doing business, insurance firms collect and store massive amounts of personal, identifying data from their customers. This information ranges from general information such as social security numbers and addresses to more sensitive personal data such as health records and payment data. Critical information to protect includes birth dates, social security numbers, driver's license numbers, health records and financial data, all of which enable identity theft and fraud. For example, attackers have used such data to file fraudulent claims with insurers by combining patient identifying information with false provider data. A 2018 study conducted by the Ponemon Institute estimates the average cost to a company per stolen record to be about $150.
In a survey of insurers, 62% reported that "data leakage or data loss prevention" was a high priority for their firm. Additionally, 64% of insurers surveyed reported that "customers’ personal, identifiable information is the most valuable information to cyber criminals."
Insurance firms commonly use multiple service providers including law firms, banks, other insurers, subrogation companies, and related business vendors. Each of these relationships could potentially lead to a data breach. In 2019 alone, HSBC Life Insurance, Humana, Highmark BCBS, Aetna, and United Health were all compromised through a third-party breach.
Insurance firms must not only make certain their cybersecurity programs are maintained according to industry best practices, but also ensure that any third-party vendors are equally secure. According to one expert: "…even the most sophisticated insurance company spending hundreds of thousands of dollars on cybersecurity are only as secure as the weakest subrogation vendor or law firm they utilize."
Providing customers with a positive digital experience without compromising on security is key for insurance firms in today’s market. Attacks on insurance firms can result in significant, tangible damages such as lawsuits, legal fees, fines and fraud monitoring costs. For example, following a data breach one organization was obliged to provide affected customers with free credit monitoring for one year, and to reimburse all resulting damages.
In addition to substantial immediate costs to the organization, longer term intangible costs include the loss of customer trust from compromised personal data and potential reputation damage that could impact the insurer’s brand and market value.
There are several trends in the insurance industry that are creating additional complexities for securing customer data and mitigating risk of cyberattacks:
Cybercriminals know that insurance companies use and store a large amount of personal information on their policyholders. These data pools will continue to be a target of cyberattacks.
According to a 2019 report by the European Insurance and Occupational Pensions Authority (EIOPA), some of the most frequent types of cyber incidents against insurers are:
In addition, authentication of customers' identities and customers' increasing demand for integrated digital interaction result in sensitive data residing on numerous endpoints that must be protected.
The data breaches of First American Title Company, Premera Blue Cross, Ameritas, and Anthem Inc. are four examples of recent cybersecurity breaches in the insurance industry.
On May 24, First American Financial Corp. suffered a data breach compromising 885 million files related to mortgage deeds, the second-largest reported in history at the time. The compromised documents contained bank account numbers and statements, mortgage and tax records, social security numbers, wire transaction receipts, and images of driver's licenses. The documents were accessible to the public because the company used a standard URL format for document addresses. Anyone with knowledge of at least one document link and any web browser could access others simply by modifying the digits associated with the record number. Although the company took down the website, many of the pages remained accessible online. A major class action lawsuit was filed against the company on May 24, 2019.
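The flaw described above, a sequential record number in the URL served with no check on who is asking, is an insecure direct object reference. The following added example (not First American's code; the document store and owner names are constructed) shows the vulnerable lookup beside a hardened form that addresses records by unguessable tokens and authorises every fetch against the authenticated caller:

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample store (record number -> (owner, content)); not real data.
DOCUMENTS: Dict[int, Tuple[str, str]] = {
    1001: ("alice", "deed #1001"),
    1002: ("bob", "deed #1002"),
    1003: ("carol", "deed #1003"),
}

def fetch_document_vulnerable(record_id: int) -> Optional[str]:
    """Mirrors the flaw described above: the URL carries a sequential record
    number and the handler never asks who is requesting, so a holder of one
    link reaches neighbouring records by changing the digits."""
    entry = DOCUMENTS.get(record_id)
    return entry[1] if entry else None

def audit_enumeration(known_id: int, radius: int) -> int:
    """Defender's check: how many records a single leaked link exposes when ids
    within +/- radius are tried with no credential at all."""
    ids = range(known_id - radius, known_id + radius + 1)
    return sum(1 for i in ids if fetch_document_vulnerable(i) is not None)

class DocumentService:
    """Hardened form: records are addressed by random, unguessable tokens, and
    every fetch is authorised against the authenticated caller (assumed to be
    established upstream, e.g. by the session layer)."""

    def __init__(self, store: Dict[int, Tuple[str, str]]) -> None:
        self._by_token: Dict[str, Tuple[int, str, str]] = {}
        for record_id, (owner, content) in store.items():
            token = secrets.token_urlsafe(32)  # 256 bits: no adjacent ids to walk
            self._by_token[token] = (record_id, owner, content)

    def link_for(self, record_id: int, caller: str) -> Optional[str]:
        # The opaque link is issued only to the record's owner.
        for token, (rid, owner, _) in self._by_token.items():
            if rid == record_id and owner == caller:
                return token
        return None

    def fetch(self, token: str, caller: str) -> Optional[str]:
        entry = self._by_token.get(token)
        # One answer for "no such token" and "not your record": the token alone
        # is never sufficient, and a wrong caller learns nothing about existence.
        if entry is None or entry[1] != caller:
            return None
        return entry[2]
```

The token is a bearer secret for the link itself, so it should still be delivered over TLS and rotated or expired like any other credential; the ownership check is what prevents a leaked link from exposing other customers' records.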
In May 2014, an attack on Premera Blue Cross exposed data on customer claims, including clinical information, bank account numbers, social security numbers, birth dates and other personal information. While Premera admitted the breach occurred, the company stated there was no evidence that the "stolen information has been used for malicious purposes."
The attack, reported by the company one year later, exposed private records of over 11 million customers who were primarily Washington state residents. In 2019, Premera agreed to pay $74 million to settle a consolidated class action lawsuit related to the breach.
In order to remain in compliance with regulation, insurance companies must have more cybersecurity protections than are required of most other industries. The New York Cybersecurity Regulations and the NAIC Insurance Data Security Model Law are two examples detailed below, while the South Carolina Data Security Act, the Ohio Insurance Data Security Law, and Michigan House Bill 6491 are three other notable examples of compliance standards currently regulating the insurance industry.
Established by the New York Department of Financial Services (NYDFS), the New York Cybersecurity Regulations went into effect on March 1, 2017 and apply to insurance companies, banks, and other financial institutions. The regulations affect "covered entities" operating under the New York laws governing the banking, insurance, or financial services sectors. The NYDFS developed the regulation to establish adaptable and flexible compliance standards that allow businesses to assess their risks and implement cybersecurity programs.
One particular regulation specific to the US is 23 NYCRR Part 500, a mandatory regulation requiring "covered entities to calibrate their cybersecurity programs by using periodic risk assessments to determine criteria to identify, evaluate and mitigate risks by establishing appropriate controls and technological developments."
The New York Cyber Regulation uses a risk-based approach versus a complex standards-based approach. It has also set the tone for the development and enactment of new national laws and regulations.
In 2017, the National Association of Insurance Commissioners (NAIC) approved the Insurance Data Security Model Law, dubbed "the Model Law," which establishes compliance standards for data security, investigation, and reporting protocols.
As of August 2019, eight US states have adopted the NAIC Insurance Data Security Model Law. Platforms like OneSpan, a multi-factor authentication system, are already being used by insurance companies to comply with the NYDFS Cybersecurity Regulation.
Of note, cybersecurity-related trends in the United States insurance industry include the emergence of new state-level laws that insurers should comply with when they design cybersecurity systems. This is especially important with the emergence of cybersecurity solutions that are enabled by artificial intelligence or machine learning.
Data breaches and cyber-attacks have emerged as the most important risk insurers face, and a growing number of CEOs consider cybersecurity the most important emerging risk. That is the purpose behind the development of CyLogic's flagship offering: CyCloud - The Secure Enterprise Cloud. We deliver a higher level of security than any public cloud provider. Our team would be happy to discuss how to mitigate the complex challenges the insurance sector faces.
While every industry can be the target of a cyberattack, the insurance industry is under a uniquely constant threat. Cybersecurity is a significant and growing concern for the insurance sector.