Strengthening Cybersecurity in the Insurance Industry

According to a recent study, during a two-year period over 100 million Americans had their personal information compromised through data breaches in the insurance industry.

Insurers and insurance producers must protect the highly sensitive consumer financial and health information collected as part of the underwriting and claims process. This personally identifiable information (PII) is entrusted to the companies by the customers.

Cybersecurity Risk Factors for Insurance Providers

To mitigate the risk of data breaches in the insurance industry, it is important to understand the threats in order to take actions that minimize vulnerabilities. The risks primarily stem from the nature of the insurance business, the data insurance providers collect, and how that data is shared both internally and externally with third parties.

The comprehensive scope of customer data

As a routine part of doing business, insurance firms collect and store massive amounts of personal, identifying data from their customers. This information ranges from general information such as social security numbers and addresses to more sensitive personal data such as health records and payment data. Critical information to protect includes birth dates, social security numbers, driver's license numbers, health records and financial data: these enable identity theft and fraud. Examples include attackers who have used such data to file fraudulent claims with insurers by combining patient identifying information with false provider data. A 2018 study conducted by the Ponemon Institute estimates the average cost to a company per stolen record to be about $150.

In a survey of insurers, 62% reported that "data leakage or data loss prevention" was a high priority for their firm. Additionally, 64% of insurers surveyed reported that "customers' personal, identifiable information is the most valuable information to cyber criminals."

Widespread use of third-party vendors

Insurance firms commonly use multiple service providers including law firms, banks, other insurers, subrogation companies, and related business vendors. Each of these relationships could potentially lead to a data breach. In 2019 alone, HSBC Life Insurance, Humana, Highmark BCBS, Aetna, and United Health were all compromised through a third-party breach.

Insurance firms must not only make certain their cybersecurity programs are maintained according to industry best practices, but also ensure that any third-party vendors are equally secure. According to one expert: "…even the most sophisticated insurance company spending hundreds of thousands of dollars on cybersecurity are only as secure as the weakest subrogation vendor or law firm they utilize."

Trust is vital, especially online

Providing customers with a positive digital experience without compromising on security is key for insurance firms in today’s market. Attacks on insurance firms can result in significant, tangible damages such as lawsuits, legal fees, fines and fraud monitoring costs. For example, following a data breach one organization was obliged to provide affected customers with free credit monitoring for one year, and to reimburse all resulting damages.

In addition to substantial immediate costs to the organization, longer term intangible costs include the loss of customer trust from compromised personal data and potential reputation damage that could impact the insurer’s brand and market value.

Industry Trends Increase Challenges

There are several trends in the insurance industry that are creating additional complexities for securing customer data and mitigating risk of cyberattacks: 

Common Vulnerabilities in the Sector

Cybercriminals know that insurance companies use and store a large amount of personal information on their policyholders. These data pools will continue to be a target of cyberattacks. 

According to a 2019 report by the European Insurance and Occupational Pensions Authority (EIOPA), some of the most frequent types of cyber incidents against insurers are:

In addition, authentication of customers' identity and the customers' increasing demand for integrated digital interaction result in sensitive data on numerous endpoints that must be protected.

Recent Insurance Sector Data Breaches

The data breaches of First American Title Company, Premera Blue Cross, Ameritas, and Anthem Inc. are four examples of recent cybersecurity breaches in the insurance industry.

First American Title Company

On May 24, First American Financial Corp. suffered a data breach compromising 885 million files related to mortgage deeds, the second-largest reported in history at the time. The documents compromised contained bank account numbers and statements, mortgage and tax records, social security numbers, wire transaction receipts, and images of drivers' licenses. The documents were accessible to the public because the company used a standard URL format for document addresses and did not check who was requesting each record. A hacker with knowledge of at least one document link and any web browser could access others simply by modifying the digits associated with the record number. Although the company took down the website, many of the pages remained accessible online. A major class action lawsuit was filed against the company on May 24, 2019.
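The flaw described above is an authorization failure, not a cryptographic one: the server treated a guessable record number as proof of entitlement. The following is an added example, not code from the article or from First American, contrasting a document handler with that weakness against a hardened one that issues unguessable identifiers, checks ownership on every request, and records denied requests so a defender can alert on repeated misses. The server classes, the `alice`/`bob` accounts and the document contents are all constructed for illustration.

```python
"""
Added example (not from the original article): a document-serving pattern with
predictable sequential URLs and no per-request authorization, beside a hardened
handler. All identifiers, accounts and document bodies are constructed.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Document:
    owner: str
    body: str


class VulnerableDocumentServer:
    """Sequential record numbers; the requester's identity is never consulted."""

    def __init__(self):
        self._docs = {}
        self._next_id = 1000  # constructed starting record number

    def upload(self, owner, body):
        doc_id = self._next_id
        self._next_id += 1
        self._docs[doc_id] = Document(owner, body)
        return f"/documents/{doc_id}"

    def fetch(self, requester, path):
        # DEFECT (the pattern the article describes): only the record number
        # is looked up; 'requester' is ignored, so any valid number is served.
        doc_id = int(path.rsplit("/", 1)[1])
        doc = self._docs.get(doc_id)
        return doc.body if doc else None


class HardenedDocumentServer:
    """Unguessable identifiers plus an ownership check on every request."""

    def __init__(self):
        self._docs = {}
        self.denied = []  # (requester, path) pairs, for audit logging / alerting

    def upload(self, owner, body):
        # 128 bits from the OS CSPRNG, URL-safe; not enumerable by counting.
        doc_id = secrets.token_urlsafe(16)
        self._docs[doc_id] = Document(owner, body)
        return f"/documents/{doc_id}"

    def fetch(self, requester, path):
        doc_id = path.rsplit("/", 1)[1]
        doc = self._docs.get(doc_id)
        # Authorization is enforced per request. A missing document and a
        # document owned by someone else produce the same response, so the
        # reply does not reveal whether an identifier exists.
        if doc is None or doc.owner != requester:
            self.denied.append((requester, path))
            return None
        return doc.body


def demo():
    """Return (vulnerable_leak, hardened_leak) for the same cross-account request."""
    vulnerable = VulnerableDocumentServer()
    vulnerable.upload("alice", "alice's deed")
    bob_path = vulnerable.upload("bob", "bob's deed")
    leaked = vulnerable.fetch("alice", bob_path)  # served despite wrong owner

    hardened = HardenedDocumentServer()
    hardened.upload("alice", "alice's deed")
    bob_path = hardened.upload("bob", "bob's deed")
    blocked = hardened.fetch("alice", bob_path)   # None: ownership check fails
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The `denied` list stands in for whatever audit sink a real deployment uses; a burst of denials from one session across many document paths is the signal worth alerting on, and the random identifier only raises the cost of enumeration, it does not replace the ownership check.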

Premera Blue Cross

In May 2014, an attack on Premera Blue Cross exposed data on customer claims, including clinical information, banking account numbers, social security numbers, birth dates and other personal information. While Premera admitted the breach occurred, the company denied evidence that the "stolen information has been used for malicious purposes."

The attack, reported by the company one year later, exposed private records of over 11 million customers who were primarily Washington state residents. In 2019, Premera agreed to pay $74 million to settle a consolidated class action lawsuit related to the breach.

Regulatory Environment Remains Complex

In order to remain in compliance with regulation, insurance companies must have more cybersecurity protections than required of most other industries. The New York Cybersecurity Regulations and the NAIC Insurance Data Security Model Law are two examples detailed below, but the South Carolina Data Security Act, the Ohio Insurance Data Security Law, and Michigan House Bill 6491 are three other notable examples of compliance standards currently regulating the insurance industry.

New York Cybersecurity Regulations

Established by the New York Department of Financial Services (NYDFS), the New York Cybersecurity Regulations went into effect on March 1, 2017 and apply to insurance companies, banks, and other financial institutions. The regulations affect "covered entities" operating under the New York laws governing the banking, insurance, or financial services sectors. The NYDFS developed the regulation to establish adaptable and flexible compliance standards that would allow businesses to assess their risks and implement cybersecurity programs.

One particular regulation specific to the US is 23 NYCRR Part 500, a mandatory regulation requiring "covered entities to calibrate their cybersecurity programs by using periodic risk assessments to determine criteria to identify, evaluate and mitigate risks by establishing appropriate controls and technological developments."

The New York Cyber Regulation uses a risk-based approach versus a complex standards-based approach. It has also set the tone for the development and enactment of new national laws and regulations. 

NAIC’s Model Law

In 2017, the National Association of Insurance Commissioners (NAIC) approved the Insurance Data Security Model Law, dubbed "the Model Law," which establishes compliance standards for data security, investigation, and reporting protocols.

As of August 2019, eight US states have adopted the NAIC Insurance Data Security Model Law. Platforms like OneSpan, a multi-factor authentication system, are already being used by insurance companies to comply with the NYDFS Cybersecurity Regulation. 

Of note, cybersecurity-related trends in the United States insurance industry include the emergence of new state-level laws that insurers should comply with when they design cybersecurity systems. This is especially important with the emergence of cybersecurity solutions that are enabled by artificial intelligence or machine learning.

The Time to Prepare Is Now

Data breaches and cyber-attacks have emerged as the most important risk insurers face. A growing number of CEOs consider cybersecurity the most important emerging risk. That is the purpose behind the development of CyLogic's flagship offering: CyCloud - The Secure Enterprise Cloud. We deliver a higher level of security than any public cloud provider. Our team would be happy to discuss how to mitigate the complex challenges the insurance sector faces.

While every industry can be the target of a cyberattack, the insurance industry is under a unique constant threat. In fact, cybersecurity is a significant and growing concern for the insurance sector.
