What does cybersecurity look like for an insurer?

What does cybersecurity look like for an insurer?

Last month, American Family announced that it experienced a cyberattack. The company said it had detected unusual activity in a portion of its network but that there were no compromises to critical business or customer data processing.

Insurance carriers, with their wealth of data, are potential targets for cybercriminals and many aren’t willing to discuss their internal practices for fear of highlighting that. 

Linda Betz, acting CISO and insurance sector lead at FS-ISAC, an industry consortium dedicated to reducing cybersecurity risk across financial services, said in an emailed response that many insurance carriers are focused on complying with the New York State Department of Financial Services amended cybersecurity regulations for financial services companies.

“They are also diving deeper into company resiliency, including a specific focus on ransomware responses that allow for recoverability and continued operations in case of a prolonged IT outage,” Betz said. “The evolution of artificial intelligence has also prompted organizations to investigate for potential to advance their business, as well as put measures in place to better defend against cyberattacks and protect stored data.”

Betz added that insurance companies have been engaging in tabletop cyber incident exercises for years.

“The scenarios are increasingly complex to account for the changing threat landscape, such as new zero-day vulnerabilities, third-party outages or geo-political conflicts that drive cyber risk,” Betz said. “Insurance companies have teams focusing on identifying risks and defining plans based on these practices, as dedicated experts are needed to explain these cyber risks to executive management and the board. New risks can emerge quickly, and cyber teams are always educating their organizations on best practices to ensure they are staying on top of risks.”

See also  Do Insurers Wrongfully Deny Claims Based Upon the Vague Wear and Tear Exclusion?

Tari Schreider, strategic advisor, cybersecurity practice at Datos Insights said, however, that many U.S.-based insurance carriers are actually small businesses. 

“Of the over 5,900 insurance companies operating in the U.S., most are small and have the same cybersecurity needs as small to mid-size companies,” Schreider shared via email. “Their priorities are budget-driven but focus on protecting client data with the generally minimal IT staff they have. Insurance industry margins are slim for the smaller insurance companies, so they are very budget-conscious.”

Recent research from Datos Insights with financial services CISOs shows their concerns include modernizing workforce identity and security, cloud security, zero trust fundamentals, ransomware defenses, data loss protection, API security, CIAM, enterprise risk management, and third-party risk management.

“They just don’t have the resources and their margins are so thin and it’s so competitive. Regulators don’t spend a lot of time looking at them because they are so small,” Schreider told Digital Insurance in an interview. “Based on the size of the company, how much should they invest in cybersecurity? There’s really no sound model and it’s hard to force a company to spend x amount of dollars. … We have USAA, I’m not really concerned about them but I have a smaller insurance policy for my wife’s Rolex watch, with a company that’s very specialized, and I’m more concerned about that one because I know they don’t have the resources to protect their data the way somebody else does. … We all have to accept risk somewhere.”

Schreider added that most data needs to be encrypted. 

See also  Ineos Automotive creates Arcane Works bespoke division for the Grenadier

“You have to live in a world of assumption of breach, somebody is in your network. There are only two types of companies out there, those that have already been hacked and those that don’t know they’ve been backed,” Schreider said. “The infiltration is there and it’s very real. So, the best way to operate is to encrypt anything even if your data is stolen, it’s going to be encrypted and [they] won’t be able to do anything with it.”

Betz said that most organizations are focused on figuring out what personally identifiable information they hold and implementing controls like data masking or encryption. She said that insurance companies also engage in cyber training annually, if not more frequently. 

Shiraz Saeed, vice president cyber risk product leader at Arch Insurance, said reputable insurance carriers are looking to support organizations that are best in class when it comes to cybersecurity. 

“People are looking to carriers for guidance on best practices,” he said. He shared several critical security controls that organizations should deploy including multi-factor authentication, end-point detection and response, 24/7 system monitoring, email security, a vulnerability management program, having plans and policies, employee cybersecurity training and third-party risk management.

Vannessa Smith, vice president within the professional & cyber solutions at CAC specialty, said that there has been a continued focus for businesses on good cyber hygiene. 

“Two years ago, MFA was trending. … We’re seeing a continued focus but it has been taken a step further. You have MFA, but what kind of MFA are you using? Are you using it across all avenues of your operation? Do you have MFA implemented for privileged access?” Smith said. “We’ve seen a shift in focus from the insurance marketplace on privileged access management, with carriers expecting to see privileged access accounts locked down. Most of our clients are trying their best to move to a least privileged access model, only giving those people who absolutely need that access for the amount of time they need it and not keeping what we call, constant privileged access for users within the organization.” 

See also  Who Is The Policy Holder For The Insurance Covered By An Employer?

Smith added that you can have the best policies and procedures in place but the human firewall must also be strong.

“It’s getting the education to your employees, making sure they can see a suspicious email and say, ‘Well, this kind of looks fishy,'” she said. “When people fail, it’s the follow up, ‘Why didn’t you realize that this could have been a potentially harmful email?’ It’s all about education and training.”