Insurance companies in New York face additional cybersecurity requirements under a new law
At some point in recent history, hackers set their sights on a new and potentially game-changing target – the insurance industry. They realized what consumers have known for some time: everyone and every company, at some point or another, needs insurance. And the companies that provide that insurance serve as the hubs into which all that data flows.
Why hack an individual bank or retail chain when you can go for the mothership? Why settle for bits and pieces of a person’s digital life, when you can have much of it in one place?
Tip of the iceberg
For most hackers, insurance isn’t the endgame. It’s the opening act.
Criminals are well aware that insurance companies keep scads of policyholder PII on their servers, essentially shining a giant bat signal into the sky that says “All the data’s over here!”
PII is the bread and butter of these companies and it acts as the gateway to your entire digital footprint, including bank accounts, Social Security records, medical history, passports, and drivers’ licenses. With these nuggets of data gold, shady characters can secure credit cards, bank loans, withdrawals, and all manner of fraudulent transactions in your name.
It’s incredibly convenient for an insurance company to have all of your information in one place. It’s also convenient for hackers.
But wait, it gets worse. An insurance hack can give criminals specific tools, such as answers to commonly asked challenge questions, to access other personal accounts. These questions are often similar to those asked for a bank account or personal email. Once that hacker is inside your email, all it takes is a simple click on “I forgot my password” to bring all of your digital properties to heel.
A rough recent history
In anticipation of these security concerns, the National Association of Insurance Commissioners (NAIC) Executive (EX) Committee established the Cybersecurity Working Group in late 2014 (it has since been absorbed into their Innovation and Technology (EX) Task Force). This body adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance. Their goal was to create a regulatory framework for cybersecurity within the insurance industry.
Alas, while well-intentioned, these measures weren’t enough to stop the recent onslaught of breaches and compromised systems, including:
- In 2015, criminals pummeled Anthem Blue Cross Blue Shield and Premera Blue Cross with breaches that exposed the PII of roughly 78 million customers. The costs to these companies for remediation expenses alone are staggering: $115 million paid by Anthem in July of 2017, along with $230 million for the company to actually respond to the initial incident, and another $128 million to beef up its security systems against future attacks.
- Excellus Healthcare suffered a huge breach between 2013 and 2015 that exposed as many as 10 million records. This has resulted in a class action lawsuit alleging that the group’s umbrella of “companies failed to protect customer information, waited too long to tell customers about the breach and did not give customers adequate information about how to protect themselves in the wake of the breach.”
Of the many lessons learned from these attacks, one stands out: put fences up around access to policyholder information. Examples of such protocols include:
- Practice safe file exchange with dedicated, encrypted solutions that can react quickly to protect user information.
- Encrypt data storage options and limit outside access.
- Secure mobile access. Many insurance companies rely on paper-thin password systems which hackers can easily slice open, though the industry has begun to move towards full device encryption that is monitored 24/7. In addition, it remains too easy for hackers to compromise secure file-sharing systems used within these companies, such as Google Docs, Copy, or Dropbox.
- Protect customer portals. A simple fix such as the addition of HTTPS protocols is a great start but eventually, every insurer will need a dedicated security solution that monitors all company data.
- Back up and encrypt data in the cloud. Other possible solutions include two-step verification and encryption of individual files.
- Implement a secure payment system. It keeps credit card information out of the wrong hands.
The way forward
As has been discussed previously on this blog, a lot changed for the financial services industry in March of 2017, when regulation 23 NYCRR 500 took effect and ushered in a new era of cybersecurity standards in New York State. It affected businesses across the financial services spectrum, including insurance companies.
Cybersecurity awareness must become more integrated into the company culture, through a combination of training, awareness, and involvement at the highest level. Insurers will need to apply these reforms while they also remain under intense pressure to lower costs and create new products and services to boost revenue.
When a New York State insurance company modernizes its IT system, it now must consider cybersecurity an essential component of that process, including the proper staffing to maintain it. This may require a third party to ensure preparedness and proper monitoring.
CyberGuard360 stands ready to help uncover your system’s vulnerabilities and threats, and to use that assessment to drive your program and policies.
CyberGuard360’s clients across four states and 40 industries are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education and training, and disaster recovery, and we specialize in helping New York companies comply with 23 NYCRR 500. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.