The Privacy Protections (H) Working Group session at the NAIC Fall Meeting, held in December 2023, offered exciting news and updates. Jennifer Neuerburg and Shana Oppenheim provided updates on state and federal legislative activities, respectively. Neuerburg summarized that, in the absence of a federal privacy law relating to insurance practices, many states have enacted data privacy laws or are about to tackle this critical issue. Thirteen states have comprehensive data protection laws. Oppenheim reported that Chairman Patrick McHenry, head of the financial committee, is working on the Gramm-Leach-Bliley Law, which is expected to be evaluated shortly.
Eric Ellsworth, a data scientist from Consumers’ Checkbook, provided an educational and informative update on consumers’ increasing concerns about data privacy, the costs of data breaches, and risks in legacy systems. Central to consumers’ heightened concerns was the lack of authority, accountability, and skills to protect their data. Ellsworth gave some staggering numbers relating to the cost of a breach:
- The average ransomware attack cost is $4.65 million, with some incidents costing insurers as much as $40 million.
- The average time to resume normal operations is 22 days.
- Additional cost to brand and reputation.
Ellsworth predicted that over 50% of the large insurance carriers are three times at risk of experiencing a data breach incident. Unfortunately, technical difficulties with the audio precluded Mr. Ellsworth from addressing the risks of data breaches in legacy systems. Judging from his presentation and the audience, the issues surrounding data privacy protection are a hot topic and have the attention of the NAIC.
The presentation highlighted that the rising cost and impact of cyber incidents are forcing many organizations to evaluate their current cybersecurity insurance coverage. However, having insurance alone does not exempt organizations from the pains of a cyber incident. A comprehensive cyber safety and readiness plan is not only prudent, but effectively essential for insurance companies.