After several major insurer cyber breaches, many insurance company owners and executives are asking, “How can I protect my company from a cyber breach?” Let’s first quickly define the term, note the National Association of Insurance Commissioners’ (NAIC) response to the threat, and then look at several ways to help reduce its likelihood.
What is a cyber-breach?
A computer-related intrusion of personal, proprietary, or confidential information, whether intentional or accidental.
Myth: large companies are the actual target for cybercriminals.
Some insurers assume their company is too small to be a target of cyber-crime. Unfortunately, hackers view smaller entities as easy prey because their data is just as valuable as larger companies, and their network typically has a weaker defense.
The NAIC and the U.S. Treasury Department are concerned about cyber breaches and the impact on insurers.
The NAIC adopted the Insurance Data Security Model Law seeking “to establish data security standards for regulators and insurers in order to mitigate the potential damage of a data breach.” So far, eight states have adopted the law. Additionally, the U.S. Treasury Department has urged prompt action by all states within five years, or they recommend Congress act to implement data security regulations. You can read more here.
So, how can your company protect itself from cyber breaches?
To help our clients and prospects shore up their defenses and prevent cybercrime from impacting their business, we have compiled twenty ideas to mitigate the chances of a breach. Keep in mind that every item listed below deserves further detailed guidance; this article is intended as a checklist.
- It all starts at the top, or with upper management. Embrace a security-focused culture and train your entire staff. Educate them in good cybersecurity practices, and they can effectively become additional security personnel. Foster an open and communicative environment. Learn to recognize phishing and other attempts to breach your security.
- Identify, assess, and monitor the cyber-risks. Know the threats and respond accordingly.
- Segregate your IT and cybersecurity staff. Their basic responsibilities can be contradictory, so the functions should be split.
- Not all cyberattacks come from outside your company. Conduct background checks for employees in sensitive positions. Monitor the internal risks and vet key employees.
- Identify and locate your sensitive data and encrypt it. Policyholder data, including personal information, must be safeguarded. Develop and implement a robust and systematic routine that stores data off-site. Cloud-based backups are a good option.
- Limit those who have access to sensitive data. Enforce restrictive data permissions.
- Implement reputable anti-virus, anti-ransomware, anti-malware, firewall, and VPN software.
- Apply any security updates for both the operating system and software applications as soon as possible.
- Develop and use a reasonable data retention policy to help minimize exposed data.
- Enforce strict strong password procedures.
- Use two-factor authentication wherever possible to add another layer of security. Biometrics is another class of security to consider.
- Determine if your company is subject to certain special rules or requirements. Insurance companies are undoubtedly subject to special regulations and requirements in reviewing your cyber-risks. Designing and implementing a cybersecurity strategy will provide comfort to both regulators and rating agencies.
- Develop a plan to monitor and audit your company’s data security and conduct periodic intrusion or penetration testing.
- Carefully evaluate and monitor any 3rd-party providers’ safeguards. Any weaknesses in managing general agents, third-party administrators, payroll processors, and others’ systems could be a door into your data.
- Secure/safeguard/protect the physical hardware. This includes servers, computers, flash drives, and various “BYOD” (bring your own device) such as personal cellphones and tablets.
- Use Virtual Data Rooms to store sensitive data. This could include claims information, regulatory filings, etc.
- Review the FINRA cybersecurity checklist.
- Consider using a cybersecurity firm or specialist to provide additional guidance.
- Develop a response plan to control exposure and recover from any cyber-breach.
- Purchase cyber-liability insurance.
Cybersecurity is a multi-faceted concept.
It begins with a “tone-at-the-top,” or a security-conscious environment. It continues with identifying and assessing risks, designing, implementing, and monitoring appropriate controls, training employees, and obtaining additional assistance from experts as necessary. Using the proactive tips listed above can bring some peace of mind, and a measure of confidence that your insurance company is both protected and prepared.