A recent Insurance Journal article reported vague details regarding a “data privacy event” affecting a Texas insurer in October of 2022. Such events are becoming more common, and insurance companies are finding themselves as targets, left to deal with the fallout when sensitive policyholder data is compromised or stolen.
There is good news. With some effort, insurance companies can protect themselves by proactively assessing their organization from a cybersecurity standpoint, creating a plan, and offering ongoing training.
How do insurance companies prevent a data privacy event from occurring?
A data privacy breach is often a result of poor cybersecurity practices. While it is impossible to thwart all cybersecurity incidents, it is possible to reduce the risk by considering the ABCs of a sound cybersecurity strategy.
- Assessment – Start with assessing the organization’s cybersecurity policy, practice, and preparedness level. A cybersecurity assessment should include not just policy and procedure review but should also integrate hands-on penetration testing. Penetration testing is an active test of an IT network’s ability to defend against attacks. A properly conducted penetration testing campaign should reveal a network’s security posture. When vulnerabilities are uncovered, companies can remediate them before the “real” adversary shows up.
- Be ready – An organization should be prepared and anticipate disaster. Therefore, it is essential both to have a disaster plan in place and to routinely conduct tabletop exercises. In a tabletop exercise, key stakeholders walk through hypothetical scenarios by answering “what if” questions. It’s a low-cost approach to test the controls and the team’s response to a potential cyber incident.
- Continuous and comprehensive training – Many organizations require employees to take annual cybersecurity training, focusing on phishing emails, malware, and social media use. While this is a good start, companies should also extend their cybersecurity training requirements to cover other information security topics, including data protection, data governance, reporting, and social engineering.
Although the above ABCs should be implemented to reduce the likelihood of a data breach or cyber event, cybercriminals are always at work, looking for the next opportunity to take advantage of vulnerabilities, which often feel like a moving target.
What should an insurance company do to minimize fallout if they are the victims of a data privacy or other cyber event?
According to the Federal Trade Commission, organizations facing a cybersecurity incident should consider the following:
- Immediately fix the vulnerabilities with patching and software upgrades and isolate the affected systems
- Mobilize a cross-discipline team consisting of forensics, information security, legal and communication practitioners
- Monitor logical and physical entry and exit points of the network
- Update credentials while simultaneously reducing remote access
- Preserve all evidence
- Notify clients and affected parties
In summary, organizations should be prepared to identify the source and extent of the breach, establish a task force to address the breach, perform and validate security fixes, and inform authorities and affected clients. While it may take months, if not years, to fully understand the impact of a data breach incident, organizations that are prepared and execute a pre-planned and routinely rehearsed response are significantly less likely to experience extreme fallout from a cybersecurity incident.