Top Security Considerations for Insurance Companies
When it comes to cybersecurity, the insurance industry is subject to a range of regulatory issues. Thanks to the wealth of sensitive data they handle, they're also popular targets of hackers. How can insurance firms best mitigate cybersecurity risks? We asked 20 experts.
20 Security Pros Reveal the Top Security Considerations for Insurance Companies (& How to Mitigate Risks)
Companies in the financial services sector, including insurance companies, are heavily targeted by cyber attackers due to the large volume of personally identifiable information – including ultra-sensitive consumer financial data – these businesses handle. As such, they're also highly regulated, and more states are adopting the Insurance Data Security Model Law (most recently, Alabama), requiring insurance companies and other entities (those licensed under the Department of Insurance) to implement and maintain an information security program to better protect consumer data.
But what are the most pressing security considerations facing insurance companies today? To find out, we reached out to a panel of security pros and insurance industry executives and asked them to answer this question:
"What are the top security considerations for insurance companies & how to mitigate?"
Meet Our Panel of Security Pros & Insurance Executives:
Read on to learn more about the top security considerations insurance companies should be aware of and how to mitigate those security risks.
Will Ellis is a Senior Technology and IT Security Consultant and Owner of the Advocacy Group Privacy Australia.
"The first thing to come to mind are data breaches, but it's important to look beyond those towards GDPR-centric legal issues..."
Lawsuits from clients may ensue if the company experiences a breach that leaves client data vulnerable. You have a legal responsibility to protect all information that is collected and stored for the purposes of doing business. In some cases, you may be governed by HIPAA regulation, or the GDPR if you do business with EU citizens, and it is your responsibility to comply. The solution: To avoid a potential business and financial disaster, it is always in your best interests to ensure all client data is protected, not just behind a firewall, but with a detailed security policy that is enforced by all employees, partners, and stakeholders. Pro Tip: Don't be like Facebook and store passwords in plain text. All sensitive data should be cryptographically hashed.
As CIO of Digital Defense, Tom is charged with key industry and market regulator relationships, public speaking initiatives, key integration and service partnerships, and regulatory compliance matters. Additionally, Tom serves as the company's internal auditor on security-related matters.
"There are two primary security considerations for insurance companies to keep in mind as the conduct their daily business..."
Given that many insurance companies conduct a vast majority of their business in an online fashion, it is imperative that their online portals are regularly tested for security both before and after they go live. This means a code review and security testing prior to going live to ensure that there are no software errors present that could place the portal at risk. The testing between releases helps ensure that as new vulnerabilities are discovered "in the wild" that they have testing conducted to make sure that their portal is secure and protected from the vulnerability, either through patching or through mitigating controls such as a web application firewall that can "virtually patch" the portal until the "real" patch is available from the development team to address the matter.
User Security Training
While the technical teams are addressing issues that may arise with the online portal, there is still a place for the CISO or ISO to ensure that the internal end users, often called the weakest link in the security chain, are properly trained so that they don't inadvertently place the organization at risk by clicking on a bad link or opening a malicious attachment. Without this security training, internal end users run the risk of doing potentially more damage than an exploit of the web portal. They could infect the network with remote control trojans or even ransomware, which could cause the insurance company to have to shut down some or all of their operations, depending upon how bad the infestation of the malware is. The security training should address strong password construction, how to recognize phishing attacks, as well as social engineering attempts. Failure to train the internal user base leaves the insurance company in a very precarious spot and likely puts them on the road to being in the news for all of the wrong reasons.
Douglas Crawford has worked for almost six years as senior staff writer, security researcher, and resident tech and industry expert at ProPrivacy. He has been widely quoted on issues relating to cybersecurity and digital privacy both in the UK national press (The Independent and the Daily Mail Online) and international technology publications such as Ars Technica.
"Insurance companies face a unique challenge when it comes to collecting and handling customers' (and potential customers') data..."
This is due to both the sheer volume of it, and the fact that the information stored is often of an extremely sensitive and personal nature.
Not only can this make the consequences of a data beach very severe, but it also makes the data a highly attractive target for thieves. Insurance companies therefore need to take extra care when performing risk assessment on their own security systems.
As with all data security, security comes down to designing and effectively implementing robust systems in order to minimize the company's attack surface to hackers. This includes strictly limiting employees' access to sensitive records and deploying robust security measures such as biometric two-factor authentication for personnel who are authorized to access sensitive records.
It also includes deploying a thorough auditing system to monitor files that have been accessed, and which thoroughly investigates any anomalies or violations that are discovered. When staff members are discovered to have breached security protocols, meaningful sanctions must be enforced to ensure that protocols are followed correctly.
Jason Fisher is the owner of BestLifeRates.org, a national and independent consumer resource for life insurance, and a multi-state licensed insurance agent.
"Within the life insurance industry, there are growing concerns for..."
Security and data breaches, especially as the industry as a whole is moving towards a substantially growing number of data fed entries by the consumers on the front end. As the insurance companies are seeking to make more accurate and significantly faster decisions, even using Artificial Intelligence to do so, it involves consumers inputting more data into the pipeline even before they make contact with a live agent, which is now preferred by both the insurer and consumer making the purchase.
One thing to note about the life insurance industry right now is a push towards what we call no exam life insurance products, which, by the name, mean they can be approved without the typically required medical exam. While it seems less intrusive, it can actually require much more data being utilized by the carrier in-house in order to make these near-instant decisions. If there were a breach, there is quite a bit of personally identifiable information available, and an even greater layer if there were to be a breach where medical records, MVRs (Motor Vehicle Records), MIB (Medical Information Bureau) records, and financial information were to be lost.
Lillian Hardy is a Partner at Hogan Lovells who has managed incident response, remediation, fact investigations, and notification and reporting obligations in breach incidents for Fortune 500 companies.
"Insurance companies need to be implementing a..."
Comprehensive data protection strategy that includes training employees across departments, appointing internal cybersecurity representatives, vetting third-party partners, and deleting unnecessary consumer data.
Bret Cohen is a cybersecurity attorney at Hogan Lovells.
"Insurance companies would be well-advised to..."
Examine whether their cybersecurity practices and policies may subject them to regulatory action by the FTC in the event of a data breach. According to Bret, on a case by case basis the FTC considers it an unfair practice for companies to fail to maintain reasonable and appropriate technical standards.
Scott Terrell is the Senior Vice President and Chief Information Officer of HealthMarkets, one of the largest independent health insurance agencies in the U.S. that distributes health, Medicare, life, and supplemental insurance products from more than 200 companies. Scott has more than twenty years of experience in the IT field and received the Corporate CIO of the Year ORBIE Award in 2018.
"Ensuring that the data we have on customers is safe and secure is absolutely critical..."
There is nothing more personal or important than one's health, and we are very conscious that we protect information associated with that. To that end, we work hard to ensure that are no breaches with our customer data.
Allan N. Buxton is the Lead Forensic Examiner of Secure Forensics. Allan is a key component to what makes Secure Forensics an industry leader in the computer forensic and cybersecurity sector. Over his 17+ years of experience, Allan has logged nearly 600 hours of training in computer and mobile forensic software and techniques.
"I think the top cybersecurity risk to an insurance provider is still inadvertent disclosure of customer data..."
In an age where consumers expect an app and possibly a plugin for their car as well as connectivity options, attack vectors only increase. The best way to avoid that is to spend the time conducting a vulnerability assessment of any apps or devices as well as the network assets related to them prior to making it a consumer offering.
Rodrigo Montagner is an Italian-Brazilian IT Executive with 20 years of experience managing multiple IT environments internationally. He is currently CEO of OM2 TECH Consulting Solutions.
"The top security considerations for insurance companies are..."
Data integrity, the intrusion prevention structure inside their security departments and data availability at the highest level. Data integrity means all the data from customers should be structured, with multiple contingencies and at the highest level of security.
Intrusion prevention, in this case, means, all possible detection systems and software, as well as a good and muscular ISEC program to process the security.
Data availability means having customers' and internal processing data at the most possibly organized structure, diminishing any data theft risks, by covering all data by the previous two items.
Joshua L. Davis has over 20 years of software and security experience. He began his career as a Research Scientist at the Georgia Tech Research Institute on efforts primarily for the U.S. Department of Defense and federal government. Joshua recently left academic research and joined Circadence, a cybersecurity gaming company, where he is applying his expertise globally.
"The top security considerations for insurance companies right now are..."
Ransomware attacks and a company's likelihood of being targeted. The company can mitigate this by knowing what their workforce's resiliency is to a targeted attack and by having a strong workforce security posture.
Steven Solomon is a business and technology leader with over a decade of sales experience in the information technology field. Mr. Solomon is actively a guest speaker at information security forums and holds technical certifications in this field.
"Insurance companies face security challenges similar to most organizations today..."
Having a multi-layered security strategy helps insurance companies reduce the risk of data breaches that result in the theft of intellectual property, customer information, business information, and/or other sensitive data. A holistic approach to securing insurance company systems begins by adopting the requirements of the National Institute of Standards and Technology (NIST) Cyber Framework. Insurance companies need to identify and inventory their IT assets for better management and maintenance, and then protect those assets by prioritizing mission critical systems and implementing best-of-breed security products and services. Some protections may include access control, network security, endpoint security, data encryption, and event monitoring. Insurance companies will also need to detect systems that are compromised or vulnerable to exploitation and create a response plan that is process-oriented to reduce the recovery time of all affected assets across the organization. The best security plans are those that are iterative, process-oriented, and agile to a dynamic threat landscape where new attack vectors and techniques require insurance firms to stay alert at all times.
Zohar Pinhasi is a counter cyberterrorism expert and cyber intelligence threat specialist with nearly 20 years of experience in cybersecurity. A former IT security intelligence officer for the Israeli military, he is now the founder and CEO of MonsterCloud.
"A top security concern for every insurance company these days is ransomware attacks..."
If you're looking for a reason, look no further than the massive amount of data nearly every insurance company stockpiles – it's a gold mine for cyber criminals.
Ransomware attacks are hardly new; the tactic employed by both domestic cyber criminals and foreign operatives uses a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a significant fee to the attacker.
Insurance and healthcare facilities are priority number one for cyber criminals because of the sheer volume of data they store on patients and customers. If one gig of data could be worth as much as $10,000, can you imagine how much 500 TB would be worth? These are the numbers that ransomware attackers take into consideration.
The best way to mitigate such a risk is to protect yourself before it happens. It is very difficult to decrypt hacked files, and it can be even trickier navigating a negotiation with a cyber criminal. Your best bet is to prevent the situation in the first place. I recommend bug bounty programs and hackathons, where you put skilled hackers on your payroll and pay them to try and breach your systems. In this way, you'll be able to identify vulnerabilities BEFORE they can be exploited.
Michael J. de Waal
Mike de Waal is president and founder of Ottawa-based Global IQX, a leading software provider of web-based sales and service solutions to employee benefits insurers. He has deep experience in both software development and business management skills.
"The top threats facing insurance companies are..."
Trojans, worms, viruses, professional hackers and cyber-extortionists, disgruntled current and former employees, and user errors and carelessness. To mitigate these risks:
- Use VPN, virtual private network.
- Secure your devices. Be mindful of every app you install and the permissions and access you give them. If an app is free, you're usually paying with your data. Remove pre-installed apps you don't use – so called bloatware. Consider turning off cookies and tracking.
- Secure your messaging. Consider Signal, BBM, or Whatsapp (if you trust Facebook).
- Don't use public Wi-Fi.
- Stay aware of the threats. Potential data breaches lurk around every corner. You can stay aware of the changing threat environment and protect yourself with a system such as McAfee or AVG, but you also need to occasionally read tech blogs to understand what new threats are emerging.
- Control your user permissions. With employees coming and going, people working remotely, and more smartphones accessing company networks, it's more important than ever to tightly control user permissions within your brokerage. Limit the access offsite employees have and make sure to revoke unnecessary permissions when employees leave or change positions. Software such as Varonis can assist you.
- Update passwords regularly and frequently. One of the easiest ways for a hacker to breach your system is by cracking your password – which is increasingly easy to do when the most popular passwords include password and 123456. Make sure you and each of your employees changes passwords several times a year. You can use programs such as Dashlane Business to manage passwords, generate unique passwords, and create two-factor sign-in authentication for device access.
- Stay safe in the cloud. Brokers are increasingly relying on cloud-based data storage solutions, but not every cloud is created equal. Make sure the clouds you use have features such as encryption when files are being transferred as well as when they're not. Secure clouds use data file sharding – a process in which data is broken up into several different portions, each of which is encrypted separately.
- Create a post-breach action plan. None of us ever intends to be breached, but even if we do all we can to avoid it, we could still become victims. If we do, we need to act quickly. That's why it's good to have a post-breach action plan as part of your general disaster planning.
- Choose the right collaborative software. Whether you have employees working remotely or you have online meetings and webinars, you need to choose collaborative software that minimizes your risk of data breach. Choose tools that encrypt messages and have two-factor authentication at sign-in.
Gerry Bosco is a finance expert who has experience from client-facing roles through working in management levels within one of the largest global financial institutions, Adelaide Broker.
"Data security is essential for any insurance firm..."
With the sheer amount of personal, health, financial and identity information on file, the inter and intra distribution of data should be set within a documented process to avoid inconsistencies creating vulnerabilities. Any insurance company should have encrypted storage of all client sensitive data, secure encrypted intranet access for distribution within the organization and secure encrypted external access – whether this is via a portal, email distribution, etc.
Alexander Miasoiedov is a Product Engineer at Mav.farm and former Software Engineering Manager and Head of CV Backends at Ring.
"I would characterize the root cause of the most recent data breaches as..."
Insufficient network or system security of cloud infrastructure. The security issues with unauthorized access to publicly available databases with insurance records have been documented in various media over time and have been discussed by a number of industry groups on a variety of fronts. In some notorious cases, the database hosted on AWS was not even secured by a password or SSL. I think it's important to have a strong and secure network and database configuration. Likewise, instrument a protection from network port scanner on any Internet-facing gateway or software defined networks. The most common practice is to deploy a honeypot for database/SSH/admin panel to your cloud provider and distract attackers from real resources. Your security team can track and get signals from such attack sources and automate security procedures.
Mika Edword is passionate about customers and building products to change the way people run their business. She is also a big supporter of the startup community and contributing her skills, knowledge, and experience to assist people pertaining to insurance back office matters.
"As compared to other financial industries, the insurance sector is still far behind in the adoption of cybersecurity..."
The cyber thieves are more focused on banks and other financial institutions, but now, these institutions are well secured in terms of cybersecurity. Now they are not an easy target, so cyber thieves are targeting insurers, a low hanging fruit where the risk lies because insurance firms contain large amount of information about personal, financial, property, and more.
But insurance firms are now starting to create cyber insurance policies for customers, but first, they need to secure their cyber area.
Major cyber risks:
- Use of outdated security software provides an easy way in for hackers. They should opt for cloud systems or talk with an IT consultant if they need to upgrade workstation servers, which results in increased efficiency and next-generation security.
- Threats like credential cracking and vulnerability scanning can shut the whole system down overnight virtually. To overcome this threat, first educate your employees and partners to identify malicious or suspicious activity. Also implement security protocols, software, and appliances which can guard the data from threats.
- Systemic infection. We all know about ransomware; it exists in systems. The solution is to use cloud storage and have backup solutions with a wide range of cybersecurity features that can guard the system from malicious code.
Over his 25-year career in enterprise software, Jack Kudale has built a successful track record in hyper-growth strategies, global sales execution, and entry into new verticals and markets. He is currently the founder and CEO of Cowbell Cyber and previously held executive roles at Cavirin, Lacework, and SnapLogic.
"Beyond the current lifecycle of prediction, identification, and remediation..."
Financial services companies, including insurance companies, should focus on response, recovery, and residual in the aftermath of cyberattacks. Cyber risk transfer is one of those tools enterprise risk managers can leverage to plan for a standalone, comprehensive, and individualized cyber insurance coverage that will protect them from financial losses and regulatory fines caused by evolving cyber events.
Joe Kelly is the CEO of Business Network Consulting.
"For insurance companies, client information, payment processing, and online portals contribute to the hacking stories that make headlines daily..."
It's of the upmost importance to secure the aforementioned assets to mitigate risk.
Insurance companies also need controls over sharing client information. Not everyone needs access to all data, and sometimes confidential and PII needs to be shared with external sources such as other insurance companies. A safe file sharing services is needed – absolutely not email. Insurance companies house a myriad of ultra-sensitive data and owe it to their clients to secure this valuable data properly.
As a founder of Vestige, Greg has been involved in the digital forensics field since 2000. He is responsible for the creation of Vestige's infrastructure and continues to oversee the process of standardizing and streamlining Vestige's forensic analysis to provide consistent high-quality results in a timely basis.
"It starts with insurance companies understanding what data they have and what regulations govern how that data is protected..."
Because of the type of data that insurance companies hold, a security incident for them may cause a different response than the same security incident for another company. For example, if a company that doesn't have any electronic data governed by some regulation (such as HIPAA) gets infected with ransomware, their only concern may be getting their data back. However, if an insurance company gets infected with ransomware, they may have to consider a forensic examination to verify that no protected data was accessed or taken. The very nature of a ransomware attack means that some unauthorized entity gained access to your network, and therefore an insurance company may find it necessary to verify that the unauthorized entry into the network was solely just for the purposed of planting ransomware.
Mitigating this security consideration would involve having protections in place for their protected data such that any forensic examination as to unauthorized access or taking of the data can be better confined to specific devices or processes. Not having control of the protected data can lead to more wide-reaching forensic examinations or forensic examinations that can't definitively answer whether protected data was accessed or taken because the proper controls are not in place.
Gabe Turner is the Director of Content at Security Baron, a website dedicated to keeping people safe and secure both in person and online.
"One of the biggest security considerations that insurance companies are concerned with is break-ins..."
That's why many insurance providers offer discounts for home security systems and deadbolts. Discounts can be as high as 20%, particularly if you sign up for 24/7 professional monitoring. 24/7 professional monitoring will be alerted whenever any of your alarms go off and, after calling the homeowner, can call emergency services if necessary. Companies that provide discounts for security systems include Allstate, Safeco, and NJM Insurance Group.