Today any reasonable person has insurance to protect them from potential risks. We insure our car and home in case something unexpected and damaging happens to them. We also invest in life insurance in case something bad happens to us. After all, we want to have a safety net for us and the family in the worst-case scenario. And for that, we trust and pay insurance companies.
Most of the big names in the insurance industry have been around for decades. Similar to the key players in the financial sector, they had to evolve in recent years to meet the demand of the users to go digital and provide more access to services online. That has led to many benefits for customers but also has created numerous new challenges. Going digital has significantly increased the risks of various cyber attacks for insurance companies. And it will keep getting worse.
If you have an insurance policy you are aware of the types of sensitive data you provide when purchasing insurance. Data of millions of people is stored and processed by insurance companies. All of this information is a very attractive target for hackers worldwide. To go even deeper, insurance companies keep data such as:
- Personal information;
- Financial information;
- Information about your health.
It is correct to say that not even banks know so much about their clients. With the growing risk of cyberattacks, it is reasonable to wonder how prepared are players in the insurance industry to protect themselves from those types of threats? And more importantly – who is ensuring the cybersecurity of insurance companies?
Cybersecurity in the insurance sector
If we have to compare the cybersecurity challenges of the insurance companies to any other type of business the banks are the closest we can get. The difference is that in insurance, even more, sensitive data is stored. To understand better the whole picture, we have to take a closer look at the challenges and regulations that insurance companies have to comply with. We will also explore some tips and good practices that are applied.
Cybersecurity challenges for insurance companies
As we already mentioned, it is expected from the sector of insurance to go digital and be more accessible to the customers. However, many challenges go along with better access and usability for the end-users. Ekran System soon reminded us of some of the biggest breaches in the sector:
- State Farm in the USA was the victim of a credential stuffing attack that led to a breach in their data. However, no further harm was done to the clients of the insurance provider;
- Phishing e-mail attack got the better of Pacific Specialty Insurance Company. Unfortunately, here there was data leakage of sensitive client information;
- Sometimes a flaw in the system may put the information out there. Such was the case with First American Financial. The company unintentionally put in jeopardy data for over 800 000 000 records, both personal and financial.
Insurance companies face the same threats as all other businesses out there that handle sensitive data. An article by Munich RE focuses on the most common cyberattacks that happen. On top of the list are the following:
- Data breaching;
- Ransomware attacks;
- Compromising business e-mails.
Insurance companies have a lot to figure out when it comes to their cybersecurity. They have to store and work with huge data clusters of information and have the big responsibility to keep it safe.
Regulations in the insurance industry regarding cybersecurity
As you will see, institutions don’t rely on the conscience of the companies in the sector of insurance. At least, not when it comes to cybersecurity. There are several regulations in place, and new ones are coming into force soon. The goal is to mandate that insurance companies put more effort into protecting the sensitive data of their clients.
However, the intention might be good, but the result can be mediocre legislative work. Talking about regulations, we can take a closer look at the US and the EU. These are the two main places where insurance companies have to comply with regulatory measures. The best ones support the implementation of technology and cybersecurity solutions that work. The worst ones create more difficulties with no result in improving cyber protection.
A good example from the USA is the NYDFS Cybersecurity Regulation that requires financial institutions to adopt a series of practices that help prevent cybercrimes. This state law can be (and probably will be) the foundation of new nationwide legislation for the states. And on the other hand, there are US states where the state law about cybercrimes prevention is vague. At best.
In a recent article, Ekran Systems outlined the main data protection regulations that insurance companies must meet:
- GDPR – for EU countries;
- Health Insurance Portability and Accountability Act (HIPAA) – for healthcare data (USA);
- Gramm–Leach–Bliley Act (GLBA) – for financial data (USA);
- Sarbanes–Oxley Act (SOX) – for financial data (USA);
- Payment Card Industry Data Security Standard (PCI DSS) – for financial data (USA).
It is important to note that there are a lot of other regulations on the state level (USA) and national level (EU) that affect insurance companies. The companies themselves have internal procedures for these types of things. And if they don’t comply? Well, they bear the risk of huge fines, damage to their business reputation, and potential lawsuits from clients that have had their data exposed and/or stolen.
Good practices and ideas for improving cybersecurity in insurance companies
It is fair to say that insurance companies are adapting to regulations and are adopting the latest trends and good practices in cybersecurity. A lot of them are hiring external experts to handle this sensitive task. Even state institutions have a similar approach. We at 3 Cyber-Sec have consulted and trained staff of the National Revenue Agency (NRA) of Bulgaria, for example.
What insurance companies do (and can do) is related but not limited to the following good practices:
- Improve cybersecurity awareness of the employees on all levels and provide constant training in the area;
- Conduct penetration testing to map out the potential risk of a breach;
- Check for common mistakes other companies do, that lead to breaches;
- Communicate to the customers that cybersecurity is important and that the insurance company is responsible for their data.
Truth be told, good cybersecurity can turn into a competitive advantage for insurance companies in the future. Not to mention all the trouble it can save them too.
Before we say goodbye
As we saw in this article, cybersecurity is crucial for insurance companies. The same is valid for all other financial institutions that handle our money and sensitive data. For some people in the sector, cyber crimes are still something they have seen only in movies. And those are the people that will suffer the most as they are not prepared. We should all be cautious- cyber attacks are only going to increase in the years to come.
The best way to prevent losing a lot of money in the future is to invest in cybersecurity now. We at 3Cyber-Sec are available to discuss any needs that your company might have. Our proven expertise has resolved issues for a lot of clients and helps them sleep better at night. Don’t hesitate to reach out to us!