Combatting Cyber-risks in the Insurance Industry

May 19, 2022
Data Protection, IT Security, IT Services

When it comes to risk, what business sector knows it better than the insurance industry? After all, insurance companies are in the business of assuming and diversifying risk, and insurance policies are used to hedge against the risk of financial losses.

Unfortunately, companies in the insurance industry have their own risks to face – including those posed by cybercriminals. That’s because these companies have something hackers want: personally identifiable information (PII).

Insurers collect, process and store a wide variety of information on individuals. Depending on the type of insurance services provided, that information could include anything from Social Security numbers and credit reports to prescription histories and driving records. Most of it could be used to identify specific individuals, which is why it’s considered PII.

This wealth of personal data makes insurance companies popular targets for cybercriminals, and frequent victims of data breaches. That same data also makes them subject to numerous laws, regulations, industry standards and contractual requirements related to data privacy and security.

Free eBook: Data Security and Data Privacy in the Insurance Industry

The Compliance Landscape

Companies in the insurance industry have long been heavily regulated, and subject to regulations at the federal, state, and local levels. With the increasing use of digital technologies and data analytics, along with increases in cyberattacks, the list of requirements specific to data security and privacy is expected to grow. Failure to comply can subject insurance companies to significant penalties, among other negative effects.

Among the requirements insurance companies may be subject to are:

• The General Data Protection Regulation (GDPR)
• The California Consumer Privacy Act (CCPA)
• The Health Insurance Portability and Accountability Act (HIPAA)
• The Gramm–Leach–Bliley Act (GLBA)
• The Sarbanes–Oxley Act (SOX)
• The Payment Card Industry Data Security Standard (PCI DSS)
• Federal Information Security Modernization Act (FISMA)

An increasing number of states are also adopting the NAIC Insurance Data Security Model Law. It requires insurance companies and other entities (those licensed under the Department of Insurance) to implement and maintain an information security program to better protect consumer data.

Cybercrime Pays

No one gets rich on noncompliance penalties (although they’re costly to the organizations that have to pay them), but they do on cybercrime. The 2022 cybercrime economy is worth at least $1.2 trillion, according to economists. That makes it the 15th largest economy in the world, by International Monetary Fund estimates.

The opportunity to steal or hijack personal data is the big motivator, as well as the potential for insurance fraud. Not surprisingly, nine out of ten insurance industry data breaches are financially motivated.

Where the Risks Are

There’s no shortage of cyberthreats facing insurance companies. Here are some of the most common – and costly.

• Cloud Exploits. Despite its built-in security advantages, the cloud is still susceptible to threats such as DDoS, injection attacks, misconfiguration and account hijacking
• Patch Management. Failing to update software patches makes an organization vulnerable to numerous data breaches.
• Ransomware. Ransomware is malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. They don’t always follow through with decryption, and once a ransom is paid, victims set themselves up for future attacks.
• Social Engineering. Social engineering takes advantage of human psychology to compromise victims’ information. Common attack types are phishing, pretexting, baiting, quid pro quo, and tailgating.
• Third-party Exploits. Hackers can use malware to access sensitive data through a company’s third-party providers. It’s imperative to understand each of vendors’ cybersecurity posture and ensure they employ best practices for data protection.

Data Security and Privacy Tactics

As can be expected, there’s no single solution that can protect insurance companies against every kind of cyberattack ─ or ensure compliance with data privacy and security regulations and requirements. However, layering on various defense mechanisms can help. It’s an approach known as defense in depth (DiD).

The idea is to use multiple cybersecurity solutions to provide protection at the perimeter, application, endpoint, and physical security layer. If one mechanism fails, another is available to thwart an attack. And if an attack is successful, you can at least contain the threat and mitigate potential damage.

The use of several layers of security technologies, along with numerous security protocols, can also help meet many of the technical and process requirements associated with various data privacy and data security laws and standards.

The US Signal Approach Advantage

US Signal has extensive experience in working with companies across a wide range of industries, insurance included. We understand the value of DiD strategies in meeting data privacy and data security needs. We have the services, resources and expertise to help organizations in the insurance industry – and any other industry for that matter – implement them.

We also know that insurance companies often must strike a balance between technologies that drive innovation and transformation and their legacy IT systems and applications. By taking the time to understand each customer’s unique systems, challenges, and plans, we can devise solutions and options that best meet their specific needs – whether it’s a cloud service, colocation, data protection, or a combination of the various services we offer.

Contact US Signal at 866.274.4625 or [email protected] and speak to a solution architect.