Cybersecurity Importance - Insurance Industry
Three of the top reasons why cybersecurity is important for insurance firms are the massive amounts of identity data that insurers collect on their customers, the widespread use of third-party vendors and business partners, and the heightened regulatory requirements for the security of insurance firms.
Massive Amounts of Identity Data
- The most important reason for insurance firms to have top-notch cybersecurity capabilities is that insurance firms by nature collect and store massive amounts of personal, identifying data from their customers.
- This information ranges from the basic, like Social Security numbers and addresses, to the more complex, like health records and payment data.
- In a survey of insurers, 62% reported that "data leakage or data loss prevention" was a high priority for their firm.
- Additionally, 64% of insurers surveyed reported that "customers’ personal, identifiable information is the most valuable information to cyber criminals."
- In most known security breaches at insurance companies, this personal customer data has been obtained. Examples include the July 2016 breach of a US health insurer in which 3.7 million customers and health care providers had confidential data stolen, a 2015 breach of a different health insurer in which the personal data of 78 million users was obtained, and another 2015 IT breach of a different insurer in which identifying data for 1.1 million members was compromised. These are just some of many examples.
- If consumer data is compromised, consumer confidence in the insurance brand is damaged and there can be severe financial consequences.
Widespread Use of Third-Party Partners
- Insurance firms also make use of many third-party partners like subrogation vendors, law firms, and other business partners.
- As such, insurance firms must make certain not only that their own cybersecurity programs are state of the art, but also that those of any third-party vendors they use are on par. In the words of the experts, "even the most sophisticated insurance company spending hundreds of thousands of dollars on cybersecurity are only as secure as the weakest subrogation vendor or law firm they utilize."
- Currently, this does not seem to be happening. When surveyed, only 41% of insurance companies stated that they held their partners to "the same cybersecurity standards as they do their own business."
- If a data breach were to happen at one of an insurance firm's business partners or contractors, the fallout in terms of business reputation, consumer trust, regulatory fines and financial losses could be the same as if the breach had occurred at the insurance firm itself.
- In January of 2019 alone, a third-party vendor of HSBC Life Insurance was breached, Humana insurance was breached via a business partner, and Highmark BCBS, Aetna, Humana, and United Health were all breached due to their use of a third-party administrator.
Increased Regulatory Requirements
- In order to remain in compliance with regulation, insurance companies must have more cybersecurity protections than are required in many other industries.
- One regulation specific to the US is 23 NYCRR Part 500, a mandatory regulation established by the New York State Department of Financial Services (NYDFS) requiring "covered entities to calibrate their cybersecurity programs by using periodic risk assessments to determine criteria to identify, evaluate and mitigate risks by establishing appropriate controls and technological developments."
- All health insurers in the US are regulated under HIPAA laws.
- Additionally, many of the top US insurers, like AIG, Berkshire Hathaway, MetLife and The UnitedHealth Group, work internationally, including in the European Union. Therefore, these insurers must also comply with the EU General Data Protection Regulation (GDPR), which has strict data protection requirements.
- Failure to comply with these regulations can result in regulatory fines, especially if data is found to have been compromised.
- Experts have stated that "regulation is one of the key differentiators driving cyber insurance uptake in different geographic regions."
The reasons selected were identified as most important because they were mentioned by multiple experts across different media.