The Obama Administration has started to reach out to the insurance industry on the topic of cybersecurity in the wake of an executive order signed by President Obama in February.
The U.S. Department of the Treasury will host a non-classified cybersecurity briefing for the insurance sector, inviting both industry and state regulators as well as National Association of Insurance Commissioners (NAIC) staff, on Aug. 22, via a Webcast.
The intent is to share information about cybersecurity threats and vulnerabilities so that insurers can put in place better defensive measures against an attack. This sharing of unclassified information was contemplated in the Executive Order on improving cybersecurity. So was the voluntary adoption by companies of the so-called “Baseline Framework to Reduce Cyber Risk to Critical Infrastructure,” known as “the framework.”
“I would expect that the framework is kind of a baseline,” said Alex M. Hageli, director of personal lines policy, the Property Casualty Insurers Association of America (PCI). As a government document, it will become like a measuring stick, he said, even though it is voluntary.
Some companies are likely already doing what the framework suggests, and PCI hopes it is flexible and very adaptable to what is going on, since the nature of cyber activity is changing every day. Cybersecurity is a moving target — as you adjust, you come into parallel with the framework, he said.
Not many are immune to hacking, however.
Last October, Nationwide Mutual Insurance and its Allied Insurance affiliate were hit hard by a cyberattack when hackers stole names, Social Security numbers and other identity information from over one million people in its databases. Some argued that informing and identifying the people whose information was compromised took longer than it should have. The company promptly initiated an investigation of the attack, which occurred Oct. 3, 2012, and on Oct. 16, 2012, determined that the criminal perpetrator had likely stolen personal information from its systems. On Nov. 2, 2012, Nationwide received confirmation of the identities and addresses of the individuals whose personal information was likely compromised.