What New York says about insurers' cyber failings

Most insurers say they take data security very seriously.

Regulators at the New York State Department of Financial Services are wondering whether insurers are as well-prepared to defend their data and systems as they say they are.

The department released a summary of results from an insurer data security survey less than a week after Anthem Inc. (NYSE:ANTM) announced a breach that may have affected as many as 80 million people, and just a few days after officials reported that con artists have filed a wave of requests for tax refunds using stolen identities.

New York regulators found that 95 percent of the 43 insurers that participated in the New York survey said they believe their companies have enough information security staff, and that all but one said they have an information security framework in place.

Regulators said “having an information security framework in place” should mean that an insurer has a written information security policy, security training for employees, information security audits, cyber-risk management, and incident monitoring and reporting.

But the regulators also found signs that some insurers may be wrong about how secure their information systems are.

For a look at some of the findings that made New York regulators uneasy, read on. 

1. Some insurers are trying to handle data security on their own

Only 84 percent of the insurers said they participate in data security information-sharing organizations.

Sixteen percent of the insurers said that they did not participate in such organizations, said that they were unable to answer the question, or left the question blank.

2. At some insurers, the buck (usually) stops somewhere down in the ranks

Only 14 percent of the participating insurers said their companies’ chief executive officers receive information security updates on a monthly basis or more frequently.


3. Most insurers say the financial impact of recent security breaches has been small

Only 42 percent of the insurers reported being aware of any recent breaches in data security, including failed breaches. Only 4 percent, or two insurers, said they were aware of breaches that had caused more than $250,000 in monetary damages in the previous 12 months.  

Only 72 percent of the insurers affected by breaches said they had notified a regulatory agency, and just 67 percent said they had notified law enforcement. 
