Cybersecurity breaches are a greater threat to the insurance industry than ever before. In fact, 720 online data breaches were recorded in 2015 alone, and the top seven attacks left 193 million personal records open to fraud and identity theft. Moreover, the average cost of a data breach in 2014 was $5.9 million, up 9 percent from the prior year. From accidental data leaks to malicious cyberattacks, there are plenty of opportunities for providers and brokers to lose precious client data.
Not surprisingly, regulators have tightened controls and raised penalties related to the loss of personally identifiable information. The SEC has created new fines for failing to safeguard client data, and 47 states have passed legislation that requires private firms and government entities to notify individuals following potential breaches.
Despite these risks, many agents and advisors are still unaware of the best practices for staying compliant with data security regulations. Even more are surprised to learn that compliance standards aren’t enough to keep up with these rapidly evolving risks. To protect their clients and businesses, insurers need to better understand common security risks; the legal landscape of data loss; emerging practices for managing breaches; and reinsurance policies that specifically cover cybersecurity threats.
Exposures and Risks
What types of data do you have, and where and how are those data stored? These are the key risk control questions any reinsurer is going to ask an agent as they assess their cyber liabilities. Different standards apply to different types of data, and there are overlapping but separate requirements for handling personally identifiable information (PII), protected health information (PHI) and payment card industry information (PCI). Given the sensitivity of certain files, even a slight breach can lead to major losses.
Similarly, agents need to assess how they limit access to the data they collect. IT controls, firewalls and encryptions need to be in place, but so do software patches and antivirus updates. Failure to update software not only puts clients at risk, it often gives reinsurers an opportunity to deny coverage. To satisfy HIPAA regulations, insurers and health care providers also need to limit access to data on a need-to-know basis.
Third-party access is just as critical a consideration. Many insurers have moved to the cloud, and anyone granting access to IT vendors needs to assess those vendors’ risks. Even if a contracting third party isn’t a threat, a breach in its security may ultimately lead to a breach in yours. Contracts should outline specific security measures on the part of the vendor, and they may even include provisions for two-way back-end access for investigative purposes in the event of a breach.
Finally, agents and brokers need secure procedures for removing both people and data from their information systems. Internal attacks comprise a large portion of security breaches, and roughly 40 percent of claims involve data that were no longer needed for business purposes. Given the sensitivity of insurance and health-related information, allowing old data to fall into the wrong hands can have severe ramifications.
The Legal Landscape
State and federal entities have created myriad cybersecurity regulations in the last decade. On the federal level, the most important new law is the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which strengthened HIPAA’s data breach requirements and introduced rules for breach notification. The Omnibus Final Rule of 2013 extended these requirements so that insurance providers, their agents and the companies that manage their data would all be responsible for breaches that lead to HIPAA violations.
At the state level, every state but South Dakota, Alabama and New Mexico now requires notice to customers, law enforcement and credit-reporting agencies following unauthorized access to PII and PHI. These laws vary by state, however, and each agency needs to familiarize itself with its jurisdiction’s requirements. Some states’ definitions of “protected information” are far broader than others’, and notification requirements may be triggered by different events.
For agencies that accept credit cards, Payment Card Industry Data Security Standards (PCI DSS) include stringent but commonly misunderstood requirements for protecting customer information. In the event of a breach, failure to comply with these requirements allows banks — not regulatory agencies — to apply fines of up to $500,000 per incident.
Complying with these rules is a twofold endeavor. Privacy rule compliance requires a variety of companywide policies for protecting consumer information, as well as training programs, authorization forms, breach notification systems and disciplinary procedures. Risk assessments are also a must for any firm that handles sensitive information, as are written agreements with business associates who will share and use that information.