Cybersecurity breaches are a greater threat to the insurance industry than ever before. In fact, 720 online data breaches were recorded in 2015 alone, and the top seven attacks left 193 million personal records open to fraud and identity theft. Moreover, the average cost of a data breach in 2014 was $5.9 million, up 9 percent from the prior year. From accidental data leaks to malicious cyberattacks, there are plenty of opportunities for providers and brokers to lose precious client data.
Not surprisingly, regulators have tightened controls and raised penalties related to the loss of personally identifiable information. The SEC has created new fines for failing to safeguard client data, and 47 states have passed legislation that requires private firms and government entities to notify individuals following potential breaches.
Despite these risks, many agents and advisors are still unaware of the best practices for staying compliant with data security regulations. Even more are surprised to learn that compliance standards aren’t enough to keep up with these rapidly evolving risks. To protect their clients and businesses, insurers need to better understand common security risks; the legal landscape of data loss; emerging practices for managing breaches; and reinsurance policies that specifically cover cybersecurity threats.
Exposures and Risks
What types of data do you have, and where and how are those data stored? These are the key risk control questions any reinsurer is going to ask an agent as they assess their cyber liabilities. Different standards apply to different types of data, and there are overlapping but separate requirements for handling personally identifiable information (PII), protected health information (PHI) and payment card industry information (PCI). Given the sensitivity of certain files, even a slight breach can lead to major losses.
Similarly, agents need to assess how they limit access to the data they collect. IT controls, firewalls and encryptions need to be in place, but so do software patches and antivirus updates. Failure to update software not only puts clients at risk, it often gives reinsurers an opportunity to deny coverage. To satisfy HIPAA regulations, insurers and health care providers also need to limit access to data on a need-to-know basis.
Third-party access is just as critical a consideration. Many insurers have moved to the cloud, and anyone granting access to IT vendors needs to assess those vendors’ risks. Even if a contracting third party isn’t a threat, a breach in its security may ultimately lead to a breach in yours. Contracts should outline specific security measures on the part of the vendor, and they may even include provisions for two-way back-end access for investigative purposes in the event of a breach.
Finally, agents and brokers need secure procedures for removing both people and data from their information systems. Internal attacks comprise a large portion of security breaches, and roughly 40 percent of claims involve data that were no longer needed for business purposes. Given the sensitivity of insurance and health-related information, allowing old data to fall into the wrong hands can have severe ramifications.
The Legal Landscape
State and federal entities have created myriad cybersecurity regulations in the last decade. On the federal level, the most important new law is the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which strengthened HIPAA’s data breach requirements and introduced rules for breach notification. The Omnibus Final Rule of 2013 extended these requirements so that insurance providers, their agents and the companies that manage their data would all be responsible for breaches that lead to HIPAA violations.
At the state level, every state but South Dakota, Alabama and New Mexico now requires notice to customers, law enforcement and credit-reporting agencies following unauthorized access to PII and PHI. These laws vary by state, however, and each agency needs to familiarize itself with its jurisdiction’s requirements. Some states’ definitions of “protected information” are far broader than others’, and notification requirements may be triggered by different events.
For agencies that accept credit cards, Payment Card Industry Data Security Standards (PCI DSS) include stringent but commonly misunderstood requirements for protecting customer information. In the event of a breach, failure to comply with these requirements allows banks — not regulatory agencies — to apply fines of up to $500,000 per incident.
Complying with these rules is a twofold endeavor. Privacy rule compliance requires a variety of companywide policies for protecting consumer information, as well as training programs, authorization forms, breach notification systems and disciplinary procedures. Risk assessments are also a must for any firm that handles sensitive information, as are written agreements with business associates who will share and use that information.
Security rule compliance is a more pressing issue in the insurance industry, as regulators are becoming more interested in enforcing agencies’ PHI and PII protection. No single set of standards applies to every firm, but compliance generally requires companies to implement administrative, technical and physical safeguards to address the vulnerabilities they identify in their risk assessments. The National Institute of Standards and Technology’s Cybersecurity Framework provides guidance for assessing risks, setting goals and developing the plans necessary to comply with federal and state regulations.
Where, why and how do breaches occur? Malicious insiders, former employees and accidental loss account for roughly one-third, while malicious outsiders make up most of the remainder. Internally, the most common causes are accidental loss of information, misplaced devices and theft, both by employees and consultants. Externally, hackers vandalize, steal information and extort businesses through system shutdowns. Phishing campaigns are also a major cause for concern in the health care industry, since possessing PHI allows hackers to manipulate consumers into giving up even more information.
Cloud computing has created additional threats. Outsourced data hosting leads to increased exposure and reduces agencies’ control of their data. Bring-your-own-device (BYOD) programs likewise make it more difficult to control the flow of data into and out of organizations. Most companies don’t control their employees’ tablets, smart phones and laptops, most of which are easily lost and equipped with weak security features.
In response to these risks, the National Association of Insurance Commissioners issued its “Principles for Effective Cybersecurity Insurance Regulatory Guidance,” which apply to insurers, producers and their third-party contractors. The principles relevant to producers include calls for flexibility and scalability, risk-based guidance, incident response planning and periodic cybersecurity training. Ultimately, these recommendations will lead to a variety of requirements for insurers and providers, including cybersecurity policies, a chief information security officer and cyber staff, security audits and immediate notice to the appropriate state regulator following a breach.
Cybersecurity Insurance Policies
Given all of these rules, regulations and risks, the critical question for agents is, “How do we protect ourselves?” Traditional reinsurance policies tend to cover the publication of information that violates privacy rights, but they rarely include the loss of data and other intangible property.
Coverage for those eventualities begins with security and privacy liability insurance — coverage for data breaches and the regulatory actions that may follow. A close second in importance is event management insurance, which covers the costs of notifications, public relations campaigns and other initiatives used to mitigate cybersecurity incidents.
Beyond these basic coverage types, agents need to look for a few important details in their cybersecurity policies. Government enforcement actions should be covered, but not all policies include them. A broad definition of “computer systems” is also key since so many agencies house client data in third-party clouds. Other important coverage considerations include civil fines and penalties; PCI DSS assessments; cyberterrorism; and voluntary first-party notification costs.
Ultimately, the best practice for any firm is to conduct an annual insurance review that covers the following questions: Do existing policies cover cybersecurity events? Which events are insurable in the current environment? What coverage will a new or enhanced policy provide, and what will it cost? And finally, are those costs worth the potential savings in light of the firm’s current risk management approaches? A kitchen sink policy may provide ironclad coverage, but it comes at a significant cost.
Cybersecurity breaches are a greater threat to the insurance agency than ever before, and regulators have taken decisive action. Unfortunately, most agents and brokers haven’t followed suit. To protect their clients, reputations and bottom lines, insurers need to better understand the threats they face. From malicious attacks to accidental leaks, even small data losses can cause severe financial repercussions. With the right knowledge, however, agents can effectively protect their firms from the financial and legal ramifications of cybersecurity breaches.
Click here to view the on-demand webcast.
 10Fold Communications
 2016 Hinshaw & Culbertson LLP, an Illinois Limited Liability Partnership. All rights reserved.
 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0. National Institute of Standards and Technology, 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
 2016 Hinshaw & Culbertson LLP, an Illinois Limited Liability Partnership. All rights reserved.