Staying Secure with Cyber Security

Threats in the insurance industry have shown no one is immune from attack.

Shawn O'Rourke

How secure am I? How secure do I need to be? These are questions that have occupied the minds of CIOs, CSOs, and CTOs for years. However, recent high-profile security breaches have pushed these questions beyond the conference room and into the boardroom.

CEOs and board members are now asking: How secure are we? How secure do we need to be? And with good reason. The year 2014 saw more sophisticated exploitations of large and small companies alike. According to the 2015 Internet Security Threat Report from Symantec, there were 317,000,000 new pieces of malware created in 2014. Ransomware attacks grew by an astonishing 4,000 percent. In these attacks the victims' files are encrypted and held hostage for a ransom. Ransoms are normally paid in bitcoins, a decentralized virtual Internet currency, and can amount to $250 or more per locked file.

To further complicate matters, companies are only as secure as their business partners. A BitSight Technologies study reported that one-third of U.S. retailers that experienced a data breach were compromised through a partner relationship.

Insurance companies are not immune. Even those companies that do not transact business online are finding their security posture weaker today than it was just a year ago. Two emerging factors play a significant role in assessing an insurance company's security.

First, there is a stark realization that it is impossible to protect against every cyber-criminal or cyber-attack. As hard as companies have tried, a determined, sophisticated cyber-criminal will eventually breach raw defenses. Therefore, insurers must invest equal focus on knowing when a cyber-criminal gets in and on limiting the impact they may cause.

Second, Personally Identifiable Information (PII) and Personal Health Information (PHI) have eclipsed credit card numbers in criminal value. PII and PHI can yield as much as 10 times the value of a credit card number when used effectively by a cyber-criminal.

In the past, companies have primarily defended against hackers: individuals or small groups with either malicious or criminal intent. Today, insurance companies not only need to defend against hackers, but according to the Department of Homeland Security, they must also prepare a cyber-defense strategy against foreign governments, terrorists, industrial spies, organized crime, and hacktivists. These groups' motives range from low-level nuisance web page defacements, to direct financial and trade secret theft, all the way to espionage and serious regional or national disruption.

A company becomes the victim of a cyber-attack for three primary reasons:

1. Because of what they have: Insurance companies are a rich source of PII and PHI, as well as credit card transactions.

2. Because of who they are or what they do: The insurance industry's public position may make individual carriers a cyber-target. Likewise, an individual insurer may be involved in litigation or another high-profile event, making it a prime target for cyber-criminals.

3. Because of where they are: Cyber-crime may be a crime of opportunity. Insurance companies transact business on the Internet, store data in the cloud, and send external email containing PII and PHI. Any of these activities may be visible to cyber-criminals, making the company a target.

So what should an insurer do today to protect itself from cyber-criminals? While the ultimate answer is different for each company, I can recommend three best practices:

• First, insurers must recognize that cyber-security is not just an IT issue. It is an enterprise risk. It must be understood and managed corporately, just as any other risk that has the capability to significantly impact company results.

• Second, insurers need to invest in a comprehensive security program that protects the company not only with technology, but also from social engineering targeted at the company's employees. The financial services industry, in aggregate, invests approximately 12 percent of its IT spend toward security. The insurance sector invests approximately seven percent. That gap in investment will need to close.

• Finally, in addition to response plans and capabilities, carriers need to ensure they have cyber-defense insurance with coverages and capabilities matched to company needs. The right capabilities and resources can significantly mitigate longer-term negative impacts.

(Shawn O'Rourke is CTO with Farmington Hills, Mich.-based Amerisure Mutual Insurance Company.)