Cyberattacks are occurring at an unprecedented rate. Rapid7’s 2022 Vulnerability Intelligence Report noted that the time between when a system vulnerability is disclosed, to when a cyber exploitation occurs is decreasing. In fact, of the many vulnerabilities studied, the exploitation of information occurs within seven days of their public disclosure, which reflects a 12% increase over the same 2021 period and an 87% increase over the same 2020 timeframe.
Insurance professionals need to be aware of this, as well as the new types of cyber threats that are continuously being detected. These developments are, of course, a concern for regulators, who are stepping up their monitoring of businesses and enforcement actions to ensure that businesses holding sensitive personal information comply with the various federal and state cybersecurity laws.
A Maze of Federal and State Cybersecurity Laws
Currently, there are numerous federal and state regulations and standards that demand the attention of businesses within the insurance sector. Some of these include:
- The Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- System and Organization Control 2 (SOC 2)
- The General Data Protection Regulation (GDPR)
- The Federal Educational Rights and Privacy Act (FERPA)
- National Institute of Standards and Technology (NIST)
- Cybersecurity Maturity Model Certification (CMMC)
- New York Department of Financial Services Cybersecurity Regulations
- New York Shield Act
- The California Consumer Protection Act (CCPA)
Additionally, there are regulatory bodies such as the New York State Department of Financial Services, for companies located in NY, and the Financial Industry Regulatory Authority (FINRA) which have developed strict cybersecurity guidelines and requirements for businesses in the financial sector. They are intended to protect consumers and ensure the integrity of financial systems.
Most of these regulations follow a basic tenet which is that organizations maintain “reasonable” cybersecurity measures. This may mean different things to different organizations. There are, however, clear best practices that will demonstrate to regulators that an organization is taking their cybersecurity responsibilities seriously. Knowing and implementing them should be a top priority for any carrier, broker or agent operating in the insurance industry.
On the most fundamental level, insurance professionals/their organizations must implement a cybersecurity program that incorporates various measures, as well as instills a culture of cybersecurity with all members of the organization. These measures encompass: system vulnerability assessments and penetration testing performed by a third-party cybersecurity firm and not in-house staff or managed service providers. They also entail taking remediation measures to correct any system weaknesses identified through the vulnerability assessment or penetration tests. In addition, best practices include the adoption of advanced technologies and procedures such as multi-factor authentication, encryption of non-public information, intrusion detection technology, third-party vendor reviews of their cybersecurity practices, and the development of a sound incident response plan.
Employee training is also essential. Employees should be educated so they understand examples of cyberattacks that they could be subject to such as a phishing email and how to avoid compromising sensitive data. They should also understand the various types of cyberattacks (e.g., phishing, ransomware, social engineering attacks, denial of service, etc.) and be made aware of trends in cyberattacks on insurance companies. In addition to these best practices, many regulators also want to see annual certification of an organization’s cybersecurity program by a senior officer and the completion of regular vulnerability assessments and penetration testing. Further, it is a prudent cybersecurity practice to designate a Chief Information Security Officer to oversee the cybersecurity program. A strong incident reporting policy that includes prompt escalation of reporting a cyberattack to executives within the company, as well as other pertinent professionals such as outside counsel and, of course, regulatory bodies, is also essential.
According to Black Kite’s Cyber Insurance Risk in 2022, 82% of the largest insurance carriers are the focus of ransomware attacks from cyber criminals. That should be incentive for all businesses in the insurance sector to take cybersecurity seriously.