Insurers Need Cyber Security Action Plan

By Jennifer Overhulse

Toronto, ON (Mar. 16, 2015) – At the 2015 Insurance-Canada Technology Conference (ICTC2015), there was plenty of cyber risk recognition to go around in insurer, as well as agent/broker, circles. Apparently, even though breaches into the data and emails of Target, Sony, and Home Depot – or by Edward Snowden – were front and center recently, it took the Anthem exposure to really get the attention of insurance executives.

According to the experts on panels in Toronto, including individuals from IBM, Marsh Canada, Crawford Canada, SMA, CGI and Oceanwide, the insurance industry in North America is still very much in the “identify” stage when it comes to cyber risk. In fact, at this point, it may even be fair to say the industry “doesn’t know what it doesn’t know.”

Unfortunately, insurance and financial services firms are being increasingly targeted because of the personally identifiable information (PII) such businesses utilize on a daily basis, so the time is ripe for moving beyond identification to action. Very quickly, it will become imperative for insurance organizations to stop looking for potential intrusion points and invest time, energy, resources and budget dollars into solutions that can proactively prevent attacks.

Experts across ICTC panels unanimously agree that the “it won’t happen to me” mentality is akin to burying one’s head in the proverbial sand, and considering the average cost of a data or privacy breach, it’s a very dangerous way of doing business. Today, it is a question of when, and not if, your privacy will be breached, and insurance organizations are coming to that realization perhaps just a bit slower than everyone else.

If insurers had the luxury of time on their side, there would undoubtedly be many lessons to learn from recent breaches, but with the clock ticking, insurers should be asking experts for some quick hits that will jump-start the cyber security process. So, in the middle of a budget year in which extensive cyber security efforts were not accounted for, what can insurers do right now?

The first step, most experts seem to agree, is taking on the responsibility of a thorough cyber risk assessment, which will evaluate not only an insurance organization’s IT infrastructure and current availability of technology tools, but also the skill level of existing employees and the company’s level of data mastery maturity.

Next step, shut the back door. The Target breach and the NSA debacle were both facilitated handily by third-party contractors run amuck. By auditing service-level agreements (SLAs) and tightening legal language around access to and responsibility for proprietary data, insurance organizations can gain a better understanding of potential exposures and possibly even prevent them.

Last, but not least, consider the company’s bring-your-own-device (BYOD) policies. The Anthem breach, as well as many other breaches, occurred mainly as a result of lost or stolen devices, such as laptops with unencrypted data, unsecured USB storage devices, and portable hard drives containing information that should never have gone outside a secure company firewall. Questions should be asked about how well BYOD policies are being observed by employees and contractors, the viability of passwords, and even the security of workstations after hours. Strengthening BYOD policies is an easy way to potentially avoid disaster before it strikes.

With legislative bodies far and wide considering new compliance measures and regulatory changes to protect critical insurance data, insurance organizations would appear to have a clear directive to take steps toward cyber security. By taking proactive steps now, insurers can mitigate higher costs of cyber security that may be incurred once mandatory regulatory measures demand action in order to meet and maintain compliance.

About the Author

Jennifer Overhulse is principal owner of St. Nick Media Services. She can be reached for further comment or information via email at [email protected].

Source: St. Nick Media Services