New Regulatory Guidance Affects Insurers, Producers
Producers, brokers and insurers are all targeted by cyber attackers looking for personal identifiable information (PII) that can be used to open fraudulent credit cards. To protect PII, in April the Cybersecurity (EX) Task Force of the National Association of Insurance Commissioners (NAIC) released Cybersecurity Insurance Regulatory Guidance.
The Principles for Effective Cybersecurity: Insurance Regulatory Guidance recommends state insurance regulators “ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks.”
Independent brokers, small insurance agencies and large insurance companies are being asked to heed security precautions. Although the media spotlight has recently been on two health insurance companies that were breached, affecting 1.1 million customers of one company and 80 million customers of another, other types of insurance companies have also been compromised. A couple of years ago a large mutual insurance company that sold both property/casualty and life and health insurance was breached. The records of more than a million customers and prospects were exposed.
Both independent agents and large companies are attack targets because they hold Personal Identifiable Information (PII) and, often, Protected Health Information (PHI).
Attackers sell this information on underground websites. Buyers use PHI to create fake IDs to buy legal drugs that they illegally resell. Buyers also purchase PII to open credit card accounts and accumulate email addresses. The latter are used to send victims “phishing” emails that contain links or attachments that are malicious.
Once unsuspecting recipients click on the malicious links or attachments, malware (malicious software) is surreptitiously downloaded onto their computers. This malware gives attackers remote access to the victims’ computers. The attackers can then use the victims’ email contact lists to send out more phishing emails.
The cyberthieves can also download more malware onto the victims’ computers, including malware that tracks the victims’ keystrokes, giving the attackers access to all of the victims’ login credentials, including those for their online banking accounts.
It’s surprising how many agents, as well as large insurance companies, don’t do enough to protect themselves and their clients. This dearth of best security practices leads to breaches and class-action lawsuits. One of the healthcare companies that was recently breached had been breached twice before. It is now facing a class-action lawsuit. With the new NAIC guidance, agents and insurers will likely be held more accountable in court if basic precautions have not been taken.
Agents need to make sure that any computers and mobile devices containing information on prospects or clients are password protected, so that if a device is lost or stolen, anyone who picks it up would have a difficult time breaking into it.
Insurance agencies and companies should review the National Institute of Standards and Technology (NIST) Framework, which was developed in response to an executive order by President Obama and explains the steps that need to be taken to secure networks.
Successfully implementing the steps is difficult. Insurance agencies and companies should try to implement the steps on their own and then work with a cybersecurity consultant to review their work.
Bonnet is director of Small & Medium Business – North America at Dell SecureWorks, a global information services security company headquartered in Atlanta.