Feb 25, 2015

Once More Unto the Breach?

by Rich Flynn, ACORD

Just weeks ago, Anthem - the nation's largest health insurer - disclosed a database breach which put the personal information of 80 million customers and employees at risk. While the FBI says it's close to uncovering the perpetrators of the hack but is still deciding how much information to publicly reveal, Bloomberg News reports that three people familiar with the investigation say the evidence points to Chinese state-sponsored hackers. And while the FBI's Joseph Demarest told reporters that the majority of government-backed cybercrime groups the Bureau is tracking are Chinese, he acknowledged a concern that the ISIS terrorist group will continue to acquire more sophisticated hacking capabilities.

It's in this environment that the New York Department of Financial Services released its Report on Cyber Security in the Insurance Sector, based on a survey of 43 insurers from the health, life and property & casualty lines of business. The survey participants seemed confident in their cyber security measures - but is this comforting news, or are they underestimating the danger they're in? 

"Insurance firms often possess large amounts of personally identifiable information and protected health information; safeguarding such information in digital format is technologically challenging and expensive," the report opens. "The decreasing cost of technology in general, while helpful to legitimate business entities, also makes it easier and cheaper for cyber criminals to disrupt systems and obtain access to protected data." 

The report found that bigger insurance providers did not necessarily have the most sophisticated or comprehensive cyber security - which comes as no surprise in the wake of the Anthem breach. DFS identified a wide range of factors which influence how robust a company's cyber defenses are, including frequency of transactions, variety of business lines written, and the types of sales and marketing technologies used.

The statistics betray a relative lack of concern by the companies, with 95% stating that they already have adequate staffing levels for information security, and only 14% of CEOs receiving monthly cyber security briefings. "Recent cyber security breaches at financial institutions and other major corporations should serve as a wake up call for insurers to redouble their efforts to strengthen their cyber defenses - particularly given the level of sensitive consumer information that insurers are entrusted with handling," the report states.

While only 40% of the respondents reported a need to modify their cyber security strategies to address new and evolving risks, the majority of them did identify the increasing sophistication of threats and emerging technologies as the primary challenges facing their information security efforts. With everyone hoping not to find their names listed with Anthem in the next article about a data breach, it's little wonder that they're apprehensive about what form future threats will take.