Anthem, JP Morgan Chase, Target and Home Depot—if one trend is clear, it's that cyber criminals are aiming big.
And next on their list? Insurance firms, according to the New York State Department of Financial Services in its "Report on Cyber Security in the Insurance Sector." And this hypothesis is based on fact: 35% of insurers experienced between one and five breaches over the past three years, with an additional 2% reporting between six and 10 breaches, and 5% of carriers experiencing more than 10, the report says.
Carriers hold large amounts of personally identifiable information and protected health information in digital form, which is attractive to hackers who can sell it on the black market.
The Department conducted a survey of 43 insurance carriers—21 health, 12 P&C, 10 life, with $3.4 trillion in combined assets—with respect to cyber security to determine the industry's efforts to prevent cyber crime and protect consumers.
While it may be expected that the largest firms would have the most sophisticated cyber security, the Department found that an array of factors affect the sophistication and comprehensiveness of the insurers' cyber security programs. Those factors include: assets, transactional frequency, variety of written business lines, and sales and marketing techniques.
Nearly all insurers (98%) have an information security framework in place that includes a written information security policy, security awareness and education, audits, risk management, and incident monitoring and reporting.
The surveyed carriers also use specific security technologies. While all firms use anti-virus software, tools to detect malicious code, firewalls, intrusion detection and encryption, fewer than half, unsurprisingly, use biometrics—such as fingerprint or retinal scanning to authenticate identity—and 79% employ intrusion prevention systems.
Penetration testing, where a simulated attack exposes system vulnerabilities, is commonly employed. However, just 44% of insurers conduct these tests annually, 19% quarterly and 30% monthly. Because cyber attacks keep evolving, the Department recommends that penetration testing be ongoing, as the results of a test can quickly become outdated.
Eighteen of the surveyed insurers experienced one or more breaches within the last three years through methods such as malware, phishing (e-mail scams), pharming (re-directing web traffic to a fake site) and botnets (gaining control of networked computers). Consequences of the breaches include telecommunications network disruption and account takeovers. Interestingly, none of the surveyed insurers reported data theft.
Most of these attacks inflicted little to no costs on the firms (less than $250,000), but one P&C carrier reported a loss between $6 million and $10 million. These costs include payments for detection software, loss of customer business, reimbursements, legal defense costs, brand damages, auditing and consulting services and court settlements.