Playing it safe: 4 ways to secure policyholder data
Take action to protect sensitive policyholder data — as well as your relationships and business — during claim processing.
Data breaches carry an average cost of $3.9 million per incident across industries, a recent report shows. But the price of a data breach extends beyond the expense of the initial exposure.
Findings from the “2019 Cost of a Data Breach” report indicate:
- The lifecycle of a data breach is longer than ever. It takes 206 days to identify a data breach, on average, and 279 days to contain one — a 4.9% increase over the 2018 figures.
- Data breach costs reverberate years after the breach occurs. More than a third of the costs associated with a breach accumulate in years two and three. These “long-tail costs” are higher for organizations in highly regulated industries.
- Lost business from a data breach can carry higher costs than the breach itself. Organizations that experience data breaches typically lose $1.42 million in business, with rates of abnormal customer turnover totaling 3.9%, on average. When customer turnover rates total 4% or higher, the average cost of lost business totals $5.7 million — that’s 45% higher than the cost of the breach alone.
Data breaches also have a deep impact on consumer confidence. Seventy-eight percent of consumers would stop interacting with a brand online after a data breach, and nearly half would not sign up for an online service or mobile app or use these services after a data breach, one survey found.
Sixty-four percent of insurers say policyholders’ personally identifiable information is the most valuable information cyberthieves seek. With the stakes so high, how can insurance companies protect themselves from a data breach during claim payment processing, when a policyholder’s personal data is collected in one place?
Here are four strategies to consider.
1. Strengthen your front-line defense
Eighty-two percent of insurers say the most common cause of data breaches they face involves careless actions from employees, such as responding to phishing emails, leaving their computer unlocked and unattended, taking sensitive files home, or failing to safeguard usernames and passwords. That’s why cybersecurity education for employees is critical.
Make sure employees know how to recognize suspicious emails and web alerts, and whom to contact when a digital communication doesn’t seem legitimate. Teach employees how to properly destroy sensitive information and when to do so. Gauge employees’ level of cybersecurity awareness through an annual survey and base employee education programs on these findings. It’s also important to hold cybersecurity training regularly — at least once a year — so employees are aware of emerging threats and know how to respond.
2. Conduct a cybersecurity vulnerability assessment
This type of risk assessment can help you determine your company’s biggest cyber threats and vulnerabilities. Such an evaluation can be used to develop an action plan to safeguard policyholder data more effectively. Areas of focus include:
- Physical security controls
- Perimeter security
- Whether the company uses the latest encryption technology available
- How the company protects its networks from internal and external attack
A cybersecurity vulnerability assessment will also consider the company’s business continuity and disaster recovery strategy. Just as policyholders experience disasters that leave them disconnected from critical information during times of need, so do insurance companies — unless the right protocols have been established in advance. An experienced cybersecurity specialist will examine how often data is backed up, where backup services exist, and whether the company has invested in a cloud-based solution for data backup.
3. Assess your ability to detect a data breach
It takes most companies 206 days to identify a data breach — and by that point, policyholders’ financial health may already have been compromised. Testing your company’s ability to spot a data breach in real time is critical. Contract with an outside cybersecurity firm to assess the strength of your wireless networks and your ability to identify and contain data breach attempts, including malicious attacks — the most expensive type of data breach.
4. Check the security credentials of third-party service providers
The Insurance Data Security Model Law puts pressure on insurance companies to verify that third-party service providers are compliant with information security standards. That means insurance companies face liability when vendors expose policyholders to a data breach. Yet 60% of companies don’t verify third-party vendors’ ability to protect policyholder data, one survey shows.
For example, when selecting a third-party claim payment processor, make sure the company demonstrates its commitment to protecting sensitive data by maintaining the following credentials:
- Payment Card Industry (PCI) Security Standards certification, which supports protections for sensitive payment card information.
- Service Organization Control (SOC) 1 and 2 compliance, with SOC 1 focusing on financial audit controls and SOC 2 centering on operations and compliance controls.
- Nacha Certified, a voluntary accreditation program for third-party senders and those that send Automated Clearing House (ACH) payments.
It’s also critical to make sure you understand how much of your business will be outsourced to sub-vendors. Each hand-off creates another layer of risk. It’s important to know who will have access to your data and whether these companies adhere to best practices in cyber defense as well.
Taking these action steps can bolster the protection of sensitive policyholder data during claim processing — and protect your relationships and your business.
Jeffrey W. Brown (jbrown@vpayusa.com) is president of VPay, a leading turnkey claim payments platform focused on the property and casualty, workers’ compensation, healthcare and warranty industries.