Insurance agency cybersecurity questions answered

Cybersecurity does not have to break the bank, says one insurance agency leader.

Troy Stairwalt

For roughly three years, Troy Stairwalt has served as chief information security officer at Westfield Insurance.

In that capacity, Stairwalt is responsible for setting the strategy and overseeing daily operations for the property & casualty insurance company’s cybersecurity program.

Below, Stairwalt answers six pressing insurance agency cybersecurity questions.

PropertyCasualty360: Please describe, in broad strokes, the cybersecurity issues facing insurance agencies.

Troy Stairwalt: The good news is that cybercriminals generally are not targeting individual agencies or businesses.

The bad news is that they’re looking for economies of scale, which means, agencies and businesses are more likely to get caught up in a much broader cyberattack as collateral damage.

Here are three common ways an agency is most likely to be caught in a cyberattack:

  1. Ransomware
  2. Supply chain management
  3. Third-party vendors

All three represent real cyberthreats to agencies for several reasons including:

Cybersecurity insurance policies have required — and will continue to require — increasingly onerous qualifications simply to purchase an insurance policy. Candidly, I believe that cyber insurance underwriting requirements will define a mature cybersecurity program in much clearer terms than regulatory requirements.

Historically, the insurance industry has driven safety requirements in many aspects of our lives, and I believe cybersecurity requirements will follow a similar path toward maturity.

And here’s why: While ransomware has proven lucrative for cybercriminals, it can be a losing business proposition for cyber insurance carriers if the risk is not properly priced, which is why we can expect that minimum requirements for coverage will continue to increase, premiums will increase, liability limits will be lowered and exclusions will be added as actuarial models continue to mature to reflect appropriate risk-based coverage, exclusions and pricing.

PC360: How are insurance agencies impacted by cybersecurity compliance concerns?

Stairwalt: Industry, state and federal regulations have been — and will become — increasingly onerous in response to cyberthreat level activity, which incidentally, since the pandemic, has consistently been at all-time highs year-over-year.

This means agencies will have to adhere to regulations or face repercussions, including fines and penalties. These regulations will require agencies to know where their sensitive data resides and who has access to it. Agencies will also need to show that they have implemented reasonable and prudent controls to effectively manage the risk and demonstrate adherence to regulatory requirements. Multi-factor authentication is simply table stakes in 2022. Expect those stakes to increase. Those who haven’t made reasonable and prudent investments along the way will need to spend a lot more time, energy and capital to simply catch up with evolving underwriting and regulatory requirements and, most importantly, to mitigate the ever-evolving cyberthreat landscape.

PC360: What should insurance agency owners and leaders know about protecting their businesses against a breach?

Stairwalt: The first thing agencies should know is that cybersecurity does not have to break the bank. There are cost-effective ways to protect against a breach. Basic hygiene is just the foundation. Additional layers/controls should be implemented based on the type of data and operational risk vulnerability. Scanning and patch management are also considered part of basic hygiene.

Agencies should properly configure and update their systems from the very start, keep them updated and avoid running unsupported computing platforms including operating systems, applications, databases, browsers and everything in between. It may sound like a lot, however, the administrative overhead is minimal if you keep up with it.

Think of basic cyber hygiene like brushing your teeth, taking a bath, eating right and getting plenty of rest. It costs far less to avoid cyber illnesses than to treat the symptoms or risk incurring a potentially fatal blow to your business operations from neglecting to do the basics daily.

Put another way, it doesn’t take a lot of effort to keep your garage or basement clean from the start. However, if you let things pile up, it can become overwhelming.

PC360: How concerned should insurance agency leaders be about ransomware?

Stairwalt: Ransomware is big business for cyberattackers — it’s very lucrative — making the threat to agencies constant.

Unfortunately, most businesses don’t realize they have been attacked until it’s too late. When victims are notified that their systems are encrypted, backups have generally been targeted in advance and are rendered useless for recovery purposes. To add insult to injury, unless agencies remediate the vulnerable system and fix the root cause of the issue, they will most likely be attacked again. Some ransomware gangs even offer 50% off coupons to victims who pay ransoms, knowing they won’t be able to mitigate the vulnerabilities and/or implement effective controls before they are compromised again.

PC360: What would most insurance agents be surprised to learn about cybersecurity?

Stairwalt: Three things:

PC360: What else do you think insurance professionals should know about cybersecurity?

Stairwalt: Moving to the cloud does not solve your security problems. You are still responsible for the security of your data.

And it’s a shared responsibility model: You can transfer your data to the cloud but you cannot transfer your liability. It’s important to have appropriate contract language in place to hold SaaS and all third-party vendors accountable.

If agencies don’t have multi-factor authentication implemented, it’s unlikely they will even be considered for cyber insurance coverage. Offline backups are another area of increased scrutiny.

Agents may also be interested to know that many of the ransoms being paid are used to fund research and development for the next evolution of cyberattacks.

Today, cybercriminals are better funded than ever before and have established their own “venture capital” funds to support new cybercriminal organizations. They run recruiting campaigns that offer rewards of $150,000 or more to the capable young hacker who can design widely used technology for economies of scale. They pool resources and many have “customer support” services that rival Fortune 100 companies.

In the end, taking a “head in the sand” approach to addressing cybersecurity in 2022 will leave agencies seriously exposed. Agencies will save time, money and their reputation by incorporating basic hygiene practices into their ongoing business operations.