Cybersecurity: Not if, but when

ICAE’s morning of crime continued with a panel discussion on cybersecurity—a critical issue for insurance professionals considering the amount of personal consumer information available—especially consumer affairs professionals.  And, for consumer service professionals, anything considered to be a critical topic for consumers must be considered to be a hot topic for all gathered. The panelists, led by moderator Erica Hiemstra, Director of Distribution and Consumer Affairs for Canadian Life and Health Insurance Association, were informative and insightful, sharing perceptions and solutions with attendees.

Dangers lurk
Information is an important strategic asset, especially in the insurance industry.  Big data allows for better business—but this data is also a liability.  The panelists agreed that cyber-threats are everywhere and can be found internally (employees going rogue), externally (the idle hacker just seeing if it can be done), locally and internationally (sovereign nations sanctioning hack activity to organized crime entities paying for data). It was noted that, sometimes, organizations expose themselves to risk by parking data on inferior third-party providers to leverage IT resources and to save money—but also creating an enormous enterprise risk.

Consumer services professionals are squarely in the middle of the information flow—insurance companies and regulators are information-rich targets for hackers. All but two states require notification if data is lost—hacking and subsequent notification is a logistical and public relations nightmare. This nightmare is solely digitally driven because the harsh reality is that digital data is just easier to lose in bulk; in the past, the same amount of paper data just couldn’t be moved.

What are the stats?

  • Employee negligence such as information thrown in a dumpster or lost laptops accounts for 10 percent of all breaches.
  • Insider theft—employees going rogue—is also 10 percent of the breaches.
  • Third-party vendors—payroll processing, collections—15 percent of all breaches (but note the parent company is still liable).
  • Hacking attacks—Make up the majority of the remaining 75 percent of all breaches.  However, the experts noted that given the ongoing attacks, it is unreasonable to expect any company to have a 100 percent success rate at protecting themselves.

And now, the costs
Identity theft costs $19 billion a year in losses; hacking losses are estimated at more than $3 trillion.

The cost of a cyber-breach is broken down to about $200 per record. That figure includes indirect costs, such as damaged reputation, and direct costs, such as responding to a data breach, legal requirements, forensic firms, and recovery. Interestingly, the price to sell the information as stolen goods is about $6 per record.

The experts encouraged educating consumers on the option of locking credit as a viable prevention to identity theft. The panel noted this protection is not popular with the financial services industry generally.  For the insurance industry specifically, locked credit would be a major issue for insurance companies that rely on credit scoring information to determine rates. Additionally, financial institutions are more willing to absorb the cost of a breach than to disallow access to credit information for the instant access to credit cards—a consistent revenue stream.

The laws of the land
As a holder of big data, and a protector of citizens and industry, the federal government is working on the issue of cybersecurity, but what group is ultimately responsible for enforcement and standards? Currently, the Department of Commerce is working to bring the public and private sectors together to voluntarily review recommendations and best practices; determine and assess gaps and ultimately establish a future path so that industry has recourse when hacked.  Additionally, given the international aspect, the Department of Homeland Security is also working with cyber-risk analysis and risk management.  The Federal Trade Commission is making a case to have jurisdiction for data protection and is working hard to establish that jurisdiction, including enforcement.

Spy vs. spy…What can be done?
The panelists pointed out multiple common-sense ideas to help prevent hacking and identity thefts:

  • Know what you have (companies and individuals) and keep up with technologies
  • Companies need to fund IT solutions—it’s expensive, but not as expensive as breaches
  • Don’t be dumb—Educate employees, associates and others to be vigilant
  • Books are available on the secrets of the super hackers—read
  • Carefully review vendor contracts—ensure vendors with even small portals to company systems are fully vetted and have security methods in place
  • Do not give out information that you do not need to
  • Encrypt information
  • Have strong passwords (passwords taped to the back of a laptop are not passwords)
  • Minimize exposure in the event of breach—get rid of information no longer needed
  • Malicious software is everywhere, get autoshun software to combat

What should insurance companies do?
The panelists suggested the team approach to protecting companies and regulators—noting a team will always be stronger than a single unit.  An ideal working team would include associates from risk management, information technology, legal counsel, boards of trustees and/or directors and, especially, the front line of consumer affairs professionals.

As in life, they encouraged all to seek balance—big data is a real asset that must be protected as all assets must be protected.

  • Know prior to a hacking event what the corporate responsibilities are to the consumer—legally and ethically.
  • Have a communication plan in place so that law enforcement can be notified immediately and the flow of information to consumers and regulators can keep all informed.
  • Insurers were reminded to remember:  When talking with groups of consumers, regulators will learn about it.  Be proactive to keep the regulators in the loop—and enlist them as a part of the solution.

Angela Gleason
Associate Counsel
American Insurance Association (AIA)
2101 L Street, N. W., Suite 400
Washington, DC  20037

Erica Hiemstra
Director, Distribution & Consumer Affairs
Canadian Life & Health Ins. Assoc.
1 Queen Street East, Suite 1700
Toronto, Ontario  M5C 2X9

Michael Palotay
Sr. Vice President
NAS Insurance Services
16501 Ventura Blvd., Suite 200
Encino, CA  91436

Arturo Perez-Reyes
Cyber Practice leader & VP
HUB International
180 Sutter St, Suite 400
San Francisco, CA  94104


Print This Print This Email This Post Email This Post
| Home | Join | Members | Publications | Events | Contact Us |
Insurance Consumer Insurance Exchange © 2023
P.O. Box 892, New Hyde Park, NY 11040, Phone: 847.991.8454
Website by Marcy Design