Cybersecurity for the Insurance Industry
The Insurance industry is at high risk for cyber-attacks. The Big I and several insurance companies have been raising concerns about increasing attacks on agencies. Across the board, attacks have increased year over year – and it will continue to increase as long as hacking is lucrative.
Mitigate the Risk with Rigid Bits
Rigid Bits is here to help and works closely with Agencies, Carriers, and MGA’s that want to better understand and reduce their cybersecurity risks. As supporting members of groups like IIABA and ACT, as well as NetVU and Applied Client Network, Rigid Bits shares educational content and information that has been specifically put together to help the insurance industry learn how to overcome cybersecurity challenges. Services from Rigid Bits are highly adaptable to fit the varying needs of each office we support.
Learn more below about current threats to the Insurance industry and some simple steps you can take to better protect yourself.
The State of Cybersecurity and the Insurance Industry
Threats
- IIABA and various companies began raising the alarm in early 2021 about advanced threats targeting agencies and putting client data and business operations at risk.
- Major attacks on insurance companies and careful analysis of cyber liability policies have given hackers insight into how much a company can pay out for a ransomware attack and the quickest ways to incentivize payments of ransoms.
- There’s a hotbed of valuable data within each agency’s environment that attracts hackers that hope to profit from stolen information.
- With a shift to allow remote access for workers in 2020, the same remote access opens the potential for new cybersecurity threats.
Regulations
- New York’s Department of Financial Services passed a regulation in 2018 (23 NYCRR 500) that has been driving requirements downstream to offices of all sizes, even those that would be exempt.
- States are adopting NAIC sponsored model data security laws that implement requirements similar to those in NY. This includes the following states that have adopted an Insurance Data Security Law: AL, CT, DE, LA, ME, MI, MS, NH, OH, SC, and VA – with more to come.
- As companies and 3rd parties respond to their new requirements and elevated risks by imposing Third-Party Data Security Requirements, the expectations of business partners are raising the bar on what the bare minimum may look like.
- HIPAA, GLBA, and other regulations that include security rules are also forcing insurance related offices to take action.
The Impact of Cyber Liability
- As hackers begin to dial in their ransomware attacks, cyber liability policies are providing a great source of funding and incentivization for hackers to continue such attacks.
- NY recently released a recommended Cyber Liability Framework that lays out the importance of taking a stronger stance on understanding risks more proactively through activities like a Cybersecurity Risk Assessment.
- As demand for Cyber Liability grows, the industry will need to be cautious of efforts taken to mitigate risks or insurors could be in a position where they are unable to continue to pay out claims on what could be otherwise preventable attacks.
We’re here to support you! Take advantage of your free Cybersecurity Risk Consultation to learn more about your greatest areas of risk and the specific steps to take to put you on a path to a more cyber secure future.
Addressing Your Cybersecurity Risks
So, what do you do now? Here are some simple ways to think about your cybersecurity risk and how to implement a risk-based approach to protecting your non-public information.
1. Get to know your risks
Without understanding risk, businesses are missing the crucial information needed to make educated decisions about how to allocate resources like time and money. By not truly taking the time to understand this first step, risks may be overlooked and the actions taken can lead to fear-based decision-making that is often costly and less effective than risk-based decisions.
To get to know your risks, complete a Cybersecurity Risk Assessment that prioritizes risks based on their likelihood and impact. Be cautious here; Yes/No questions alone are not sufficient for a risk assessment.
Take our Quick Risk Questionnaire to see how you’re doing at a high level.
Is Your Trust Model Increasing Risk? →
Before we can answer that, let’s clarify what a trust model entails.
Unrealized Cybersecurity Risk →
Cybersecurity risks can be realized through risk identification exercises, but what about unrealized cybersecurity risk?
Learn more through our past webinars:
Cyber 101 →
Today’s IT and network capabilities have enabled the strategies that have kept many companies afloat during the pandemic. At the same time, cyber-attacks have increased and new data security laws continue to be implemented, adding new challenges for agencies.
Understanding Cyber Risks →
Dustin Mooney, a cybersecurity professional who specializes in computer forensics, will break down the concept of cybersecurity risk into easily understandable concepts.
2. Get to know your requirements
Agencies now have a wide range of requirements between Federal and State based laws as well as requirements being pushed down by 3rd party relationships. As complicated as it sounds, there are ways to satisfy all laws with one approach, but it takes planning and some initial research.
We’ve developed a quick guide intended to give business leaders and IT teams an initial direction on how to tackle these new regulations on their own, no matter which regulations apply.
Many agencies who provide Benefits products find that they fall behind on fully meeting their HIPAA requirements (often unbeknownst to them). If you maintain, manage, or even just collect Protected Health Information (PHI) on an application that goes to a company, then you have obligations under HIPAA.
To learn more of what goes into HIPAA compliance, start with our HIPAA Checklist.
Guidance For Approaching Data Security Regulations →
Every day at Rigid Bits, we are working to help businesses understand cybersecurity. As part of those education efforts, we’ve spent some time thinking about how companies required to abide by data security laws can best approach meeting requirements.
NAIC Cybersecurity Legislation – Maine Update →
Maine has adopted a recommended NAIC data security law for insurance companies titled LD 1995 SP 697. We’re seeing a growing trend where almost 20% of states have adopted some version of the NAIC data security model law.
New York Enacts Cybersecurity Regulations →
Companies doing business in New York may no longer have a choice; New York legislation “23 NYCRR Part 500” is now law and requirements for minimum cybersecurity practices must be in place.
Violations Issued Against 23NYCRR500 Cybersecurity Regulations: Part 1 → | Part 2 →
The New York Department of Financial Services (NYDFS) issued its first charges for violations against 23NYCRR500 cybersecurity regulations. Industry experts and legal professionals expect this trend to continue. Our expert Dustin Mooney wrote a technical breakdown.
3. Get organized by documenting and planning
It’s not enough to simply just implement best practices to address your risks. It’s a great start but your efforts must be documented to demonstrate your Due Diligence and Due Care or to be compliant with your requirements. Taking time to do this correctly also helps you plan accordingly.
- Build, implement, and test an Incident Response Plan that aligns with your requirements
- Write down your policies and procedures to demonstrate your Due Diligence and Due Care
- Align with a cybersecurity framework (best practices) that will guide you on the proper actions to put in place to reduce risk and meet your requirements
POA&Ms to Guide Cybersecurity Implementation →
One of the biggest challenges we see our clients struggle with is tracking the growth of their cybersecurity programs. That’s why our security program develop capabilities always include a plan of action and milestones (POA&M).
Remote Work Actionable Cybersecurity Recommendations →
We’ve put together a plan of action with some basic steps every business should implement to secure their web-based email and action items for working from home.
Guidance for Approaching Your Cybersecurity Program →
Thanks to the NIST Cybersecurity Framework, businesses can know where they stand and where they need to go by taking an objective look at their current cybersecurity posture.
The Cybersecurity Starter Pack →
A simplified package of documentation and exercises necessary for establishing and maintaining a written information security program.
4. Get the right help
Implementing a cybersecurity program is more like a journey than it is a destination. Having a guide can help you avoid costly mistakes and it can help you get back to focusing on other key aspects of your business.
Having the right kind of help can make all the difference. Cyber liability is important but it doesn’t prevent you from being attacked. IT can implement risk reducing measures but IT goals, education, and certifications are much different than those of a cybersecurity professional.
To be most effective, leverage a cybersecurity firm that has certified consultants that are trained in current cybersecurity practices and that are familiar with current hacking techniques and methods. This gives you the ability to implement checks and balances while building a stronger relationship with internal and external IT teams so they can focus on what they do best.
Rigid Bits is here to support you!
Take advantage of your free Cybersecurity Risk Consultation to learn more about your greatest areas of risk and the specific steps to take to put you on a path to a more cyber secure future.
