Tag Archives: data theft

7 Key Changes for Insurers’ Cybersecurity

Recognizing the need for better cybersecurity in the insurance sector, the National Association of Insurance Commissioners (NAIC) recently published “Principles for Effective Cybersecurity: Insurance Regulators Guidance.” High-profile data breaches at several health insurance providers exposed data on 90 million consumers, revealing the industry’s vulnerability. So the NAIC document provides best practices for insurance regulators and companies, focusing on the protection of the sector’s infrastructure and data from cyber-attacks.

Thus far, U.S. banks and payment processors have led the way on cybersecurity, both because they have been frequent targets of cyber-attacks and because of strong regulatory enforcement (e.g., FFIEC, GLBA, and PCI DSS). It’s time for insurance companies to play catch-up, and the NAIC is spurring them on.

As a result, we anticipate seven changes:

  1. An increase in cybersecurity regulations;
  2. A focus on consumer privacy;
  3. An increase in cybersecurity spending;
  4. The growing importance of cybersecurity information-sharing and analysis groups;
  5. The board’s and management’s involvement in cybersecurity;
  6. The increased need to manage third-party risks; and
  7. The link between cybersecurity and risk management.

Background

The NAIC is the standard-setting and regulatory-support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories. But individual state and territorial regulators oversee the insurance companies’ practices within their jurisdictions. Only a few states (e.g., New York, California and Massachusetts) have actually enacted data protection laws that apply to the insurance sector. Thus, most individual regulators have been left to their own devices when it comes to cybersecurity practices, particularly given that there is no central regulator defining industry standards and no uniform set of requirements. Consequently, individual regulators on the whole have been using different standards when examining cybersecurity practices, with cybersecurity requirements varying state-to-state.

The NAIC became involved to help both insurance regulators and companies. Specifically, it conducted a multi-state examination of a breached insurer’s cybersecurity practices and determined what actions the company could have taken to minimize its data loss. The NAIC then published two documents related to cybersecurity:

  • “Principles of Cybersecurity” – Created by the NAIC’s cybersecurity task force (formed in November 2014), the document is intended to (a) help insurance regulators identify cybersecurity risks and communicate a uniform set of control requirements to their covered entities and (b) promote cooperation between regulators and the insurance industry in identifying and addressing cybersecurity risks. The document applies to state regulators and insurers, insurance producers and other regulated entities (“covered entities”); and
  • “Annual Statement Supplement for Cybersecurity” – The NAIC’s property and casualty insurance committee created this document to establish requirements for insurers that provide cyber coverage. It requires insurers to report the range of limits offered on cyber insurance policies (both stand-alone and commercial, multi-peril packages), losses paid under each policy, earned premiums, whether policies are claims-made policies and whether tail coverage is offered.

Principles of Cybersecurity

Insurance regulators:

  • Should ensure that confidential and personally identifiable information (PII) that covered entities hold is protected from cybersecurity risks.
  • Should mandate that insurance providers have systems in place to alert consumers in a timely manner of cybersecurity breaches. Insurance regulators should collaborate with insurers, insurance producers and the federal government to achieve a consistent, coordinated approach.
  • Should protect covered entities’ confidential information and PII that is collected, stored and transferred inside or outside of an insurance department or at the NAIC. In the event of a breach, those affected should be alerted in a timely manner.
  • Should deliver flexible, scalable and practical cybersecurity regulatory guidance for covered entities that is consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.
  • Should make regulatory guidance risk-based and consider the resources of the covered entities, with the caveat that a minimum set of cybersecurity standards must be in place for all covered entities that are physically connected to the Internet, regardless of size and scope of operations.
  • Should provide appropriate regulatory oversight, including conducting risk-based financial examinations or market conduct examinations regarding cybersecurity.

Covered entities:

  • Should appropriately safeguard customer PII that is collected, stored and transferred inside or outside of a covered entity’s network.
  • Should implement incident response planning activities as part of a cybersecurity program, including conducting cyber incident response tabletop exercises.
  • Should take appropriate steps to ensure that third parties and service providers have controls in place to protect PII. This may include third-party assessments to understand service providers’ current controls environments.
  • Should incorporate and address cybersecurity risks as part of the enterprise risk management process. Cybersecurity transcends the information technology department and must include all facets of an organization.
  • Should have a board of directors or its appropriate committee review information technology audit findings that present a material risk to an organization.
  • Should participate in an information-sharing and analysis group to share information and stay informed regarding emerging threats or vulnerabilities.
  • Should consider periodic and timely training, paired with an assessment, to be an essential component of all cybersecurity programs.

What Should Insurance Companies Expect?

Over the next few years, we anticipate many changes in the insurance sector related to cybersecurity, including:

  1. Increase in Cybersecurity Regulations – According to PwC’s recently released “The Global State of Information Security Survey,” cybersecurity regulation within the financial services industry is only expected to increase in 2015 and beyond. Based on the NAIC’s guidance, we expect the various U.S. states and their insurance regulators to pass cybersecurity regulations to ensure that covered entities have adequate controls in place to protect consumer PII. Covered entities will be required to demonstrate resilience to cyber-attacks, including malware attacks, insider threats, data corruption and destruction and denial of service attacks.
  2. Focus on Consumer Privacy – In addition to cybersecurity regulations, covered entities will be expected to comply with privacy regulations. The Consumer Privacy Bill of Rights, which the Obama administration proposed, includes provisions mandating transparency, individual control, respect for context, focused collection and responsible use, security, access and accuracy and accountability. If passed into law, the Consumer Privacy Bill of Rights would require covered entities to provide transparent descriptions of their data collection practices, and to limit how and what data they collect. Additionally, global data privacy laws, such as the European Union’s General Data Protection Regulation, increase compliance obligations of U.S. insurance companies doing business globally.
  3. Increase in Security Spending – To implement adequate controls and comply with the regulatory requirements, covered entities will increase their cybersecurity spending. According to the New York State Department of Financial Services (NYDFS) study, “Report on Cyber Security in the Insurance Sector,” released in February 2015, 86% of insurers expect their security budgets to increase in the next three years. The study noted that only 51% of insurers had budgeted for cybersecurity incidents.
  4. Importance of Information Sharing Organizations – Information-sharing will be an essential part of insurance companies’ cybersecurity strategies. We expect to see more insurance companies join Information Security and Analysis Centers (ISAC), such as FS-ISAC, or the recentlyannounced insurance ISAO.
  5. Board and Management Involvement – For organizations to better address cybersecurity threats and regulatory guidance, we anticipate a push to increase senior management and board involvement in cybersecurity issues and decision-making. According to the NYDFS study, only 30% of boards receive updates on cybersecurity issues on a quarterly basis.
  6. Managing Third-Party Risks – Concerns will grow around third-party risks and potential cybersecurity threats that can arise when sharing networks with business partners. Covered entities will be expected to demonstrate adequate oversight of their service provider relationships.
  7. Link Between Cybersecurity and Risk – As cybersecurity incidents continue to proliferate, organizations must reposition their security strategies to align closely with their broader risk-management activities.

How Good Is Your Cybersecurity?

The country was rocked recently when three major enterprises, including the New York Stock Exchange, encountered cyber “glitches” that were serious enough to take them off line, leading to speculation that perhaps there was something more sinister at play. While contemplating the situation in real time, many enterprises undoubtedly engaged in a quick self-assessment of their own cybersecurity defenses and readiness and heaved a sigh of relief when the disruptions were reported to be resolved, unrelated and not caused by malicious outsiders.

But what if it had been different? How well would your company fare in the face of an attempted or successful cyber attack?

Recent events should serve as a wake-up call for all enterprises to shore up their defenses and formulate their game plan in the event of a cybersecurity incident.

Here are four key factors to consider:

1. Have you conducted a risk-based security assessment? The assessment, among other things, should determine if you’ve already been hacked, test your perimeter and scan for internal and external vulnerabilities.

2. Have you established and implemented effective employee training and awareness policies and programs? Studies repeatedly show that employees are at the heart of most security incidents. Employees should be educated about the crucial role they play in securing enterprise data, and they should be trained to recognize and avoid security threats.

3. Have you assembled an incident response team? No entity should put itself in the position of wondering what to do and who to call when it suffers a cybersecurity incident. Entities should build their incident response team and practice their response to various security incident scenarios before an incident ever happens. Companies that do this are in a better position to respond when an event occurs, thereby minimizing the financial, legal and reputational fallout of a cybersecurity incident.

4. Have you purchased insurance to cover cyber incidents? Enterprises routinely purchase insurance to transfer the risk of potential liabilities they might encounter in the course of their business operations. Cyber liabilities should be treated the same way. Cyber insurance can provide much needed financial and tactical support in the event of a cyber incident.

Takeaway

Thoughtful focus on these four steps can help companies protect against and mitigate the effects of a cybersecurity incident. As recent events have demonstrated, the risks are real, and they show no signs of abating.

How HR Can Stop Insider Data Theft

After Edward Snowden’s escapades, how could any company fail to take simple measures to reduce its exposure to insider data theft?

Yet large enterprises remain all too vulnerable to insider threats, as evidenced by the Morgan Stanley breach. And many small and medium-sized businesses continue to view insider data theft as just another nuisance piled on to a long list of operational challenges.

“I suspect too many companies are fixated on outsider threats, like malware infections and external hacking, to the extent that insider threats get overlooked,” says Stephen Cobb, senior security researcher at anti-malware vendor ESET.

More: 3 steps for figuring out if your business is secure

A low-level Morgan Stanley financial adviser with sticky fingers allegedly tapped into account records, including passwords, for six million of the Wall Street giant’s clients. He got caught allegedly attempting to peddle the stolen records on Pastebin, a popular website for storing and sharing text files.

The financial services sector has long been very proactive defending against all forms of data breaches for obvious reasons, and Morgan Stanley was able to nip this particular caper early on. Big banks and investment houses typically have highly trained teams, using a variety of detection tools and monitoring regimes designed to flush out any indication of a breach.

“Often you have analysts in a security operations center hunting for abnormal activity,” says Scott Hazdra, principal security consultant at risk management firm Neohapsis. “They can often spot suspicious data movement based on quantity, destination or classification level and react in hours versus discovering data out in the wild when it’s much harder to limit exposure.”

Organizations outside of the financial services industry, however, are still on the lower end of the curve understanding this exposure, much less taking even basic steps to reduce it.

Given the nature of the exposure, security and privacy experts say human resource officials need to be on the front lines of mitigating insider data theft. In particular, HR department heads should be integrally involved in working with a company’s tech and security teams to define and deploy access rights to sensitive company data.

“With this collaboration and the right tool sets, companies can apply access controls that restrict employees to just the information they need to perform their jobs,” says Deena Coffman, CEO of IDT911 Consulting, which is part of identity and data risk consultancy IDT911. (Full disclosure: IDT911 sponsors ThirdCertainty.)

It’s a balancing act, of course. Quick and flexible access to company records drives productivity gains. At the same time, it creates fresh opportunities for granting unnecessary access privileges — and for theft.

“Building data and network security policies to thwart the likely approaches to steal information is a foundation for limiting possible damage,” says Steve Hultquist, chief evangelist at security analytics firm RedSeal. “Using automation to analyze and ensure compliance with a security policy is essential for protecting customer and corporate data assets.”

There should also be a structured process for communicating changes quickly to ensure that a terminated employee or departed contractor does not retain access privileges, Coffman says.

“Many of the inside attacks are IT employees with elevated privileges and little oversight on how and when those privileges are used,” Coffman says. “The use of privileged accounts should be monitored and logged. Separation of duties should be required on certain functions, and an annual outside review is a good idea.”

Cutting off terminated employees and partners should be swift and sure. Better safe than sorry.

“Too often, organizations don’t have a complete picture of what access each employee has, particularly if they have been there a while,” ESET’s Cobb says. “Getting employee departures right involves a coordinated effort from HR, IT and legal.”

A disgruntled employee, who’s not planning on going anywhere, is another type of exposure that should be addressed. American Banker is now reporting that the alleged perpetrator of the Morgan Stanley breach was promoted to financial adviser from sales assistant about a year ago and gained access to records by manipulating the bank’s wealth management software. The lawyer representing the accused adviser insists in the American Banker report that his client did not post any of Morgan Stanley’s data on Pastebin.

“All managers need to be aware of morale among reports, and there needs to be a process for taking concerns to HR in a discreet way while increasing monitoring of use of IT resources,” Cobb says.

‘Smart’ Homes Can Have Stupid Features

Do people want faster response by the police to a burglar alarm, or do they want lights they can control remotely? That is a core question that the alarm industry faces as it undergoes seismic changes. Does the alarm industry sell security, including fast response by police, or does it sell the “connected” home?

Many are leaning toward an emphasis on the connected home. That’s why Google bought Nest, known for its smart thermostats, for $3.2 billion in early 2014 and then announced recently that Nest would buy Dropcam for $555 million. Dropcam uses small cameras to provide security services, though not as the alarm industry is doing. The alarm industry connects cameras to a central station, where feeds are monitored and police notified if there is a break-in. Dropcam uses motion sensors to alert the user to any possible problems; the user then checks the video feed from his phone or computer and, if necessary, contacts the authorities for help.

Whether the alarm industry chooses to emphasize fast police response or follows Google and tries to offer broad home automation solutions, there will be broad ripple effects, including for insurers.

From a risk-management perspective, there are two issues. The first is whether the home automation improves police response and reduces losses. Ultimately, however, the second issue is even more crucial: Do the new home automation services actually introduce new risks and enable high-dollar losses through remote vandalism, including frozen pipes and catastrophic water damage?

Concerning the first issue: At a time when declining budgets are forcing police to reduce the number of officers responding to property crimes, home automation has hijacked a large slice of the alarm industry and is minimizing police response. Catching burglars and reducing property crime has become secondary to lifestyle convenience features and home automation revenue streams.

Increasingly, alarm/security is proposed as just one more feature in home automation. But the new offerings generally use legacy alarm solutions, which have a false alarm rate of 98%. As a result, these alarms are only assigned a priority 3 by law enforcement, so police response is slow, if it happens at all. By contrast, new alarms – based on monitored video feeds, and with break-ins verified — are treated like a crime in progress, a priority 1. Responding officers run hot because they expect to make an arrest.

In an effort to confuse the issue and continue to sell legacy alarms, home automation suppliers sell the ability of the homeowner to remotely view cameras in the home as “video verification.” This claim is exploiting a naïve consumer. Home automation cameras are not monitored by the central station, and they do not provide faster police response. Remote viewing by the owner ends up being a glorified nanny cam.

Unfortunately for insurers, home automation has become the primary message of some of the historical burglar alarm companies, which have reengineered their companies. Security companies are now chasing smartphone thermostats and Wi-Fi-based lighting instead of focus on delivering police response to an alarm.

A joint study by the San Bernardino, CA, sheriff and police departments in 2011 found that the arrest rate for a traditional burglar alarm was only 0.08%. A five-year study completed by Pharmacists Mutual in 2013 found that, when police response was less than five minutes, the officers made arrests 21% of the time. This means that the likelihood of an arrest for monitored, video-verified alarms and priority police response is more than 250 times better.

Video-verified alarm systems monitored by a professional central station represent real loss control tforthe insurer. Video-verified alarms reduce claims. Monitored video alarms actually mitigate losses by delivering faster police response to an actual incident. Police make arrests and prevent the loss itself.

Concerning the second risk-management issue: Home automation introduces new threats for the insurer – catastrophic claims caused by remote vandalism. Imagine the damage to a Minnesota home whose furnace was turned off by malicious hackers while the owners were on a winter vacation. The costs for bursting water pipes and flooding the property for days would make most burglary claims seem paltry in comparison.

The problem is that home automation and the connected home create risks that have not been adequately identified and considered by insurers. Much has been written regarding identity or data theft caused by hackers exploiting weak computer networks for passwords and credit card info. The financial losses from this type of crime have had little impact on traditional property/casualty insurers, but home automation changes the risk exposure because now remote vandals can invade the network and take over the infrastructure and appliances of a homeowner to maximize damage without ever setting foot on the property. Home automation devices become a Trojan horse for vandals, and the more devices are connected, the larger the risk as each device introduces another potential hole.

The press is finally beginning to educate readers about the issue. A July 30, 2014, article in Computerworld headlined “Home Automation Systems Rife with Holes” explains, “A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet, according to researchers from security firm Trustwave. Some of these devices are used to control door locks, surveillance cameras, alarm systems, lights and other sensitive systems.” Security Today published an article on July 16, 2014, about how hacked light bulbs can reveal a homeowner’s Wi-Fi password and actually give the hackers control over the home automation system itself. This excerpt describes the problem:

“It’s all the new craze: the connected or smart home, where at the touch of a button on your smartphone you can dim your living room lights, close the garage…. But, with sophisticated technology comes risk if you aren’t vigilant in applying the latest security updates to your smart home. In fact, the latest risk involves LED light bulbs that can be hacked to change the lighting and reveal the homeowner’s Wi-Fi Internet password.”

The entire home automation system is only as secure as its weakest link or device – devices that need to be kept updated with security patches as flaws are discovered. Unfortunately, many of these connected home devices are static and not even capable of being updated with new software patches. The connected home is now the Wild West of home security, and property/casualty insurers are likely going to be the ones left paying the bill.

The bottom line is that the home automation industry introduces threats that run counter to the risk mitigation insurers have traditionally found by using discounts to promote monitored alarm systems. In analyzing these risks, David Bryan, Trustwave researcher, states, “Anybody could have turned off my lights, turned on and off my thermostat, changed settings or [done] all sorts of things that I would expect to require some sort of authorization.” The proliferation of devices, protocols, apps and portals mean that the problem is getting more complex instead of calming down.

It is time for insurance companies to review their “alarm discount” and make sure that the discount encourages behavior that actually reduces claims. The alarm industry is promoting home automation to the consumer, but the features and benefits don’t actually reduce risk. Underwriters can reduce risk and minimize losses by encouraging their policy holders to install monitored, video-verified alarm systems that deliver faster police response. Any insurance policy that offers discounts for home automation systems is encouraging new and unexplored risks posed by remote vandalism, and possibly worse.