
IT Security: A Major Threat for Insurers

As the insurance industry changes in response to continued digitalization, IT leaders must continue to maintain and improve their ability to protect confidential data and customer information. While technological advances can streamline processes, they can also open the door to new risks. Modern digital systems and procedures must be demonstrably secure for agents and insureds to trust them, and to protect the companies from liability.

In a recent Novarica study, we found that insurers are enhancing security capabilities across the board. Nearly half of those we spoke to are enhancing capabilities in intrusion detection, application security and data encryption. Fewer insurers are enhancing intrusion detection in 2017 than in 2016, but it remains among the most basic elements of IT security and a critical component of a rapid response to any breach. Most insurers have also already put application security measures in place to close security gaps, though this is an area that needs continual investment to keep up with evolving threats. Larger insurers are more likely than mid-sized insurers to be planning enhancements to their data encryption capabilities. However, some mid-sized insurers are planning to pilot and launch encryption capabilities, in part because of the encryption requirements in the New York State cybersecurity regulation and the NAIC's draft Insurance Data Security Model Law.


Carriers still plan to enhance audits and procedures, but the volume of planned work in this area has dropped somewhat because of heavy investment in 2016, when many insurers adopted the NIST Cybersecurity Framework for the first time. IT security is as much a matter of practices and monitoring as it is of technology. In fact, from a CIO resource perspective, audits and procedures are often more expensive than technology. Processes need to be created to evaluate every aspect of security management and to determine process maturity. Those processes then need to be independently validated through a combination of sampling, statistics gathered from tools and discussions with the people responsible for the procedures.

We also see some activity around security frameworks and regulations. Insurers are preparing for new regulations, with some taking a "wait and see" approach to the recently loosened New York State cybersecurity regulation. However, either the New York State regulation or the NAIC cybersecurity model law is likely to be replicated across the other states over the next two to three years. Carriers need to monitor developments in this area and ensure compliance to minimize fines and reputational damage.

In terms of frameworks, we see a slight increase in the adoption rate for NIST, from 60% to 70%, and a lower rate of 60% for SSE-CMM. The NIST Cybersecurity Framework uses business drivers to guide cybersecurity activities and complements SSE-CMM, since it covers all aspects of an organization's processes. SSE-CMM assesses the maturity of an organization's security engineering processes, including secure software development. Many insurers seem to prefer NIST to SSE-CMM, and very few rely on other formal frameworks such as COBIT, ITIL or the NYS regulation itself.

While more insurers choose NIST than any other framework, adoption of formal frameworks is growing across the board. To ensure data protection across the enterprise, insurers can rely on frameworks to assess security risks. The organization must ensure that the software it builds, or that is built on its behalf, is secure and does not open up a security exposure. One good way to determine whether the software development process produces secure applications is to look at the security maturity of that process. SSE-CMM is one way to assess this, but on its own it does not go far enough. A full risk management framework needs to be applied to the firm to augment its other operational risk assessments. The NIST Cybersecurity Framework, first published in 2014, is becoming the de facto standard for insurers to assess digital and operational security risks in a structured way and to develop a road map for improving their cybersecurity practices.


Most large insurers have a mature IT security function, with a dedicated organization led by a chief information security officer. For smaller companies, dedicating resources and building competency in this area can be challenging. What is more, IT security is still seen as a lower priority by CIOs and mid-level managers: less than 10% of an insurer's IT budget is typically devoted to security. In some cases, especially at mid-sized and small carriers, basic capabilities such as penetration testing, ethical hacking programs and mandatory security training are lacking. Many carriers also lack a dedicated security executive such as a CISO. Insurers must make sure they understand their challenges and options, prioritize their investments and plan their responses to security incidents.

Insurers’ Call Centers: a Cyber Weakness?

Two years ago, the New York State Department of Financial Services (DFS) released a report on cybersecurity in the insurance sector after surveying 43 insurers with more than $3.1 trillion in combined assets. The report revealed that 35% of these companies had experienced between one and five data breaches in the previous three years. This statistic covers only confirmed breaches, not attempted attacks, and the consequences for the affected insurers included real financial losses from lost customer business, legal defense and damaged brand reputation.

Fast forward to today, and it is no surprise that the DFS is preparing to launch a new regulation on March 1 that requires the banks, insurance companies and other financial services institutions it regulates to establish and maintain a cybersecurity program. The first of its kind in the U.S., the regulation aims to protect New York consumers and financial institutions from the ever-growing threat of cyberattacks. But, like any other industry-wide regulation, this mandate is not without its challenges.


A key provision is the requirement to encrypt non-public information (NPI), such as payment card numbers, Social Security numbers, driver's license numbers and other security codes, both in transit over external networks and at rest. The regulation allows compensating controls, reviewed and approved by the CISO, where encryption is infeasible, but encryption is the default expectation. For insurance companies that routinely capture and store this information in their call centers and other areas of the business, protecting NPI will be especially challenging. Most insurers record customer calls, and so end up housing payment card numbers and other NPI in their physical and IT infrastructure. Many insurers use a pause-and-resume practice ("stop/start") to keep this data out of recordings, but the method creates security and governance concerns of its own. Insurers that must record 100% of calls to demonstrate compliance with other existing legislation, and that use stop/start, are no longer recording the entire call. That not only puts them out of compliance with that legislation, it also opens a window for illicit activity while the recording is stopped, because nothing said or done during the pause can later be reviewed. NPI is kept out of the call recording, but it is still read out or keyed in to agents and still lands in the call center's desktop and payment systems, which further complicates the whole effort to secure customer data. That data still needs to be encrypted, so stop/start is not enough on its own.

The most effective way to protect sensitive information, eliminate insecure practices and fix broken processes, and so avoid costly penalties and a tainted brand reputation, is to follow the saying: "They can't hack what you don't hold." In short, keep NPI and other sensitive data out of the call center altogether. Insurers should implement a solution that encrypts data as it is collected and while it is in flight, and that reduces the stockpiles of data at rest that are just waiting to be exposed in the next big breach.

Despite the undoubted challenges it will bring, the New York DFS cybersecurity regulation is a step in the right direction because it starts to create much-needed standardization in the way insurers and their call centers handle sensitive information. To emphasize this point, we recently spoke with call center agents at 10 of the leading U.S. insurance companies. We found no uniform approach to data security measures, especially in how sensitive information is removed from call recordings; the insurers using stop/start still hold NPI elsewhere in the estate and are no longer recording 100% of calls. Agents gave a wide range of answers, from using stop/start, to redacting information after the fact, to deleting the full recording after 30 days. This is in sharp contrast to the U.K., where a growing number of call centers are adopting an operating procedure that uses dual-tone multi-frequency (DTMF) masking: the customer keys the card number on the phone keypad, the tones are masked in the audio that the agent and the recorder hear, and the digits are captured only in a secure, separate environment that encrypts them. Shouldn't all insurers handle their data in the same, secure manner?
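As an added example, not code from the original article or from any vendor it describes, the following Python simulation contrasts the two approaches discussed above: agent pause-and-resume ("stop/start") and DTMF masking with a separate secure capture environment. The call events, the vault, the token format and the keyed-hash storage are all constructed assumptions; the point is to show what each approach leaves inside the call center's estate.

```python
"""Constructed simulation of two ways to keep card numbers (NPI) out of a call
centre's recordings: agent-driven pause/resume ("stop/start") versus DTMF
masking with a separate secure capture environment. Added example; the call,
the vault and the token format are toy stand-ins, not any vendor's product."""
import hashlib
import hmac
import secrets

PAN = "4111111111111111"  # constructed test card number, passes the Luhn check


def build_sample_call():
    """A constructed call as (kind, payload) events in time order. 'speech' is
    audio from either party; 'dtmf' is one keypad tone pressed by the customer."""
    call = [("speech", "agent: I can take that payment now, please key in your card number")]
    call += [("dtmf", d) for d in PAN[:8]]
    # Something said while the customer is still keying digits: with stop/start
    # this is exactly the part of the call nobody will ever be able to review.
    call.append(("speech", "customer: it's the one ending 1111, the CVV is on the back"))
    call += [("dtmf", d) for d in PAN[8:]]
    call.append(("dtmf", "#"))
    call.append(("speech", "agent: payment taken, anything else today?"))
    return call


def luhn_ok(number):
    """Luhn checksum; used by the vault to reject mistyped PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class SecureCaptureVault:
    """Stand-in for the separate secure environment. It is the only place the
    full PAN is decoded; it keeps a keyed hash plus the last four digits and
    returns an opaque token for the call-centre systems to hold instead."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # would be an HSM-held key in practice
        self.records = {}

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(8)
        self.records[token] = {
            "pan_hmac": hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest(),
            "last4": pan[-4:],
        }
        return token, pan[-4:]


def stop_start(call):
    """Agent pauses the recorder at the card prompt and resumes after '#'.
    The digits are still decoded on the agent desktop, so the PAN is inside
    the call-centre estate, and everything said during the pause is lost."""
    recording, screen, digits, paused = [], "", "", False
    for kind, payload in call:
        if kind == "speech":
            if "key in your card number" in payload:
                recording += [payload, "[RECORDING PAUSED]"]
                paused = True
            elif not paused:
                recording.append(payload)
        elif payload == "#":
            paused = False
            recording.append("[RECORDING RESUMED]")
        else:
            digits += payload
            screen += payload  # tone decoded inside the call centre
    return {"recording": recording, "agent_screen": screen, "pan_in_call_centre": digits}


def dtmf_masked(call, vault):
    """Recording runs for the whole call. Each DTMF tone is replaced with a flat
    tone before it reaches the recorder or the agent desktop; the digits go
    only to the vault, and the agent sees a token and the last four digits."""
    recording, screen, digits = [], "", ""
    for kind, payload in call:
        if kind == "speech":
            recording.append(payload)
        elif payload == "#":
            token, last4 = vault.tokenize(digits)
            digits = ""
            recording.append("[DTMF TERMINATOR]")
            screen = f"card accepted: {token} (ending {last4})"
        else:
            digits += payload  # held only on the path to the vault
            recording.append("[FLAT TONE]")
    return {"recording": recording, "agent_screen": screen, "pan_in_call_centre": ""}


def pan_exposed(outcome, pan=PAN):
    """True if the full PAN can be found anywhere the call centre retains."""
    held = "\n".join(outcome["recording"]) + outcome["agent_screen"] + outcome["pan_in_call_centre"]
    return pan in held


if __name__ == "__main__":
    call = build_sample_call()
    for name, outcome in (("stop/start", stop_start(call)),
                          ("dtmf masking", dtmf_masked(call, SecureCaptureVault()))):
        print(f"== {name}: PAN exposed in call centre: {pan_exposed(outcome)}")
        print("\n".join(outcome["recording"]))
        print("agent screen:", outcome["agent_screen"])
```

Running the script shows the two failure modes the text describes: with stop/start the recording has a gap in which the customer's remark about the CVV is lost, while the full PAN is still present on the agent's screen; with DTMF masking the recording is continuous, the card digits appear only as flat tones, and the call center holds nothing but a token and the last four digits.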


While the New York DFS regulation is the first of its kind, it most certainly won't be the last. Other cybersecurity regulations that help standardize how financial institutions secure their data are likely to follow in the coming years. Because the regulation covers everyone who conducts regulated business in New York, it draws parallels to the pending EU General Data Protection Regulation (GDPR). Taking effect in May 2018, the GDPR will affect every business that holds or processes personal data of individuals in the EU, wherever that business is located. All signs point toward greater standardization of data security across industries and borders. Insurers in New York and beyond must start looking at solutions now to simplify their compliance efforts and protect their customers and their reputations.