Gone Phishing: There’s No Vacation for Data Security in the Insurance Industry
July 21, 2021
The summer months can bring some much-needed time off for many in the insurance industry. But one thing that shouldn’t be taking a break is your emphasis on cybersecurity. Threats to your business and your clients abound: those with opportunities to take advantage of the massive amounts of personal information your company has on hand aren’t taking the summer off. That’s why we’re going to round up what you need to know about data protection and cybersecurity as it relates to your insurance business.
The insurance industry is a prime target for cyber crime
With the amount of personal and sensitive customer information needed to accurately insure a client, it’s no wonder our industry is a target for data security threats. Within each insurance agency, broker, carrier, or MGA/MGU lives anywhere from thousands to millions of pieces of information that can be useful to attackers.
Client data is a vital part of doing business, and the types of information you collect range from completely public to the most sensitive and private details. Names, occupations, addresses, social security numbers, health history, financial details, and more are used to quote, write, and pay for the insurance policies you provide. This overwhelmingly large amount of information needed to conduct insurance business is one of the top reasons why the industry is seen as a good target for cyber attacks.
What information is at risk of cyber attacks?
The data that’s most at risk, and that needs to be protected the most diligently, is what’s commonly known as Personally Identifiable Information (PII). PII consists of data points like full names, addresses, social security numbers, driver’s license or passport numbers, bank account numbers, and much more.
Often, one piece of information alone isn’t enough to constitute PII. For example, if all someone knows is your full name, there isn’t much they can do. The danger arises when someone can access multiple pieces of PII, which allows them to commit identity theft or gain access to accounts they shouldn’t.
By its very nature, the insurance industry collects and stores multiple pieces of PII on each person who so much as obtains an insurance quote. This abundance of personal and sensitive information makes those collecting it particularly good targets for cyber attacks.
Why is cybersecurity such a challenge within the insurance industry?
While all businesses across every industry are at risk, there are a few things that make the insurance industry particularly attractive – and susceptible – to data breaches and cyber attacks.
The sheer volume of information available: When it comes to cyber crime and stolen data, your PII could bring in anywhere from a few dollars to tens of thousands of dollars, or more. With the vast amount of data collected across the insurance distribution channel, hackers and cyber criminals see the industry as a potential gold mine.
The highly-sensitive nature of the information: Within the insurance industry, we’re not just talking about a list of a million names. Insurance companies, and thus the agencies and brokers they’re connected to, hold onto millions of pieces of highly-sensitive information that is perfect for cyber attackers to use for nefarious purposes.
Large amounts of unstructured data: You might think all data are created equal, but that’s not actually true. Typically, when we think of data, we’re imagining what’s called “structured data.” Structured data is easier to organize and easier to protect, thanks to its structured nature.
Within the insurance industry, much of the data collected and stored is “unstructured.” Unstructured data takes the form of things like medical records, emails and other correspondence, and contracts or business documents. Because unstructured data is more complex and less consistent, it’s harder to create systematic ways of protecting it.
Resistance to modern technology: The insurance industry has a reputation for being old-fashioned. Some small agencies still rely on paper files, or even if they’ve gone electronic, may still use a simple spreadsheet to keep track of their clients. No-tech and low-tech practices are especially at risk for data breaches, or even physical break-ins.
Increasing front-end consumer inputs: On the other end of the spectrum from agencies who keep paper records are the mega-agencies and direct-writing insurers that provide consumers the ability to enter their own information online. As more and more individuals type in all their personal information to get instant insurance quotes, the opportunity for that information to be intercepted or mismanaged also grows.
Common data security concerns in the insurance industry
It’s not an exaggeration to say that cyber criminals are developing new methods daily. Currently, some of the most prevalent types of data security attacks include:
- Identity theft
- Data breaches
- Inadvertent disclosure of information
Some recent, notable examples of data security events in the insurance industry are the 2018 and 2019 phishing attacks on Unum and Paul Revere Life Insurance, a 2021 attack on Pan American Life Insurance, and stolen driver’s license numbers from Geico Insurance during the spring of 2021 – just to name a few!
The consequences of insurance industry cyber attacks
For those individuals whose information is hacked, the damage can be painful and extreme. Anyone who’s ever had their credit card stolen can relate to the damage data breaches can cause. If a cyber criminal has access to multiple pieces of your PII, it can get exponentially worse: ruining your credit, costing you money, and even taking a toll on your mental and physical health!
This is why the US federal government, along with many states and even other countries, is implementing strict laws and regulations to prevent cyber crime, and penalizing organizations that don’t follow them. The National Association of Insurance Commissioners (NAIC) has also put emphasis on cybercrime in recent years, adopting several recommendations to help its members prevent security breaches.
Whether you’re an insurer, an agency, brokerage, or MGA/MGU, the fallout from a data breach can be serious. Consequences may include reputational harm, financial losses, leaving your clients unable to get assistance, legal liability, and regulatory penalties.
Insurance industry best practices for data security
The very real risk of information security breaches in the insurance industry is clear. So, what can you do? According to data security experts, these are some of the most reliable ways to protect your insurance agency, insurance carrier, or MGA/MGU from cyber risks.
- Place strict limitations on employee access to personal, confidential, and sensitive information. Not everyone needs access to everything: in fact, the fewer people who have credentials, the easier it is to prevent unauthorized access to your systems.
- Keep tabs on your user permissions, including promptly removing access when people change roles or leave the company.
- Implement multi-factor authentication (also known as two-factor authentication) to ensure sensitive data has multiple layers of protection.
- Use biometric authentication when possible, as it’s more difficult to fake.
- Monitor and regularly audit which files have been accessed, including investigating any out-of-the-ordinary access incidents.
- Create policies that include meaningful penalties for employees found to be in violation of your organization’s security protocols.
- Conduct vulnerability assessments, including such things as “bug bounty” and “hackathon” events, to help uncover potential security risks before they are exploited.
- Only do business with third parties and vendors who use industry-leading cyber security practices.
- When utilizing cloud services to store and transfer data, make sure they provide file encryption.
- Update passwords regularly, and implement requirements to ensure password security.
- Provide comprehensive training to staff to prevent unintentional security lapses.
Top security considerations for insurance
With all of that said, it bears repeating that insurers and insurance agencies are in the unique position of possessing a massive amount of highly-sensitive, personally identifiable information on their clients, prospects, and former clients. Thus, protecting that information should be a top priority – not an afterthought!
Even if not for selfless purposes, taking every possible step to protect personal data is always in the insurance company’s best interest. From a public relations nightmare to large legal costs, from losing customers to facing steep financial penalties, there is truly no upside to being lax with data protection and security.
So, while you can and should take a vacation from some things this summer, make sure your cybersecurity is not one of them!